Better Programming

Secure Your Kubernetes Cluster With AppArmor

Gaurav Agarwal
Published in Better Programming
Aug 30, 2021 · 7 min read

AppArmor is a Linux Security Module (LSM) that enforces mandatory access control on top of the ordinary user and group permissions. A confined program can use only the files, capabilities, network access and other resources its profile grants, so AppArmor is a practical way to apply the principle of least privilege to container workloads.

Most container images are built on base images that are standard Linux distributions. A minimal distribution such as Alpine reduces the attack surface considerably because it ships far fewer packages, utilities and libraries than a full distribution, but the container process still has to be restricted to what it is meant to do: it should be able to modify only the files and run only the commands it needs, and everything else should be denied.

AppArmor is a good fit for this. It greatly reduces what an attacker can do from inside a compromised container, but it has limitations: it confines only what its profile describes, it depends on the node kernel having AppArmor enabled, and it does not replace running as a non-root user, dropping Linux capabilities or applying a seccomp profile. Treat it as one layer of defence rather than a silver bullet.

AppArmor uses profiles made of rules that allow or deny particular operations: file access, capabilities, network sockets, mounts, ptrace and so on. A profile can be loaded in enforce mode, where violations are blocked and logged, or in complain mode, where violations are only logged. (The logging-only mode is called complain mode in AppArmor terms; "audit" is a rule qualifier that logs even permitted accesses.) When you don't know enough about a program, load its profile in complain mode first and watch the kernel log (dmesg, journalctl -k, or the audit log) for apparmor="ALLOWED" entries, which show what the container process legitimately does. Add those operations to the profile, then reload it in enforce mode so that everything not listed is denied. Keep in mind that deny rules take precedence over allow rules, so a blanket deny cannot be carved back with a more specific allow; grant the narrow set of operations you need instead.
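To make the complain-then-enforce workflow concrete, here is an added example that is not part of the article: a shell script that renders a restrictive profile for an nginx container, loads it in complain mode with apparmor_parser -C, lists the logged violations, reloads it in enforce mode, and emits a pod spec that references it by name. The profile name k8s-nginx-restricted, the file paths, the container name and the image tag are my assumptions; the load steps need an AppArmor-enabled node with the apparmor package installed, and the pod step needs kubectl.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: author an AppArmor profile for an
# nginx container, load it in complain mode, review violations, enforce it,
# and reference it from a pod.  Assumes a node with AppArmor enabled and the
# "apparmor" package (apparmor_parser, aa-status); kubectl for the pod step.
# The profile name, paths and container image are illustrative assumptions.
set -euo pipefail

PROFILE_NAME="k8s-nginx-restricted"
PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"

# Profile text.  Deny rules override allow rules in AppArmor, so a blanket
# "deny /** w" could never be carved back with a specific allow; instead only
# the writes nginx needs are granted, and explicit denies guard sensitive bits.
render_profile() {
  cat <<EOF
#include <tunables/global>

profile ${PROFILE_NAME} flags=(attach_disconnected) {
  #include <abstractions/base>

  # Read, mmap and execute anything in the image; write only where nginx must.
  /** mr,
  /** ix,
  /var/cache/nginx/** rw,
  /var/log/nginx/** w,
  /run/nginx.pid rw,
  /tmp/** rw,

  # Serve TCP; no raw sockets for scanning or spoofing from a compromised pod.
  network inet tcp,
  network inet6 tcp,
  deny network raw,

  # Bind port 80 as root, then drop to the nginx user.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability chown,

  # A web server never needs these; they are typical escape/escalation steps.
  deny mount,
  deny ptrace,
  deny capability sys_admin,
  deny /etc/shadow r,
  deny /proc/sys/** w,
}
EOF
}

# Complain mode (-C): violations are logged as apparmor="ALLOWED" but not
# blocked, so a missing rule cannot break the workload while you learn it.
load_complain() {
  render_profile > "${PROFILE_FILE}"
  apparmor_parser -r -C "${PROFILE_FILE}"
}

# Kernel log entries for this profile; aa-logprof (apparmor-utils) can turn
# these into rules interactively if you prefer that to editing by hand.
show_violations() {
  journalctl -k --no-pager | grep "apparmor=\"ALLOWED\".*profile=\"${PROFILE_NAME}\"" || true
}

# Enforce mode: reload without -C, then confirm the kernel lists the profile.
load_enforce() {
  apparmor_parser -r "${PROFILE_FILE}"
  aa-status | grep -q "${PROFILE_NAME}"
}

# Pod that runs under the profile.  The annotation is the mechanism of the
# article's era; Kubernetes 1.30+ also accepts securityContext.appArmorProfile.
# The profile must already be loaded on the node, or the kubelet refuses to
# start the container.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: localhost/${PROFILE_NAME}
spec:
  containers:
  - name: nginx
    image: nginx:1.25-alpine
    securityContext:
      allowPrivilegeEscalation: false
EOF
}

case "${1:-print}" in
  complain)   load_complain ;;
  violations) show_violations ;;
  enforce)    load_enforce ;;
  pod)        render_pod | kubectl apply -f - ;;
  *)          render_profile; echo; render_pod ;;   # print only; no node access needed
esac
```

Run it as `./profile.sh complain` on the node, exercise the container, then `./profile.sh violations`; fold any legitimate operations you see into render_profile, run `./profile.sh enforce`, and only then `./profile.sh pod`. The explicit `deny /etc/shadow r` sits under a broad `/** mr` on purpose: it illustrates that a deny wins over an allow for the same path, which is why the write permissions are listed narrowly rather than granted broadly and denied later.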

Because AppArmor is a kernel feature of the node, profiles have to be loaded on every Kubernetes node on which the pod might be scheduled; the kubelet only references a profile by name and will not start a container whose profile is not loaded. You can copy the profile files to all nodes by hand, or with Ansible or a node startup script, but that doesn't work well on managed offerings like GKE, where node pools autoscale with traffic and initialising each new node with the profiles is not straightforward.

An elegant solution to this problem is using DaemonSets to configure the AppArmor…
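The DaemonSet approach, as an added example that is not the article's own manifests: a shell script that packages a local directory of profile files into a ConfigMap, deploys a privileged loader DaemonSet that feeds every file to apparmor_parser on each node (including nodes added later by autoscaling), and checks the loader logs to confirm a profile landed everywhere. The namespace apparmor-system, the ConfigMap and DaemonSet names, the ./profiles directory and the ubuntu:22.04 loader image that installs the apparmor package at start are my assumptions; it needs kubectl access and nodes whose kernel has AppArmor enabled.

```shell
#!/usr/bin/env bash
# Added example, not the article's manifests: distribute AppArmor profiles to
# every node with a DaemonSet, so autoscaled nodes get them automatically.
# Assumes kubectl access, a local ./profiles directory of profile files, and
# nodes whose kernel has AppArmor enabled.  The namespace, resource names and
# the loader image are illustrative assumptions.
set -euo pipefail

NAMESPACE="apparmor-system"
PROFILE_DIR="${PROFILE_DIR:-./profiles}"

# The profiles travel in a ConfigMap; a privileged loader pod mounts it and
# feeds each file to apparmor_parser.  Loading writes to securityfs, hence
# privileged: true and the hostPath mount of /sys/kernel/security.
render_loader() {
  cat <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-loader
  namespace: ${NAMESPACE}
spec:
  selector:
    matchLabels: {app: apparmor-loader}
  template:
    metadata:
      labels: {app: apparmor-loader}
    spec:
      tolerations:                  # schedule onto every node, tainted ones too
      - operator: Exists
      containers:
      - name: loader
        image: ubuntu:22.04         # assumption: installs apparmor_parser at start
        securityContext:
          privileged: true          # required to write to securityfs
        command: ["/bin/bash", "-c"]
        args:
        - |
          set -e
          apt-get update -qq && apt-get install -y -qq apparmor >/dev/null
          load() { for p in /profiles/*; do apparmor_parser -r "\$p" && echo "loaded \$p"; done; }
          load
          # The kubelet refreshes ConfigMap volumes; reload so edits reach the kernel.
          while sleep 60; do load; done
        volumeMounts:
        - {name: profiles, mountPath: /profiles, readOnly: true}
        - {name: securityfs, mountPath: /sys/kernel/security}
      volumes:
      - name: profiles
        configMap: {name: apparmor-profiles}
      - name: securityfs
        hostPath: {path: /sys/kernel/security}
EOF
}

# Create or update the ConfigMap from the local directory (dry-run + apply is
# idempotent), roll out the loader, and wait until it is ready on every node.
deploy() {
  kubectl get ns "${NAMESPACE}" >/dev/null 2>&1 || kubectl create ns "${NAMESPACE}"
  kubectl -n "${NAMESPACE}" create configmap apparmor-profiles \
    --from-file="${PROFILE_DIR}" --dry-run=client -o yaml | kubectl apply -f -
  render_loader | kubectl apply -f -
  kubectl -n "${NAMESPACE}" rollout status ds/apparmor-loader
}

# Show that a given profile file was loaded on every node: one "loaded" line
# per loader pod, prefixed with the pod name so you can map it to a node.
verify() {
  kubectl -n "${NAMESPACE}" logs -l app=apparmor-loader --prefix \
    | grep "loaded /profiles/$1"
}

case "${1:-print}" in
  deploy)  deploy ;;
  verify)  verify "${2:?profile file name}" ;;
  *)       render_loader ;;      # print the manifest only; no cluster needed
esac
```

`./loader.sh deploy` pushes whatever is in ./profiles and rolls the loader out; `./loader.sh verify k8s-nginx-restricted` greps the per-pod logs for that file. Because a DaemonSet pod is scheduled onto every node that joins the cluster, a node created by the autoscaler gets the profiles loaded before workloads that reference them are admitted there, and editing the ConfigMap is enough to ship a profile change without touching nodes. The loader is a privileged pod, so keep it in its own namespace with tight RBAC, as it can load arbitrary policy into every node's kernel.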

Written by Gaurav Agarwal

Author of Modern DevOps Practices — https://packt.link/XUMM3 | Certified Kubernetes Administrator | Cloud Architect | Connect @ https://gauravdevops.com