AppArmor (Application Armor) is a security module of the Linux kernel. AppArmor lets a system administrator associate each program with a security profile and thereby restrict what the program can do. AppArmor is an access control system similar to SELinux: with it you can specify which files a program may read, write or execute, whether it may open network ports, and so on. As a complement to the traditional Unix discretionary access control model, AppArmor provides a mandatory access control mechanism.
AppArmor can be configured for any application to reduce its potential attack surface and to provide defence in depth. By restricting the operations a container is allowed to perform, and by providing better auditing through the system log, AppArmor helps you run a more secure deployment.
Operating modes
AppArmor has two operating modes:
enforcing (enforce mode)
Applies the rules in the profile and blocks access to resources the profile does not allow.
complain (warning mode)
Applies the rules in the profile, but only logs a warning for access to forbidden resources without blocking it.
[root@node3 ~]# apparmor_parser -q <<EOF
#include <tunables/global>
profile k8s-apparmor-deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
deny /** w,
}
EOF
Check whether the profile has been loaded:
root@node3:~# cat /sys/kernel/security/apparmor/profiles | grep k8s-apparmor-deny-write
k8s-apparmor-deny-write (enforce)
[root@master1 ~]# cat busybox-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  labels:
    app: nginx
  annotations:
    container.apparmor.security.beta.kubernetes.io/test: localhost/k8s-apparmor-deny-write
    # applies the node-local k8s-apparmor-deny-write profile to the nginx container
spec:
  nodeName: node3.xiaowangc.local # the scheduler might not place the Pod on the Ubuntu node, so I pin it to the node directly for this test
  containers:
  - name: test # must match the suffix of the annotation key above
    image: busybox
    command: ["sh", "-c", "echo 'Hello xiaowangc!' && sleep 1h"]
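The annotation only takes effect when its suffix names a real container and the referenced profile is loaded on the node in enforce mode, so it is worth checking both before relying on it. The following Python check is an added example, not code from the original post: the Pod dict and the profiles listing are constructed sample data modelled on the manifest and the `/sys/kernel/security/apparmor/profiles` output above.

```python
import re
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Constructed sample input: the Pod from the manifest above, as yaml.safe_load would return it.
POD = {
    "metadata": {"name": "hello-apparmor", "annotations": {
        ANNOTATION_PREFIX + "test": "localhost/k8s-apparmor-deny-write"}},
    "spec": {"containers": [{"name": "test", "image": "busybox"}]},
}
# Constructed sample: contents of /sys/kernel/security/apparmor/profiles on the node.
PROFILES_TEXT = "k8s-apparmor-deny-write (enforce)\n/usr/sbin/tcpdump (complain)\n"

def parse_profiles(text):
    """Parse 'name (mode)' lines from the profiles file into {name: mode}."""
    profiles = {}
    for line in text.splitlines():
        m = re.match(r"^(.+) \((\w+)\)$", line.strip())
        if m:
            profiles[m.group(1)] = m.group(2)
    return profiles

def check_pod_apparmor(pod, profiles):
    """Return a list of problems; empty means every container is confined by an enforced profile."""
    problems = []
    containers = {c["name"] for c in pod["spec"]["containers"]}
    annotated = set()
    for key, value in pod.get("metadata", {}).get("annotations", {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        cname = key[len(ANNOTATION_PREFIX):]
        annotated.add(cname)
        if cname not in containers:
            problems.append(f"annotation targets unknown container {cname!r}")
        elif value == "unconfined":
            problems.append(f"container {cname!r} is explicitly unconfined")
        elif value == "runtime/default":
            continue  # the container runtime's default profile; an acceptable baseline
        elif not value.startswith("localhost/"):
            problems.append(f"container {cname!r}: unrecognised profile reference {value!r}")
        else:
            name = value[len("localhost/"):]
            mode = profiles.get(name)
            if mode is None:
                problems.append(f"container {cname!r}: profile {name!r} not loaded on node")
            elif mode != "enforce":
                problems.append(f"container {cname!r}: profile {name!r} is in {mode} mode, not enforce")
    for cname in sorted(containers - annotated):
        problems.append(f"container {cname!r} has no AppArmor annotation")
    return problems
```

On a real node, read the profiles file instead of `PROFILES_TEXT` and load the manifest with `yaml.safe_load`; an empty result means the Pod is confined as intended.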