runtime,agent: Add AppArmor support on the guest side #7587
Experiments with containerd

Requirements

Enable guest AppArmor in the runtime configuration:

    sudo sed -i '/^disable_guest_apparmor/ s/true/false/g' /etc/kata-containers/configuration.toml

Or enable it using the pod-level annotation in your

    "annotations": {
        "io.katacontainers.config.hypervisor.disable_guest_apparmor": "false"
    }

Build the guest rootfs and image with AppArmor enabled:

    $ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true APPARMOR=yes ./rootfs.sh ubuntu'
    $ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh ${ROOTFS_DIR}'

Qemu or CloudHypervisor

Kata containers with qemu or cloudhypervisor via

1. Launch Kata containers with AppArmor (default profile
Add a test case which checks whether AppArmor inside the guest works properly using containerd. The test creates a container configured to apply the `kata-default` profile, then it checks that the container process is running with the profile enforced.

Fixes: kata-containers#5748

Depends-on: github.com/kata-containers/kata-containers#7587

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Pass the AppArmor profile for containers to the agent if `disable_guest_apparmor` is set to `false` in the runtime configuration or `io.katacontainers.config.hypervisor.disable_guest_apparmor` is set to `false` in the K8s yaml file. The `kata-default` profile, based on containerd's default profile, is applied to the container process inside the guest by default. Users can also set a custom AppArmor profile for the container process using `guest_apparmor_profile` in the runtime configuration or `io.katacontainers.config.runtime.guest_apparmor_profile` in the K8s yaml file. This will be an alternative to the Kubernetes annotation, `container.apparmor.security.beta.kubernetes.io`, for AppArmor, because users cannot apply AppArmor profiles to the container via Kubernetes' configuration. To apply the profile to the container, the guest rootfs must be Ubuntu or Debian created with `APPARMOR=yes`.

Fixes: kata-containers#7586

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Add the description about how to enable AppArmor for containers running inside the guest.

Fixes: kata-containers#7586

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Updates: Besides, the test kata-containers/tests#5749 passed. This PR is ready for the merge.

@fidencio @amshinde @bergwolf @jiangliu After this is merged into the mainline, I'll prepare for adding the

I'm adding this to my list, but it won't happen during this week, sorry.

This PR has been open with no activity for 180 days. Comment on the issue, otherwise it will be closed in 7 days.
Kata containers support AppArmor for containers running inside the guest in order to improve security.

Containers inside the guest are launched with the Kata default profile (`kata-default`) applied if `disable_guest_apparmor` is set to `false` in the runtime configuration. The `kata-default` profile, based on containerd's default profile, is applied to the container process inside the guest by default. Users can also set a custom AppArmor profile for the container process using `guest_apparmor_profile` in the runtime configuration. This will be an alternative to the Kubernetes annotation, `container.apparmor.security.beta.kubernetes.io`, for AppArmor, because Kata users cannot apply AppArmor profiles to the guest container via Kubernetes' configuration. To apply the profile to the container, the guest rootfs must be Ubuntu or Debian created with `APPARMOR=yes`. The `kata-default` profile is stored under `/etc/apparmor.d` in the rootfs. This works only if the init service is systemd, not the agent init.

Fixes: #7586

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
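Added example, not code from the PR or the Kata project: a POSIX shell helper that performs the check the test commit above describes (confirm a container process runs under `kata-default` in enforce mode, not complain mode or unconfined) and reads the effective guest AppArmor setting out of a `configuration.toml` fragment. It assumes the standard Linux `/proc/<pid>/attr/current` format and only the two configuration keys this PR names; the sample configuration fragments are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: check from the guest side that a
# container process is actually confined by the expected AppArmor profile,
# and read the effective setting out of a Kata configuration.toml fragment.
# The kernel reports a process's confinement in /proc/<pid>/attr/current as
# "<profile> (<mode>)", or as "unconfined" when no profile applies.

# Split one attr/current value into "profile|mode".
parse_attr() {
    attr=$1
    case "$attr" in
        unconfined) echo "unconfined|none" ;;
        *" ("*")")
            profile=${attr% \(*}
            mode=${attr##*\(}
            echo "$profile|${mode%\)}" ;;
        *) echo "$attr|unknown" ;;
    esac
}

# Succeed only if $1 (an attr/current value) names profile $2 in enforce
# mode; complain mode or unconfined is a failed check, as in the PR's test.
check_confined() {
    [ "$(parse_attr "$1")" = "$2|enforce" ]
}

# Live variant: check the profile of PID $2 (default: the caller) against $1.
# Only meaningful inside a guest whose rootfs was built with APPARMOR=yes.
check_pid() {
    pid=${2:-self}
    check_confined "$(cat "/proc/$pid/attr/current" 2>/dev/null || echo unconfined)" "$1"
}

# Print "disabled", or the profile the runtime would apply, for a
# configuration.toml fragment passed in $1. A missing or "true"
# disable_guest_apparmor counts as disabled; a missing guest_apparmor_profile
# falls back to kata-default, matching the PR description.
guest_apparmor_setting() {
    disabled=$(printf '%s\n' "$1" | sed -n 's/^disable_guest_apparmor *= *\([a-z]*\).*/\1/p' | tail -n1)
    profile=$(printf '%s\n' "$1" | sed -n 's/^guest_apparmor_profile *= *"\([^"]*\)".*/\1/p' | tail -n1)
    if [ "$disabled" != "false" ]; then echo disabled; return 0; fi
    echo "${profile:-kata-default}"
}

# Constructed samples: the shipped default (guest AppArmor disabled) beside
# the setting the PR's sed command produces.
SAMPLE_DEFAULT='disable_guest_apparmor = true'
SAMPLE_ENABLED='disable_guest_apparmor = false
guest_apparmor_profile = "kata-default"'
```

Inside a guest container, `check_pid kata-default` (or `check_pid kata-default "$pid"` for another process) is the enforce-mode check; the string functions let the same logic run against captured values offline.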