Lab - AppArmor

  • Take me to the Lab

Solutions Lab - AppArmor:

  1. Information only: Kubernetes support for AppArmor is in beta state as of version 1.20.

  2. Is the AppArmor module loaded in controlplane?
    aa-status
    
    The first line of the output reads "apparmor module is loaded." (aa-status must be run as root.)

  3. How many AppArmor profiles have been loaded in total currently?

    From the output of aa-status in the previous question: the second line reads "N profiles are loaded." and N is the answer.

  4. How many AppArmor profiles have been loaded in enforce mode currently?

    From the output of aa-status in Q2: the third line reads "N profiles are in enforce mode." and N is the answer.
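Reading the counts off aa-status by eye works in the lab, but on a real node you usually want the answer for one specific profile (is custom-nginx loaded, and in which mode?) in a form a script can check. The following is an added example, not part of the lab or its solution: it parses the text aa-status prints. SAMPLE_STATUS is a constructed imitation of that output so the example runs offline; on a node you would feed it `status=$(aa-status)` instead.

```shell
#!/bin/sh
# Added example, not part of the lab. Parses aa-status output for:
#   Q3  profiles loaded in total
#   Q4  profiles loaded in enforce mode
#   and the mode of one named profile (enforce / complain / not-loaded).
# SAMPLE_STATUS is constructed to look like aa-status output; replace it with
# the real thing on a node:  status=$(aa-status)   (needs root)

SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/man
   custom-nginx
   docker-default
   lsb_release
1 profiles are in complain mode.
   /usr/sbin/tcpdump
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/nginx (4321) custom-nginx
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Q3: the "N profiles are loaded." line (second line of aa-status output).
# Matching the text rather than the line number keeps this robust if a
# future aa-status adds a line above it.
profiles_loaded() {
    printf '%s\n' "$1" | awk '/^[0-9]+ profiles are loaded/ { print $1; exit }'
}

# Q4: the "N profiles are in enforce mode." line (third line of output).
profiles_enforced() {
    printf '%s\n' "$1" | awk '/^[0-9]+ profiles are in enforce mode/ { print $1; exit }'
}

# Mode of one profile by name. Only the "N profiles are in <mode> mode."
# sections are scanned; the "N processes ..." sections that follow reset the
# mode so a confined process line ("/usr/sbin/nginx (4321) custom-nginx")
# is never mistaken for a profile entry.
profile_mode() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[0-9]+ profiles are in [a-z]+ mode/ { mode = $5; next }   # enforce, complain, ...
        /^[0-9]+ (profiles|processes) /       { mode = "";  next }   # any other header
        mode != "" {
            line = $0; sub(/^[ \t]+/, "", line)           # aa-status indents entries
            if (line == name) { print mode; found = 1; exit }
        }
        END { if (!found) print "not-loaded" }'
}

# Usage on the constructed sample:
echo "loaded:   $(profiles_loaded "$SAMPLE_STATUS")"
echo "enforce:  $(profiles_enforced "$SAMPLE_STATUS")"
echo "custom-nginx is $(profile_mode "$SAMPLE_STATUS" custom-nginx)"
echo "restricted-nginx is $(profile_mode "$SAMPLE_STATUS" restricted-nginx)"
```

The same `profile_mode` check is what you want after every apparmor_parser run: a profile that the file declares with complain flags loads in complain mode, and the pod in this lab stays blocked until the profile it names is actually present on the node.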

  5. A pod called nginx has been deployed in the default namespace.
    What is the status of this pod?
    kubectl get pods
    

    Check STATUS column.

  6. Why is this pod in a blocked state?

    Inspect the error message for this pod by running

    kubectl describe pod nginx
    
  7. What is the name of the AppArmor profile used by this pod?

    From the output of the command run for the previous question, get the profile name from the error message.

  8. Load the AppArmor profile called custom-nginx on controlplane and make sure that it is in enforced mode.

    The profile file is called usr.sbin.nginx located in the default AppArmor profiles directory.

    The default profiles directory is /etc/apparmor.d

    apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx
    
    apparmor_parser loads the profile in the mode its flags declare (enforce unless the file says complain), so confirm with aa-status (Q2) that custom-nginx now appears under the enforce-mode profiles. Note that the profile name (custom-nginx, declared inside the file) and the file name (usr.sbin.nginx) differ: aa-status and the pod both refer to the former.
    
  9. Information only.

  10. This custom nginx pod serves static web pages at two urls... Which tabs are you able to access?

    Press the Site button. A browser tab will open on the root directory of the site. Duplicate the tab and append /allowed/ to one and /restricted/ to the other.

  11. Information only.

  12. Let's fix that. Another profile is created at /etc/apparmor.d/usr.sbin.nginx-updated which prevents reads on the restricted directory inside the container.

    Use this AppArmor profile and recreate this container.

    First make sure the profile named restricted-nginx (declared inside usr.sbin.nginx-updated; the profile name, not the file name, is what the pod refers to) is loaded, by running

    aa-status
    

    If it is not listed, load it with

    apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx-updated
    

    Re-running aa-status should now show restricted-nginx in the list of enforce-mode profiles.

    The pod definition file is present at /root/CKS/custom-nginx.yaml

    Update the pod's AppArmor annotation (key container.apparmor.security.beta.kubernetes.io/<container name>, value localhost/restricted-nginx) and then recreate the pod: the profile is applied when the container is created, so a running pod does not pick up the change.

  13. Retry the site.
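Steps 12 and 13 as one scripted procedure, added here as an example and not part of the lab's own files. The contents of /root/CKS/custom-nginx.yaml are not shown on this page, so the manifest below is constructed: it assumes the pod is called custom-nginx, that its single container is named nginx, and that the image is nginx. On the real file take the container name from the YAML, because the annotation key is built from it. The `--apply` guard keeps the node-touching commands (apparmor_parser, kubectl) from running when the file is merely sourced.

```shell
#!/bin/sh
# Added example, not part of the lab. Assumed names (the real
# /root/CKS/custom-nginx.yaml may differ): pod custom-nginx, container nginx,
# image nginx. Run as root on controlplane:  sh this.sh --apply

PROFILE_FILE=/etc/apparmor.d/usr.sbin.nginx-updated
PROFILE_NAME=restricted-nginx          # name declared inside PROFILE_FILE

# Load (or replace, -r) a profile file, then confirm the named profile sits
# in the enforce-mode section of aa-status. -r is idempotent, so this works
# whether or not an earlier apparmor_parser run already loaded the profile.
load_profile() {
    file=$1; name=$2
    apparmor_parser -rq "$file" || return 1
    aa-status \
        | sed -n '/profiles are in enforce mode/,/profiles are in complain mode/p' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "$name"
}

# The pod-level annotation that binds a node-local profile to one container.
# The value names the profile, not the file it came from. (Kubernetes 1.30+
# also accepts securityContext.appArmorProfile: {type: Localhost,
# localhostProfile: <name>}; the lab uses the annotation form.)
apparmor_annotation() {
    container=$1; profile=$2
    printf 'container.apparmor.security.beta.kubernetes.io/%s: localhost/%s\n' \
        "$container" "$profile"
}

# Constructed manifest standing in for /root/CKS/custom-nginx.yaml.
render_pod_manifest() {
    pod=$1; container=$2; profile=$3; image=$4
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $pod
  annotations:
    $(apparmor_annotation "$container" "$profile")
spec:
  containers:
  - name: $container
    image: $image
EOF
}

# AppArmor is applied when the container is created, so the pod has to be
# recreated; kubectl replace --force deletes and recreates it in one step.
recreate_pod() {
    render_pod_manifest "$@" | kubectl replace --force -f -
}

if [ "${1:-}" = "--apply" ]; then
    load_profile "$PROFILE_FILE" "$PROFILE_NAME" \
        || { echo "$PROFILE_NAME not in enforce mode after load" >&2; exit 1; }
    recreate_pod custom-nginx nginx "$PROFILE_NAME" nginx
    kubectl get pod custom-nginx            # STATUS should be Running, not Blocked
fi
```

After `kubectl get pod` shows Running, step 13 is the confirmation: /allowed/ still serves, and /restricted/ now fails because the profile denies the read inside the container. If the pod comes back Blocked instead, the profile name in the annotation does not match a loaded profile on that node; compare it with the aa-status enforce list rather than with the file name.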