Azure Kubernetes Service Series
Using AppArmor in Azure Kubernetes Service
Azure | Kubernetes | DevOps | AppArmor | Security | Docker
What is AppArmor
AppArmor is a Linux kernel security module (LSM) that lets a system administrator restrict a program's access to resources according to rules defined in a profile. A profile allows or denies specific capabilities and operations, such as network access or read, write and execute permission on particular paths. A profile can be written for any application to shrink that application's attack surface and add a layer of defense in depth.
AppArmor implements Mandatory Access Control (MAC): the access control attributes are bound to programs rather than to users, so a confined program is limited no matter which user runs it, root included. Profiles are loaded into the kernel at boot, and can also be loaded, replaced or unloaded at runtime with apparmor_parser.
A profile (profiles are stored under /etc/apparmor.d) can be loaded in one of two modes:
Enforce: the policy defined in the profile is enforced, and violation attempts are reported (via syslog or the audit log).
Complain: violation attempts are only reported, nothing is blocked. This is the mode to use while developing a profile, so that missing rules show up in the log before the profile is switched to enforce.
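The two modes in practice, as an added example that is not code from the original article or from the AppArmor project: a small shell helper that reads aa-status output and reports whether a named profile is loaded in enforce or complain mode, followed by the commands that move a profile between the two. The aa-status excerpt is constructed for the demo, and the profile path /etc/apparmor.d/usr.bin.example is only illustrative.

```shell
#!/bin/sh
# Added example for this article (not from the original post or the AppArmor
# project): find out which mode a named profile is loaded in by parsing
# `aa-status`, and switch a profile between complain and enforce.
# The aa-status text below and /etc/apparmor.d/usr.bin.example are constructed.

# profile_mode <profile-name> [aa-status-output-file]
# Prints "enforce", "complain" or "unloaded". Without a file it runs aa-status.
profile_mode() {
    want="$1"
    if [ -n "$2" ]; then out=$(cat "$2"); else out=$(aa-status 2>/dev/null) || return 1; fi
    printf '%s\n' "$out" | awk -v want="$want" '
        # aa-status prints a header such as "3 profiles are in enforce mode."
        # followed by one indented profile name per line. The process section
        # later in the output uses the same wording with "processes", so any
        # header line that does not match the two below ends the current list.
        /^[0-9]+ profiles are in enforce mode/  { mode = "enforce";  next }
        /^[0-9]+ profiles are in complain mode/ { mode = "complain"; next }
        /^[^[:space:]]/                         { mode = "";         next }
        mode != "" {
            name = $0
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "unloaded" }
    '
}

# Switching modes (root required). aa-complain/aa-enforce from apparmor-utils
# rewrite the flags in the profile file and reload it; apparmor_parser reloads
# directly: -r replaces the loaded profile, -C forces complain mode regardless
# of the flags written in the file.
set_complain()    { aa-complain "$1"; }        # e.g. set_complain /etc/apparmor.d/usr.bin.example
set_enforce()     { aa-enforce  "$1"; }
reload_complain() { apparmor_parser -r -C "$1"; }
reload_enforce()  { apparmor_parser -r    "$1"; }

# Constructed aa-status output used by the stand-alone demo and the checks.
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   docker-default
   lsb_release
2 profiles are in complain mode.
   /usr/bin/example
   nvidia_modprobe
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/man (4242) man
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Demo against the constructed output: enforce, complain, unloaded.
demo() {
    tmp=$(mktemp) || return 1
    sample_aa_status > "$tmp"
    for p in docker-default /usr/bin/example /usr/bin/missing; do
        printf '%s: %s\n' "$p" "$(profile_mode "$p" "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

Run `profile_mode docker-default` with no second argument on a real host to query the live kernel; the file argument exists so the parser can be checked against captured output. Note that the mode is a property of the loaded profile, not of the file on disk: after editing a profile, reload it with apparmor_parser -r (or aa-enforce/aa-complain) or the kernel keeps enforcing the old version.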
AppArmor in Docker
Consider an Ubuntu Linux node with AppArmor configured. On Ubuntu, AppArmor is installed and enabled by default, and the profiles live in the /etc/apparmor.d directory. To run containers, the sysadmin installs Docker on this node, one of the most widely used and mature container runtime engines.
From then on, Docker generates a default AppArmor profile named docker-default, loads it into the kernel, and applies it to every container it starts, unless a container is given a different profile with --security-opt apparmor=<profile-name> or is run with --privileged, which leaves it unconfined. You can see that AppArmor is active in the Security Options section of the docker info command output.
If that output does not contain a line with apparmor, then your system does not have AppArmor enabled in its kernel.
Note that AppArmor is a Linux kernel feature, so if you want Docker to apply it at the container level it must be enabled on the host. You can verify…
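The host and Docker checks described above, carried through as an added example that is not code from the original article or from Docker: a shell script that verifies the kernel flag and the Security Options line of docker info, writes an illustrative custom profile shaped like docker-default, and shows how a container is started under it. The docker info excerpt is constructed, and the profile name docker-nginx-ro and its rules are this example's own, not a Docker-supplied profile.

```shell
#!/bin/sh
# Added example for this article (not from the original post or from Docker):
# check that the host kernel has AppArmor enabled and that the Docker daemon
# reports it, then write and load an illustrative container profile and start
# a container under it. The `docker info` excerpt and the profile
# docker-nginx-ro are constructed for this example.

# apparmor_enabled [flag-file]
# Returns 0 when the kernel reports AppArmor enabled ("Y"). The path is a
# parameter so the check can also be run against a captured copy of the flag.
apparmor_enabled() {
    flag_file="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "Y" ]
}

# docker_reports_apparmor [docker-info-output-file]
# Returns 0 when `docker info` lists apparmor under Security Options, i.e. the
# daemon will apply docker-default. Reads a file if given, else runs docker info.
docker_reports_apparmor() {
    if [ -n "$1" ]; then info=$(cat "$1"); else info=$(docker info 2>/dev/null) || return 1; fi
    printf '%s\n' "$info" | grep -qE '^[[:space:]]*apparmor[[:space:]]*$'
}

# Constructed `docker info` excerpt from an AppArmor-enabled Ubuntu host.
sample_docker_info() {
    cat <<'EOF'
Server:
 Containers: 2
 Kernel Version: 5.15.0-1052-azure
 Operating System: Ubuntu 22.04.3 LTS
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
EOF
}

# write_profile <path>
# Illustrative profile for a read-mostly web container: same flags as
# docker-default, TCP networking, read/execute anywhere, writes only where
# nginx needs them, and no writes to kernel tunables or sysfs. Deny rules
# always win over allow rules, so exceptions are carved out by allowing
# narrowly, never by denying broadly and re-allowing underneath.
write_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

profile docker-nginx-ro flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet6 tcp,

  /** mrix,
  /var/cache/nginx/** rw,
  /var/run/** rw,
  /tmp/** rw,

  deny /proc/sys/** wklx,
  deny /sys/** wklx,

  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability chown,
}
EOF
}

# load_and_run <profile-path> <profile-name>   (root on a Docker host)
# apparmor_parser -r -W replaces the profile in the kernel and caches it;
# Docker then selects it by name. Inside the container, `cat
# /proc/self/attr/current` shows "<name> (enforce)"; with no option it shows
# "docker-default (enforce)", and a --privileged container shows "unconfined".
load_and_run() {
    apparmor_parser -r -W "$1" &&
    docker run --rm -d --security-opt "apparmor=$2" nginx:alpine
}

# check_host: the two checks the article describes, with one-line verdicts.
check_host() {
    if apparmor_enabled; then echo "kernel: AppArmor enabled"; else echo "kernel: AppArmor NOT enabled"; return 1; fi
    if docker_reports_apparmor; then echo "docker: Security Options lists apparmor"; else echo "docker: apparmor missing from Security Options"; return 1; fi
}

case "${1:-}" in
    check) check_host ;;
esac
```

Run the script with the `check` argument on the node to perform the live checks. The profile is deliberately tighter than docker-default and is tuned for one image; load it in complain mode first (apparmor_parser -r -C) and watch the kernel log for the accesses it would have denied before switching to enforce, otherwise a missing rule surfaces as a crashing container rather than a log line.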