k8s Security 07 -- Using AppArmor to Restrict the Resources a Container Can Access


  • 1 Introduction
  • 2 Hands-on example
  • 2.1 Basic apparmor commands
  • 2.2 Restricting the resources a pod can access with AppArmor
  • 3 Notes
  • 4 References

1 Introduction

AppArmor is a kernel enhancement to confine programs to a limited set of resources. AppArmor's unique security model is to bind access control attributes to programs rather than to users.
AppArmor confinement is provided via profiles loaded into the kernel via apparmor_parser(8), typically through the /etc/init.d/apparmor SysV initscript, which is used like this: /etc/init.d/apparmor start | stop | restart

2 Hands-on example

2.1 Basic apparmor commands

View the usage instructions
# man apparmor

Check the status, load a profile from /etc/apparmor.d, and confirm it is listed
# apparmor_status | grep your_
# cd /etc/apparmor.d
# apparmor_parser -q your_profile_file
# apparmor_status | grep your_profile_name

2.2 Restricting the resources a pod can access with AppArmor

1 Create the profile

cd /etc/apparmor.d
vim k8s-apparmor-example-deny-write

#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}

2 Load (enable) the profile

# apparmor_parser k8s-apparmor-example-deny-write
# apparmor_status | grep k8s

3 Add the pod configuration

$ wget https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/security/hello-apparmor.yaml

$ cat hello-apparmor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

$ kubectl apply -f hello-apparmor.yaml
pod/hello-apparmor created


4 Test the deny-write configuration

$ kubectl exec hello-apparmor -- cat /proc/1/attr/current
k8s-apparmor-example-deny-write (enforce)
$ kubectl exec hello-apparmor -- touch /apparmor.txt
touch: /apparmor.txt: Permission denied
command terminated with exit code 1


3 Notes

  1. For more usage details, see man apparmor
  2. Format of the annotation used in k8s

container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>

container_name corresponds to the specific container's name; the pod name can be filled in directly;
profile_ref is usually localhost/k8s-apparmor-example-deny-write (the name of the profile under /etc/apparmor.d)
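As an added example (not from the original post), a small Python checker that ties the test step in 2.2 to the annotation format above: it parses `name (mode)` lines of the kind /proc/1/attr/current showed, and verifies that every container in a pod manifest carries a localhost/ annotation naming a profile that is loaded and in enforce mode, flagging an annotation whose suffix matches no container. The second profile name and the manifest dicts are constructed sample data.

```python
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # + container name

# Constructed sample in the "<name> (<mode>)" form of /sys/kernel/security/apparmor/profiles.
LOADED_PROFILES_TEXT = """\
k8s-apparmor-example-deny-write (enforce)
k8s-apparmor-example-audit-write (complain)
"""

# The page's hello-apparmor manifest as a dict (constructed from its YAML).
HELLO_POD = {
    "metadata": {"name": "hello-apparmor", "annotations": {
        ANNOTATION_PREFIX + "hello": "localhost/k8s-apparmor-example-deny-write"}},
    "spec": {"containers": [{"name": "hello", "image": "busybox"}]},
}

def parse_loaded_profiles(text):
    """Map profile name -> mode ("enforce" / "complain") from 'name (mode)' lines."""
    profiles = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\S.*?) \((\w+)\)", line.strip())
        if m:
            profiles[m.group(1)] = m.group(2)
    return profiles

def check_pod(pod, loaded):
    """Return findings for a pod manifest dict; an empty list means every
    container is bound to a loaded, enforcing node-local (localhost/) profile."""
    findings = []
    containers = {c["name"] for c in pod["spec"]["containers"]}
    annotated = set()
    for key, ref in pod.get("metadata", {}).get("annotations", {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        cname = key[len(ANNOTATION_PREFIX):]
        annotated.add(cname)
        if cname not in containers:  # e.g. pod name used instead of container name
            findings.append(f"{cname}: annotation matches no container in {sorted(containers)}")
        elif not ref.startswith("localhost/"):
            findings.append(f"{cname}: {ref!r} is not a profile loaded from /etc/apparmor.d")
        else:
            mode = loaded.get(ref[len("localhost/"):])
            if mode is None:
                findings.append(f"{cname}: profile {ref} is not loaded on the node")
            elif mode != "enforce":
                findings.append(f"{cname}: profile {ref} is in {mode} mode, not enforce")
    for cname in sorted(containers - annotated):
        findings.append(f"{cname}: no AppArmor annotation, runs without this confinement")
    return findings
```

Running `check_pod(HELLO_POD, parse_loaded_profiles(LOADED_PROFILES_TEXT))` on the page's manifest returns an empty list; a pod whose container has no annotation or whose profile is only in complain mode is reported.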

4 References

  • Restrict a Container's Access to Resources with AppArmor
  • docs/tutorials/clusters/apparmor/
  • docs.docker.com/engine/security/apparmor/

