CKS Mock Exam 1 Q1 - apparmor

Alexandre · January 8, 2024, 3:55pm

Hello,

apparmor_parser -q /etc/apparmor.d/frontend

This command does not prevent the /internal/ page from being displayed, even though this is what is expected. Why is this?

rob_kodekloud · January 8, 2024, 8:18pm

apparmor_parser takes the apparmor definition file and makes it available to apparmor. But your pods don’t automatically respect the new definition; you need to make a particular pod use apparmor, by adding the needed annotation to it.

Alexandre · January 9, 2024, 7:39am

So the proposed correction is not complete, if I understand correctly.

rob_kodekloud · January 9, 2024, 3:42pm

What do you mean by “the proposed correction”? You register the apparmor file using the command; you add an annotation to a pod to “opt in” to that code.

Alexandre · January 10, 2024, 8:22am

Sorry, I should have used the term “solution” instead of “correction”. The solution does not mention the addition of the annotation in the Pod definition.

rob_kodekloud · January 10, 2024, 8:21pm

Where are you looking? The annotation is mentioned in the correction/solutions screen of the mock exam, and is also mentioned in the solutions page of the CKS repo.

From the End of Exam page:

  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: localhost/restricted-frontend #Apply profile 'restricted-fronend' on 'nginx' container

Alexandre · January 10, 2024, 8:33pm

This is not the case in the solution after the end of the exam, during the scoring phase.

rob_kodekloud · January 10, 2024, 9:55pm

No, it’s definitely in there. Scroll down a bit; I looked at this today, and the text I copied is from exactly there.

Kirill-Yesikov · April 28, 2024, 8:27pm

Hello, I am taking my exam in May this year. In the Kubernetes docs (which are for 1.30 version) apparmor has a dedicated spec field now under the appArmorProfile under the securityContext. As far as I know the exam is on Kubernetes 1.29 . How can I use the annotation , would you suggest?

rob_kodekloud · April 28, 2024, 8:53pm

Guessing what LF will do with CKS is something of a fool’s game. The safest approach is to know the 1.29 based annotation approach, and the 1.30 based securityContext. appArmorProfile.type approach. I’m not sure if the annotation approach will even work with 1.30, so if you have the opportunity to test this on a 1.30 system, you should do so.

Kirill-Yesikov · April 30, 2024, 3:12pm

Hello. Thanks for the response. I have a test cluster with 1.30. I might try it , not really interested though:) cause I found a link Well-Known Labels, Annotations and Taints | Kubernetes

Kirill-Yesikov · April 30, 2024, 3:25pm

Just one last thing .Watch out for the workload types using replicas spec. Mind you annotation is for the “metadata” template, therefore goes under spec.template.metadata.annotations