Hello, I am facing issues in creating an app armor enabled pod to start on the . . .

Sid B:
Hello,

I am facing issues in creating an app armor enabled pod to start on the node. I am following the same video from the lectures.

Below is my Pod manifest

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: pod-apparmor
  name: pod-apparmor
  annotations: 
    container.apparmor.security.beta.kubernetes.io/pod-apparmor: localhost/apparmor-file-deny
spec:
  containers:
  - image: ubuntu
    name: pod-apparmor
    command:
    - sh
    - -c
    - "echo 'Sleeping for an hour!!' && sleep 1h"

Associated apparmor profile is as below

root@kube-master:/home/vagrant# cat apparmor-file-deny 
profile apparmor-deny-write flags=(attach_disconnected){
    file,
    
    # Deny all file writes
    deny /** w,
}

Status of apparmor load

root@kube-master:/home/vagrant# aa-status
apparmor module is loaded.
17 profiles are loaded.
17 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   apparmor-deny-write
   docker-default
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
   man_filter
   man_groff
0 profiles are in complain mode.
14 processes have profiles defined.
14 processes are in enforce mode.
   docker-default (10956) 
   docker-default (10978) 
   docker-default (11016) 
   docker-default (11027) 
   docker-default (11102) 
   docker-default (11130) 
   docker-default (11209) 
   docker-default (11238) 
   docker-default (14345) 
   docker-default (14503) 
   docker-default (14724) 
   docker-default (14756) 
   docker-default (14835) 
   docker-default (15291) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

However, the pod is not starting and giving the below error

root@kube-master:/home/vagrant# kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
pod-apparmor   0/1     Blocked   0          5m10s

Please can you help?

I am using Ubuntu 18.04 and a single-node Kubernetes cluster started using kubeadm.

root@kube-master:/home/vagrant# cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

unnivkn:
Hello… your annotation is wrong

annotations: 
    container.apparmor.security.beta.kubernetes.io/pod-apparmor: localhost/apparmor-file-deny

unnivkn:
It should be:

annotations: 
    container.apparmor.security.beta.kubernetes.io/pod-apparmor: localhost/apparmor-deny-write
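The mistake in this thread is that the annotation value after localhost/ must be the profile name declared in the profile's header (apparmor-deny-write), not the file the profile was loaded from (apparmor-file-deny). The following added script (not from the thread or from Kubernetes) pulls the name out of a profile file, reads the enforced profiles from aa-status output, and checks a pod annotation against them; the profile text and aa-status excerpt are constructed copies of what was posted above.

```python
import re

# Constructed copy of the profile file posted in the thread: the name the
# kubelet looks up is "apparmor-deny-write" (from the profile header), not
# the file name "apparmor-file-deny".
PROFILE_FILE = """\
profile apparmor-deny-write flags=(attach_disconnected){
    file,
    # Deny all file writes
    deny /** w,
}
"""

# Constructed excerpt of the thread's `aa-status` output.
AA_STATUS = """\
3 profiles are in enforce mode.
   /sbin/dhclient
   apparmor-deny-write
   docker-default
0 profiles are in complain mode.
"""

def profile_names_in_file(text):
    """Names declared by `profile NAME ... {` headers in a profile file."""
    return re.findall(r"^\s*profile\s+(\S+)", text, re.MULTILINE)

def enforced_profiles(aa_status_output):
    """Profile names listed under 'profiles are in enforce mode'."""
    names, collecting = [], False
    for line in aa_status_output.splitlines():
        if line.endswith("profiles are in enforce mode."):
            collecting = True
        elif collecting and line.startswith("   "):
            names.append(line.strip())
        elif collecting:
            break  # reached the next section of aa-status
    return names

def check_annotation(value, loaded):
    """Validate one container.apparmor.security.beta.kubernetes.io value."""
    if value in ("runtime/default", "unconfined"):
        return True, "handled by the container runtime"
    if not value.startswith("localhost/"):
        return False, "unknown profile reference"
    name = value[len("localhost/"):]
    if name in loaded:
        return True, "profile is loaded in enforce mode"
    return False, f"profile {name!r} is not loaded on the node"
```

On a real node, replace the two constants with the contents of the profile file and the output of `aa-status`; a value that fails check_annotation is exactly what leaves the pod in the Blocked state shown above.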

SidB:
Thanks unni. This has worked now