New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AppArmor Support #8299 #18858
base: master
Are you sure you want to change the base?
Add AppArmor Support #8299 #18858
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: nnzv The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Welcome @nnzv! |
Hi @nnzv. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Can one of the admins verify this patch? |
I'm checking if the kernel image from Buildroot supports AppArmor. Following the docs, I tried
|
CC: @tstromberg |
I've gone through the entire image building process to test out the new environment, following the documentation closely. It instructs to use the target
Seems like the only thing left is to tweak the kernel, you know, enabling those configurations I mentioned earlier. Once that's done, the feature should be ready, although we still need to do some testing regarding the use of AppArmor at the Kubernetes level. I'll roughly leave the final commands I used and some evidence. Note that the last "cat" command results in
|
@nnzv do you mind sharing what use cases this would help with ? are there any issues that users are already asking for this ? |
User @acoulon99 requested this feature some time ago via an issue (#8299). For detailed information on its use cases, you can refer to the Kubernetes documentation at https://kubernetes.io/docs/tutorials/security/apparmor, particularly the example of a profile that blocks all file write operations on nodes. It's surprising that Minikube hasn't incorporated this feature, considering that Kubernetes has supported AppArmor since version |
thank you for sharing that thats a valid reason to add the support, in the past each time apparomor gets enabled it breaks a lot of other things... I curious how it would affect addons or other normal use cases |
ok-to-build-iso |
if we I think we should have a flag to like --apparomor so if users face issues they could disable it. |
You're welcome. Indeed, it does seem like a good idea. I wasn't aware that it was implemented long ago but disabled due to breaking changes. Regarding the new flag, I'm not sure how to dynamically ignore things by buildroot, specifically referring to the |
yes I think there was issues with github action running with apparmor (for KIC - docker/podman drivers) @nnzv the ISO build failed btw but not related to this PR (yet) the build failure is due to the changes in SHA by containernetworking/plugins#1038 that they unexpectedly built the binary and overwrote the previous ones for enable disabling it I am thinking if there should be a linux command to turn it on or off after the ISO is built. so if users start minikube --apparmor=true it would be enabled in the kernel module. that way we would not have a lot of new headaches for breaking people's existing workflows |
/ok-to-build-iso |
Yeah, sounds like a modprobe. So, the AppArmor config needs to be ...
if (*WantAppArmorSupport) {
sshtunnel("sudo modprobe apparmor")
// Additional logic can go here for further validation
}
... |
Hi @nnzv, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further. |
/ok-to-test |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@@ -3,6 +3,7 @@ BR2_aarch64=y | |||
|
|||
# Toolchain | |||
BR2_TOOLCHAIN_BUILDROOT_WCHAR=y | |||
BR2_TOOLCHAIN_BUILDROOT_CXX=y |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
was enabling c++ libraries needed ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nnzv the ISO has been built succesfully, I think could you please test it manually to see if it is enabled ?
and also how about we explore setting somethig like BR2_TARGET_GENERIC_INITSCRIPT_APPARMOR=n to prevent AppArmor from starting automatically at boot and then if the user wants it they can enable it |
Is this config unique to Buildroot? Haven't found it. You can try apparmor_parser, but I haven't set up AppArmor in the kernel #18858 (comment). Let me commit that change. Sorry for the delay. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@nnzv I didnt see any new change in your commit, if apparmor is added you should be able to verify it locally |
ok-to-build-iso |
Apparmor configured for aarch64 and x86_64 platforms, requiring activation via kernel parameters (e.g., via grub.cfg). Debug settings enabled for future apparmor issue resolution.
Added apparmor utilities and extra utilities to configurations for both aarch64 and x86_64 platforms. Apparmor utilities such as aa-status are helpful for exploring this LSM, while additional utilities require Perl and other dependencies, hopefully already enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After researching, I found that apparmor can't be activated as a kernel module. So, with this setup, the kernel won't use apparmor LSM by default. To enable it dynamically, we may need to tweak kernel parameters in the grub.cfg
. So, after setting up a node, we'd SSH in, adjust the grub.cfg
, or generate it with grub-mkconfig after editing /etc/default/grub
.
minikube ssh
# ...
vi /etc/default/grub
# ...
grep CMDLINE_LINUX /etc/default/grub
# GRUB_CMDLINE_LINUX="... apparmor=1 security=apparmor ..."
grub-mkconfig -o /boot/grub/grub.cfg
# ...
If for some reason Minikube doesn't handle the modification of the grub configuration, we can manually edit /boot/grub/grub.cfg
or its equivalent on the node to add the required kernel parameters. Afterward, a reboot is required for the kernel to recognize the new LSM. Of course, this explanation is simply to outline the process; ideally, automation could be achieved using a boolean flag variable like --apparmor
, as you mentioned.
No worries. It's committed now. Since I don't have my ThinkPad (the one I used for development) with me, I'll wait for Minikube's CI to finish building the ISO. Once that's done, I'll test the POC I mentioned earlier, specifically about enabling apparmor with kernel parameters. Enabling it by default (adding
|
This comment has been minimized.
This comment has been minimized.
Hi @nnzv, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further. |
kvm2 driver with docker runtime
Times for minikube ingress: 27.0s 27.5s 23.5s 24.0s 24.5s Times for minikube start: 49.4s 46.3s 46.1s 47.5s 50.4s docker driver with docker runtime
Times for minikube start: 21.1s 21.3s 21.9s 22.2s 21.5s Times for minikube ingress: 21.3s 21.8s 21.8s 21.8s 20.8s docker driver with containerd runtime
Times for minikube start: 20.3s 20.3s 23.0s 22.4s 20.4s Times for minikube ingress: 31.8s 47.8s 32.3s 31.3s 32.3s |
Hey @medyagh, could we give "ok-to-build-iso" another shot? I've checked the ISO created by the bot, but it seems my changes weren't taken into account (494ee1d and e109ed0). By the way, do you happen to know how we can tweak kernel parameters? I'm aware that each architecture in |
This comment has been minimized.
This comment has been minimized.
These are the flake rates of all failed tests.
To see the flake rates of all tests by environment, click here. |
Implemented AppArmor support for Minikube on both aarch64 and x86_64 architectures. Testing pending, relying on documentation for guidance. Excluded unnecessary extras:
BR2_PACKAGE_APPARMOR_PROFILES
: Community profiles deemed non-essential for Minikube users.