AppArmor and Rancher 2.x?

Hi all, has anyone got AppArmor working on Rancher 2.x (or even 1.6, for that matter)?

As I understand it, the following command, `kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {.status.conditions[?(@.reason=="KubeletReady")].message}\n{end}'`, ought to show “Apparmor enabled” next to every node; but it’s empty.

Here’s what our sleuthing has turned up so far:

  1. We have AppArmor enabled and working on the host OS, etc.
  2. The AppArmor feature gate is not explicitly disabled, so we have to assume it’s enabled
  3. Neither kube-apiserver nor kubelet logs show anything related to AppArmor being disabled (https://github.com/rancher/kubernetes/blob/v1.11.3-rancher/pkg/security/apparmor/validate.go has some nice errors, not sure if they would be logged though)
  4. We noticed that /sys/kernel/security/ is mounted in the kubelet containers, but not in the apiserver container
  5. The binary /sbin/apparmor_parser is not present in the kubelet, although it appears that func IsAppArmorEnabled() requires it to be! (we have not yet tested restarting the kubelet after copying the binary in)
  6. AppArmor works on a newly deployed non-Rancher k8s cluster
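An added check script, not part of the original post, that runs the same three prerequisites the post is chasing (the kernel's AppArmor enabled flag, an executable apparmor_parser on the search path, and securityfs exposing /sys/kernel/security/apparmor) so the result can be compared between the host and the kubelet container. The sysfs root and binary directory are parameters so the function can also be pointed at a constructed test tree; the kubelet container name "kubelet" in the usage note is an assumption.

```shell
#!/bin/sh
# apparmor_ready SYSROOT BINDIR
#   SYSROOT: filesystem root to inspect ("/" on a live system)
#   BINDIR:  directory expected to hold apparmor_parser (e.g. /sbin)
# Prints one line per finding and returns 0 only if every check passes,
# which is the condition the kubelet needs before it reports AppArmor enabled.
apparmor_ready() {
    sysroot="$1"; bindir="$2"; rc=0

    # 1. The kernel must report AppArmor enabled: the parameters file starts with "Y".
    enabled_file="$sysroot/sys/module/apparmor/parameters/enabled"
    if [ -r "$enabled_file" ] && [ "$(head -c 1 "$enabled_file")" = "Y" ]; then
        echo "ok:   kernel reports AppArmor enabled ($enabled_file)"
    else
        echo "FAIL: $enabled_file missing or not 'Y'"; rc=1
    fi

    # 2. apparmor_parser must be present and executable (finding 5 in the post).
    if [ -x "$bindir/apparmor_parser" ]; then
        echo "ok:   apparmor_parser present in $bindir"
    else
        echo "FAIL: apparmor_parser not found in $bindir"; rc=1
    fi

    # 3. securityfs must be mounted so the apparmor directory is visible (finding 4).
    if [ -d "$sysroot/sys/kernel/security/apparmor" ]; then
        echo "ok:   securityfs exposes $sysroot/sys/kernel/security/apparmor"
    else
        echo "FAIL: $sysroot/sys/kernel/security/apparmor absent (securityfs not mounted?)"; rc=1
    fi

    return $rc
}
```

On the host run `apparmor_ready / /sbin`; to test the kubelet container, copy the script in with `docker cp` and run it with `docker exec kubelet sh /tmp/check.sh`, then compare the two outputs.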