Hi all, has anyone got AppArmor working on Rancher 2.x (or even 1.6, for that matter)?
As I understand it, the following:
`kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {.status.conditions[?(@.reason=="KubeletReady")].message}\n{end}'`
ought to show "Apparmor enabled" next to every node, but it's empty.
Here’s what our sleuthing has turned up so far:
- We have AppArmor enabled and working on the host OS, etc.
- The AppArmor feature gate is not explicitly disabled, so we have to assume it's enabled.
- Neither kube-apiserver nor kubelet logs show anything related to AppArmor being disabled (https://github.com/rancher/kubernetes/blob/v1.11.3-rancher/pkg/security/apparmor/validate.go has some nice errors, not sure if they would be logged though).
- We noticed that `/sys/kernel/security/` is mounted in the kubelet containers, but not in the apiserver container.
- The binary `/sbin/apparmor_parser` is not present in the kubelet, although it appears that `func IsAppArmorEnabled()` requires it to be! (We have not yet tested restarting the kubelet after copying the binary in.)
- AppArmor on a newly deployed non-Rancher k8s cluster works.
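An added diagnostic to go with the troubleshooting above. It is not from the post and is not Rancher or Kubernetes code; it is a POSIX sh script that performs, inside the kubelet container and on the host, the three host-side conditions the post discusses: the kernel's `/sys/module/apparmor/parameters/enabled` reporting `Y`, the securityfs `apparmor` directory being visible in the current mount namespace, and `apparmor_parser` being findable. It follows the post's reading of `validate.go` (parser required) rather than reproducing that file's exact logic. The `ROOT` prefix, the colon-separated search path, the `run` argument and the function names are my own, so the same checks can be pointed at a constructed directory tree; a final helper filters the jsonpath output quoted in the post down to the nodes whose KubeletReady message lacks "AppArmor enabled".

```shell
#!/bin/sh
# Added example, not part of the original post or of Rancher/Kubernetes.
# Usage: sh apparmor_check.sh run            (on the host)
#        docker exec kubelet sh -s run < apparmor_check.sh   (in the kubelet container)
# All functions take a root prefix (empty on a real box) so they can be
# exercised against a fake tree; the three checks below are assumptions about
# what the kubelet needs, modelled on the post, not a copy of validate.go.

# Check 1: the kernel's module parameter says AppArmor is enabled ("Y").
apparmor_enabled_param() {
    root="$1"
    f="$root/sys/module/apparmor/parameters/enabled"
    [ -r "$f" ] || { echo "enabled-param: missing ($f)"; return 1; }
    first=""
    IFS= read -r first < "$f" || :
    case "$first" in
        Y*) echo "enabled-param: Y"; return 0 ;;
        *)  echo "enabled-param: '$first' (not Y)"; return 1 ;;
    esac
}

# Check 2: securityfs with the apparmor directory is visible in this mount
# namespace (the post notes it is mounted in kubelet but not in apiserver).
apparmor_securityfs() {
    root="$1"
    d="$root/sys/kernel/security/apparmor"
    [ -d "$d" ] || { echo "securityfs: $d not present (securityfs not mounted here?)"; return 1; }
    echo "securityfs: $d present"
}

# Check 3: apparmor_parser is on a colon-separated list of directories.
apparmor_parser_present() {
    search="$1"
    old_ifs="$IFS"; IFS=:
    for dir in $search; do
        if [ -x "$dir/apparmor_parser" ]; then
            IFS="$old_ifs"
            echo "parser: $dir/apparmor_parser"
            return 0
        fi
    done
    IFS="$old_ifs"
    echo "parser: apparmor_parser not found on $search"
    return 1
}

# Run all three checks; the return value is the number of failed checks, so
# 0 means every host-side precondition this script knows about is satisfied.
apparmor_host_check() {
    root="${1:-}"
    search="${2:-/sbin:/usr/sbin:/bin:/usr/bin}"
    fails=0
    apparmor_enabled_param "$root"   || fails=$((fails + 1))
    apparmor_securityfs "$root"      || fails=$((fails + 1))
    apparmor_parser_present "$search" || fails=$((fails + 1))
    return "$fails"
}

# Feed this the "name: message" lines produced by the kubectl jsonpath
# command in the post; it prints the nodes whose KubeletReady message does
# not mention AppArmor (case-insensitive, since the exact string varies).
nodes_missing_apparmor() {
    grep -iv 'apparmor enabled' | cut -d: -f1
}

if [ "${1:-}" = "run" ]; then
    apparmor_host_check "" "$PATH"
    echo "failed checks: $?"
fi
```

Run it on the host and again with `docker exec` inside the kubelet container and compare: a failure only inside the container points at the container image or its mounts (as with the missing parser binary noted above) rather than at the host kernel.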