AppArmor Security Profiles

Objectives

Learn how to use AppArmor to implement mandatory access control in Kubernetes pods. AppArmor is a Linux kernel security module that confines programs to a limited set of resources through security profiles.

Prerequisites

Understanding AppArmor

AppArmor is a security mechanism that provides path-based access control:

  • Default behavior: Containers have unrestricted access to file system
  • Security risk: Malicious code can access sensitive files and directories
  • AppArmor solution: Define profiles that restrict file and network access
  • Kubernetes integration: Apply AppArmor profiles to pods via annotations

Q1: What are the main AppArmor profile modes?

Answer
Mode Behavior When to Use
enforce Violations are blocked and logged Production environments
complain Violations are logged but allowed Profile development and testing
unconfined No restrictions applied Debugging or disabled security

Official Kubernetes AppArmor Tutorial

For practical hands-on experience with AppArmor profiles, use the official Kubernetes tutorial:

🔗 Official AppArmor Tutorial

This tutorial covers:

  • Creating AppArmor profiles
  • Loading profiles on nodes
  • Applying profiles to pods via annotations
  • Testing profile enforcement
  • Troubleshooting common issues

Troubleshooting

Common Issues

  1. Profile not loaded: Ensure profile exists on all nodes
  2. Pod creation fails: Check profile annotation syntax
  3. Permission denied: Verify profile allows necessary operations

Debugging Steps

  • Check AppArmor status on nodes
  • Review pod events for AppArmor errors
  • Monitor AppArmor denials in system logs
  • Validate profile syntax

Security Best Practices

  1. Start with complain mode: Test profiles before enforcing
  2. Minimal access: Grant only necessary file and network permissions
  3. Profile versioning: Version control your custom profiles
  4. Monitor violations: Log and alert on AppArmor denials
  5. Automated distribution: Use DaemonSets or configuration management
  6. Regular updates: Keep profiles updated with application changes

Integration with Other Security Features

Combine with Seccomp

AppArmor works well with other security mechanisms:

  • Seccomp for system call filtering
  • Pod Security Standards for baseline security
  • Network policies for traffic control
  • Resource quotas for resource limits

Summary

You’ve learned:

  • ✅ How to apply AppArmor profiles to Kubernetes pods
  • ✅ Profile modes and their use cases
  • ✅ Integration with other security mechanisms
  • ✅ Troubleshooting techniques

AppArmor provides fine-grained access control for file system and network resources, significantly improving container security posture.

Next Steps

  • Create application-specific AppArmor profiles
  • Implement automated profile distribution
  • Monitor AppArmor violations in production
  • Combine with seccomp and other security features
  • Consider using profile generation tools for complex applications