CKS Killer.sh simulator question | Question 9 | AppArmor Profile

Task weight: 3%

Use context: kubectl config use-context workload-prod

Some containers need to run more secure and restricted. There is an existing AppArmor profile located at /opt/course/9/profile for this.

  1. Install the AppArmor profile on Node cluster1-node1. Connect using ssh cluster1-node1.

  2. Add label security=apparmor to the Node

  3. Create a Deployment named apparmor in Namespace default with:

    • One replica of image nginx:1.19.2
    • NodeSelector for security=apparmor
    • Single container named c1 with the AppArmor profile enabled

The Pod might not run properly with the profile enabled. Write the logs of the Pod into /opt/course/9/logs so another team can work on getting the application running.



Reference

https://kubernetes.io/docs/tutorials/clusters/apparmor

Solution
1.

Inspect the profile, then copy it to the node where it will be loaded. Note how the rules combine: `file,` grants all file access, and `deny /** w,` then takes write access away for every path. In AppArmor an explicit deny always wins over an allow, so a process confined by this profile can read anything but never write.

vim /opt/course/9/profile
# /opt/course/9/profile

#include <tunables/global>

profile very-secure flags=(attach_disconnected) {
  #include <abstractions/base>

  # Allow all file access (read, write, exec, ...).
  file,

  # Deny all file writes. The deny rule beats the allow above, so every path
  # becomes read-only, including the directories nginx needs to write to.
  deny /** w,
}
scp /opt/course/9/profile cluster1-node1:~/

Log in to cluster1-node1 and load the profile into the kernel. `apparmor_parser` loads it immediately but not persistently; to have it reloaded after a reboot, the file also has to live in /etc/apparmor.d/.

ssh cluster1-node1

apparmor_parser -q profile           # load ./profile; enforce mode, since the profile carries no complain flag
apparmor_status | grep very-secure   # verify: it should be listed under "profiles are in enforce mode"
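The grep above only proves the name appears somewhere in the status output; it would match just as well if the profile had been loaded in complain mode, which logs violations but enforces nothing. The function below is an added example, not part of the exam solution and not an AppArmor tool: it follows the section structure of `apparmor_status` output (a "profiles are in ... mode" heading followed by indented profile names) and reports the mode of one named profile. The status text embedded in it is constructed here to exercise the parser; on the node you would pipe the real command into it.

```sh
#!/bin/sh
# Added example: report the mode of one AppArmor profile from apparmor_status output.
# Usage on the node:  apparmor_status | aa_profile_mode very-secure
# Prints enforce, complain, kill, unconfined, other, or absent.
aa_profile_mode() {
  awk -v p="$1" '
    # Section headings of the "profiles are in ... mode" form set the current mode.
    /profiles are in enforce mode/    { mode = "enforce";    next }
    /profiles are in complain mode/   { mode = "complain";   next }
    /profiles are in kill mode/       { mode = "kill";       next }
    /profiles are in unconfined mode/ { mode = "unconfined"; next }
    /profiles are in /                { mode = "other";      next }
    # Once the per-process sections start, profile names may recur; stop matching.
    /processes/                       { mode = "" }
    # Inside a profile section, a line whose first field is the profile name is a hit.
    mode != "" && $1 == p             { found = mode }
    END { print (found != "" ? found : "absent") }
  '
}

# Exit non-zero unless the named profile is actually enforced (reads status text on stdin).
require_enforced() {
  mode=$(aa_profile_mode "$1")
  [ "$mode" = enforce ] || { echo "profile $1 is $mode, expected enforce" >&2; return 1; }
}

# Constructed apparmor_status output (not captured from a real node): very-secure
# is loaded in enforce mode, lax-profile only in complain mode.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   very-secure
2 profiles are in complain mode.
   /usr/sbin/sshd
   lax-profile
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/nginx (4242) very-secure
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Demonstration on the constructed sample; on the node replace the printf with apparmor_status.
printf '%s\n' "$SAMPLE_STATUS" | require_enforced very-secure && echo "very-secure is enforced"
```

The per-process sections are deliberately skipped: a process line can repeat a profile name, and matching it would report a mode for a profile that is no longer loaded.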
2.

Check the existing node labels, then label the node

k label -h
k get node --show-labels
k label node cluster1-node1 security=apparmor
3.

Generate a Deployment manifest and edit it

k create deploy apparmor --image=nginx:1.19.2 $do > 9_deploy.yaml   # $do is the killer.sh alias for "--dry-run=client -o yaml"

vim 9_deploy.yaml
# 9_deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: apparmor
  name: apparmor
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apparmor
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: apparmor
      annotations:                                                                 # added
        container.apparmor.security.beta.kubernetes.io/c1: localhost/very-secure   # added; key suffix must equal the container name
    spec:
      nodeSelector:                    # added
        security: apparmor             # added
      containers:
      - image: nginx:1.19.2
        name: c1                       # changed from the generated name nginx
        resources: {}

Create the Deployment. The annotation is matched by container name, so after renaming the generated container from nginx to c1 the key must end in c1 as well. The `container.apparmor.security.beta.kubernetes.io/<container>` annotation is the form the referenced tutorial and this exam version use; from Kubernetes 1.30 the same profile can instead be set per container in `securityContext.appArmorProfile` with `type: Localhost` and `localhostProfile: very-secure`.

k -f 9_deploy.yaml create

Check scheduling and the logs. The nodeSelector puts the Pod on cluster1-node1, but under `deny /** w` nginx cannot write its pid file or its temp and cache directories, so it is expected to exit and the Pod to end up in CrashLoopBackOff. `k logs` still returns the output of the last crashed container, and that is what goes into the file.

k get pod -owide | grep apparmor
k logs apparmor-85c65645dc-w852p                        # use the Pod name shown by the command above
k logs apparmor-85c65645dc-w852p > /opt/course/9/logs
