Task weight: 3%
Use context: kubectl config use-context workload-prod
Some containers need to run more securely and with restrictions. An existing AppArmor profile for this is located at /opt/course/9/profile.
-
Install the AppArmor profile on Node cluster1-node1. Connect using ssh cluster1-node1.
-
Add label security=apparmor to the Node
-
Create a Deployment named apparmor in Namespace default with:
- One replica of image nginx:1.19.2
- NodeSelector for security=apparmor
- Single container named c1 with the AppArmor profile enabled
The Pod might not run properly with the profile enabled. Write the logs of the Pod into /opt/course/9/logs so another team can work on getting the application running.
Reference
https://kubernetes.io/docs/tutorials/clusters/apparmor
Solution
1.
Inspect the profile and copy it to the node the Pod will run on. Note how the two rules combine: `file,` grants access to all files, and `deny /** w,` then removes write permission on every path; in AppArmor, deny rules take precedence over allow rules, so the result is read-only access everywhere.
vim /opt/course/9/profile
# /opt/course/9/profile
#include <tunables/global>
profile very-secure flags=(attach_disconnected) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
scp /opt/course/9/profile cluster1-node1:~/
Log in to cluster1-node1 and load the profile into the kernel (apparmor_parser needs root; use -r instead of -q if a profile with the same name is already loaded and you want to replace it):
ssh cluster1-node1
apparmor_parser -q profile
apparmor_status | grep very-secure   # very-secure should be listed under "profiles are in enforce mode"
Loading with apparmor_parser takes effect immediately but does not survive a reboot; copy the file into /etc/apparmor.d/ on the node as well if the profile must persist.
2.
Check the existing node labels, then label the node (k label -h shows the syntax):
k label -h
k get node --show-labels
k label node cluster1-node1 security=apparmor
3.
Generate a Deployment manifest and edit it ($do is the alias for --dry-run=client -o yaml, k for kubectl). The profile is attached with the container.apparmor.security.beta.kubernetes.io/<container-name> annotation, which is the form the referenced tutorial uses; since Kubernetes 1.30 the supported way is the container's securityContext.appArmorProfile field (type: Localhost, localhostProfile: very-secure) and the annotation is deprecated, so use whichever the cluster version supports:
k create deploy apparmor --image=nginx:1.19.2 $do > 9_deploy.yaml
vim 9_deploy.yaml
# 9_deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: apparmor
  name: apparmor
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apparmor
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: apparmor
      annotations:                                                              # added
        container.apparmor.security.beta.kubernetes.io/c1: localhost/very-secure  # added
    spec:
      nodeSelector:                                                             # added
        security: apparmor                                                      # added
      containers:
      - image: nginx:1.19.2
        name: c1                                                                # changed
        resources: {}
Create the Deployment:
k -f 9_deploy.yaml create
Check where the Pod was scheduled and what it logged. It lands on cluster1-node1 because of the nodeSelector, but the container does not stay up: the profile's `deny /** w,` blocks every file write, and nginx has to write at startup (its pid file, cache directories and the entrypoint's generated config), so it exits with a permission-denied error. That error is exactly what goes into the logs file. The Pod name suffix will differ on your cluster; use the name shown by the first command in both log commands:
k get pod -owide | grep apparmor
k logs apparmor-85c65645dc-w852p
k logs apparmor-85c65645dc-w852p > /opt/course/9/logs
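The checks a practitioner would want after finishing the three steps, as an added example that is not part of the original solution: confirm the profile is loaded in enforce mode (not merely complain mode) on the node, confirm the Pod landed on the labelled node, confirm from inside the container that the kernel actually applied the profile, and save the logs. It assumes kubectl points at workload-prod, that `ssh cluster1-node1` works non-interactively as root, that the Deployment's pods carry the label app=apparmor (as in 9_deploy.yaml), and the NODE, PROFILE and LOGFILE defaults below; all of these are assumptions, not part of the task text.

```sh
#!/bin/sh
# Added verification script for the AppArmor task above. Not part of the
# original solution or of any Kubernetes tooling. Assumes: kubectl context
# workload-prod, passwordless root ssh to the node, pods labelled app=apparmor.
set -eu

NODE="${NODE:-cluster1-node1}"          # assumption: node from the task
PROFILE="${PROFILE:-very-secure}"       # assumption: profile name from /opt/course/9/profile
LOGFILE="${LOGFILE:-/opt/course/9/logs}"

# profile_enforced STATUS_TEXT NAME
# Succeeds only if NAME is listed in the "enforce mode" section of
# apparmor_status output. A plain grep would also match a profile loaded in
# complain mode, which logs violations but does not block them.
profile_enforced() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /profiles are in enforce mode/    { sec = "enforce";  next }
    /profiles are in complain mode/   { sec = "complain"; next }
    /profiles are in / || /processes/ { sec = "";         next }
    sec == "enforce" { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# container_confined ATTR_CURRENT NAME
# The kernel reports the confining profile of a process in
# /proc/<pid>/attr/current, e.g. "very-secure (enforce)". Anything else
# (unconfined, complain mode, another profile) means the policy is not applied.
container_confined() {
  [ "$1" = "$2 (enforce)" ]
}

# verify_cluster: run the real checks against the cluster and save the logs.
verify_cluster() {
  # 1. The profile must be loaded in enforce mode on the node.
  status=$(ssh "$NODE" apparmor_status)
  profile_enforced "$status" "$PROFILE" \
    || { echo "profile $PROFILE is not enforced on $NODE" >&2; return 1; }

  # 2. The Pod must have been scheduled onto the labelled node.
  pod=$(kubectl -n default get pod -l app=apparmor -o jsonpath='{.items[0].metadata.name}')
  node=$(kubectl -n default get pod "$pod" -o jsonpath='{.spec.nodeName}')
  [ "$node" = "$NODE" ] \
    || { echo "pod $pod runs on $node, expected $NODE" >&2; return 1; }

  # 3. If the container is up, confirm the kernel really confined PID 1.
  #    exec fails while the container is crash-looping, so this is best effort.
  if attr=$(kubectl -n default exec "$pod" -c c1 -- cat /proc/1/attr/current 2>/dev/null); then
    container_confined "$attr" "$PROFILE" \
      || { echo "container c1 is confined by '$attr', not $PROFILE" >&2; return 1; }
  fi

  # 4. Save the logs for the other team. --previous reads the last terminated
  #    instance when the current one has produced no output yet.
  kubectl -n default logs "$pod" -c c1 > "$LOGFILE" 2>/dev/null \
    || kubectl -n default logs "$pod" -c c1 --previous > "$LOGFILE"
  echo "logs written to $LOGFILE"
}

# Only touch the cluster when explicitly asked:  sh verify.sh run
if [ "${1:-}" = "run" ]; then
  verify_cluster
fi
```

The helper functions take their input as arguments rather than calling the tools directly, so the parsing can be checked against captured apparmor_status and /proc output before the script is pointed at a real node.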