AppArmor Profile Authoring, Specification, and Additional Resources

Normal Pulled 7s kubelet Successfully pulled image "busybox:1.28" in 90.980331ms (91.005869ms including waiting) ``` An Event provides the error message with the reason, the specific wording is runtime-dependent: ``` Warning Failed 7s (x2 over 8s) kubelet Error: failed to get container spec opts: failed to generate apparmor spec opts: apparmor profile not found ``` ## Administration ### Setting up Nodes with profiles Kubernetes {{< skew currentVersion >}} does not provide any built-in mechanisms for loading AppArmor profiles onto Nodes. Profiles can be loaded through custom infrastructure or tools like the [Kubernetes Security Profiles Operator](https://github.com/kubernetes-sigs/security-profiles-operator). The scheduler is not aware of which profiles are loaded onto which Node, so the full set of profiles must be loaded onto every Node. An alternative approach is to add a Node label for each profile (or class of profiles) on the Node, and use a [node selector](/docs/concepts/scheduling-eviction/assign-pod-node/) to ensure the Pod is run on a Node with the required profile. ## Authoring Profiles Getting AppArmor profiles specified correctly can be a tricky business. Fortunately there are some tools to help with that: * `aa-genprof` and `aa-logprof` generate profile rules by monitoring an application's activity and logs, and admitting the actions it takes. Further instructions are provided by the [AppArmor documentation](https://gitlab.com/apparmor/apparmor/wikis/Profiling_with_tools). * [bane](https://github.com/jfrazelle/bane) is an AppArmor profile generator for Docker that uses a simplified profile language. To debug problems with AppArmor, you can check the system logs to see what, specifically, was denied. AppArmor logs verbose messages to `dmesg`, and errors can usually be found in the system logs or through `journalctl`. More information is provided in [AppArmor failures](https://gitlab.com/apparmor/apparmor/wikis/AppArmor_Failures). ## Specifying AppArmor confinement {{< caution >}} Prior to Kubernetes v1.30, AppArmor was specified through annotations. Use the documentation version selector to view the documentation with this deprecated API. {{< /caution >}} ### AppArmor profile within security context {#appArmorProfile} You can specify the `appArmorProfile` on either a container's `securityContext` or on a Pod's `securityContext`. If the profile is set at the pod level, it will be used as the default profile for all containers in the pod (including init, sidecar, and ephemeral containers). If both a pod & container AppArmor profile are set, the container's profile will be used. An AppArmor profile has 2 fields: `type` _(required)_ - indicates which kind of AppArmor profile will be applied. Valid options are: `Localhost` : a profile pre-loaded on the node (specified by `localhostProfile`). `RuntimeDefault` : the container runtime's default profile. `Unconfined` : no AppArmor enforcement. `localhostProfile` - The name of a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. This option must be provided if and only if the `type` is `Localhost`. ## {{% heading "whatsnext" %}} Additional resources: * [Quick guide to the AppArmor profile language](https://gitlab.com/apparmor/apparmor/wikis/QuickProfileLanguage) * [AppArmor core policy reference](https://gitlab.com/apparmor/apparmor/wikis/Policy_Layout)

This section covers AppArmor profile authoring tools like `aa-genprof`, `aa-logprof`, and `bane`, as well as debugging methods using system logs. It explains how to specify AppArmor confinement using the `appArmorProfile` field within the security context of either a container or a Pod, discussing the types of profiles: `Localhost`, `RuntimeDefault`, and `Unconfined`. It concludes with links to additional resources such as the AppArmor profile language guide and core policy reference.