Merge c5ff67a into 2689285

.github/workflows/build-app.yml

@@ -2,7 +2,7 @@ name: "1. Create app"
 
 on:
   push:
-    branches: [main,dev,feature/*]
+    branches: [dev,feature/*]
     paths:
       - "go/src/app/**.go"
       - Dockerfile

README.md

@@ -7,9 +7,11 @@
 - [Kapparmor](#kapparmor)
   - [Features and constraints](#features-and-constraints)
   - [Install](#install)
+  - [Known limitations](#known-limitations)
   - [Testing](#testing)
     - [How to initialize this project](#how-to-initialize-this-project)
     - [Test the app locally](#test-the-app-locally)
+    - [Test on the Kubernetes cluster](#test-on-the-kubernetes-cluster)
 - [External useful links](#external-useful-links)
 - -----
 Apparmor-loader project to deploy profiles through a kubernetes daemonset.  
@@ -41,9 +43,14 @@ This work was inspired by [kubernetes/apparmor-loader](https://github.com/kubern
 You can install the helm chart like this
 ```sh
 helm repo add tuxerrante https://tuxerrante.github.io/kapparmor
-helm upgrade kapparmor --install --atomic --timeout 30s --debug --set image.tag=dev tuxerrante/kapparmor
+helm upgrade kapparmor --install --atomic --timeout 100s --debug --set image.tag=dev tuxerrante/kapparmor
 
 ```
+
+## Known limitations
+- Profiles names are checked on the first line, so if there is some include before that would fail
+- There could be issues if you start the daemonsets on "dirty" nodes, where some old custom profiles were left after stopping or uninstalling Kapparmor. E.g: you stop the pods and then redeploy the app with an empty profiles configmap without removing the previous custom profiles: Kapparmor will try to remove the old profiles but it could fail since there is no definition of them anymore.
+
 ## Testing
 [Set up a Microk8s environment](./docs/microk8s.md).
 
@@ -90,6 +97,23 @@ docker build --quiet -t test-kapparmor --build-arg POLL_TIME=60 --build-arg PROF
 
 To test Helm chart installation in a MicroK8s cluster, follow docs/microk8s.md instructions if you don't have any local cluster.
 
+### Test on the Kubernetes cluster
+You can start a binary check inside the pod shell like this:
+```sh
+kapparmor_pod=$(kubectl get pods -l app.kubernetes.io/name=kapparmor --no-headers |grep Running |head -n1 |cut -d' ' -f1)
+kubectl exec -it $kapparmor_pod -- cat /proc/1/attr/current
+kubectl exec -it $kapparmor_pod -- cat /sys/module/apparmor/parameters/enabled
+kubectl exec -it $kapparmor_pod -- cat /sys/kernel/security/apparmor/profiles |sort
+
+# --- https://github.com/genuinetools/amicontained/releases
+export AMICONTAINED_SHA256="d8c49e2cf44ee9668219acd092ed961fc1aa420a6e036e0822d7a31033776c9f"
+curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.9/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \
+	&& echo "${AMICONTAINED_SHA256}  /usr/local/bin/amicontained" | sha256sum -c - \
+	&& chmod a+x "/usr/local/bin/amicontained"
+amicontained -h
+
+
+```
 
 
 # External useful links

charts/kapparmor/Chart.yaml

@@ -5,7 +5,7 @@ type: application
 home: https://artifacthub.io
 kubeVersion: ">= 1.23.0-0"
 
-version: "0.1.1"
+version: "0.1.2"
 appVersion: "0.1.1"
 
 keywords:

charts/kapparmor/templates/cm-profiles.yaml

@@ -2,5 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: kapparmor-profiles
+  namespace: {{ .Release.Namespace }}
 data:
 {{ (.Files.Glob "profiles/*").AsConfig | indent 2 }}

charts/kapparmor/templates/cm-settings.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: kapparmor-settings
+  namespace: {{ .Release.Namespace }}
 data:
   PROFILES_DIR: "{{ .Values.app.profiles_dir }}"
   POLL_TIME: "{{ .Values.app.poll_time }}"

charts/kapparmor/templates/daemonset.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: {{ include "kapparmor.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kapparmor.labels" . | nindent 4 }}
 spec:
@@ -48,7 +49,7 @@ spec:
               mountPath: /sys/kernel/security
             # Folder used by the app to store custom profiles definitions
             - name: etc-apparmor
-              mountPath: /etc/apparmor.d/
+              mountPath: /etc/apparmor.d/custom
 
           env:
             - name: PROFILES_DIR
@@ -69,9 +70,11 @@ spec:
         - name: profiles-kernel-path
           hostPath:
             path: /sys/kernel/security
+            type: DirectoryOrCreate
         - name: etc-apparmor
           hostPath:
-            path: /etc/apparmor.d/
+            path: /etc/apparmor.d/custom
+            type: DirectoryOrCreate
 
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/kapparmor/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "kapparmor.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kapparmor.labels" . | nindent 4 }}
 spec:

codecov.yml

@@ -0,0 +1,25 @@
+# https://docs.codecov.com/docs/codecov-yaml
+coverage:
+  # Display coverage percentage with 1 decimal point (XX.X%).
+  precision: 1
+  round: down
+  # The value range where you want the value to be green
+  range: "50..100"
+  status:
+    project:
+      default:
+        # Do not use coverage drop as a reason to mark the CI check red
+        threshold: "100%"
+    # Do not fail Github checks for patches with low coverage: treat them as informational.
+    # https://docs.codecov.com/docs/common-recipe-list#set-non-blocking-status-checks
+    patch:
+      default:
+        informational: true
+
+fixes:
+  - "github.com/tuxerrante/kapparmor/::github.com/tuxerrante/kapparmor/go/src/app/" 
+
+# Disable codecov annotations in Github files changed tab in PRs.
+# https://docs.codecov.com/docs/github-checks#disabling-github-checks-patch-annotations-via-yaml
+github_checks:
+  annotations: false

docs/microk8s.md

@@ -138,6 +138,8 @@ kubectl exec -ti $POD_NAME -- sh
 
 
 # Run a new pod for extra testing
+kubectl debug node/XXX -it --image=busybox
+# or
 kubectl run ubuntu --rm --privileged -v /lib/modules/:/lib/modules/:ro 
 ```
 

go/src/app/main.go

@@ -123,7 +123,7 @@ func loadNewProfiles() ([]string, error) {
 
 	// Execute apparmor_parser --replace --verbose filteredNewProfiles
 	log.Println("============================================================")
-	log.Println("> Apparmor replace and apply new profiles..")
+	log.Println("> Apparmor REPLACE and apply new profiles..")
 	for _, profilePath := range newProfilesToApply {
 		err := loadProfile(profilePath)
 		if err != nil {

test/pod_custom-deny-write.yml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ubuntu-custom-profile
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/ubuntu: "localhost/custom.deny-write-outside-home"
+
+spec:
+  containers:
+  - name: ubuntu
+    image: ubuntu
+    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
+    resources: {}
+    securityContext:
+      runAsUser: 0
+  restartPolicy: Always

test/pod_unconfined.yml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ubuntu-unconfined
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/ubuntu-test: unconfined
+
+spec:
+  containers:
+  - name: ubuntu-test
+    image: ubuntu
+    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
+    resources: {}
+    securityContext:
+      runAsUser: 0
+  restartPolicy: Always