How to disable AppArmor in VKS Clusters
Article ID: 439623

Products

Tanzu Kubernetes Runtime, VMware vSphere Kubernetes Service

Issue/Introduction

This knowledge base article documents how to disable AppArmor in VKS Cluster nodes.

Environment

VKS Cluster on VKR 1.35.2 and lower

Cause

AppArmor may need to be disabled in the event of bugs found in AppArmor or AppArmor profiles.

Resolution

  1. Identify the applications/pods encountering issues with AppArmor.

  2. Isolate these applications/pods to a dedicated, separate nodepool.

  3. AppArmor can be disabled with either of the following methods (1 or 2):

    1. Update the AppArmor securityContext for the affected applications:
      1. Connect to the affected VKS cluster context.

      2. Edit the securityContext (pod-level or container-level) for the affected applications so that AppArmor is unconfined:
        securityContext:
          appArmorProfile:
            type: Unconfined

    2. Deploy the attached apparmor daemonset to disable AppArmor on the isolated nodepool:
      NOTE: This is for Ubuntu nodes only.
      For airgapped environments, point containers.image in the daemonset YAML to a location for the pause image that is reachable from the cluster.

      1. Connect to the affected VKS cluster context.

      2. Ensure that the isolated nodepool from the previous step carries the label "apparmor-teardown-once=true".
        See below for an example. Replace the nodepool name and replica count accordingly (the label value is quoted so that it is stored as the string "true", not a YAML boolean):
        workers:
          machineDeployments:
          - class: node-pool
            name: <nodepool name>
            replicas: #
            variables:
              overrides:
              - name: node
                value:
                  labels:
                    apparmor-teardown-once: "true"

      3. Review and update the attached apparmor daemonset YAML.
        Edit the YAML so that the daemonset pods run only on the nodes where AppArmor should be disabled:
        • Check whether spec.tolerations need to be changed.
        • Add node affinity (spec.affinity.nodeAffinity, for example matching the apparmor-teardown-once=true label) as necessary.

      4. Apply the updated apparmor daemonset YAML from the previous step.
        kubectl apply -f apparmor-daemonset.yaml

        This YAML will create the following objects:

        • Namespace: kube-apparmor-teardown
        • Daemonset: apparmor-teardown-once
        • Pods: apparmor-teardown-once


      5. Confirm that the daemonset's apparmor-teardown-once pods reach the Running state on all intended nodes:
        kubectl get pods -n kube-apparmor-teardown -o wide

        If there are any issues deploying the apparmor-teardown-once pods, describe the daemonset and its pods to find the cause.
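The check in step 5 is easy to get wrong on a larger cluster: a pod on an unlabeled node means the tolerations or affinity are too broad (AppArmor would be torn down on a node that should keep it), and a labeled node without a Running pod means the teardown has not happened there. The following script is an added example, not part of this article or of the attached daemonset; it compares `kubectl get nodes -o json` against `kubectl get pods -n kube-apparmor-teardown -o json` and reports labeled nodes without a pod, pods that are not Running, and pods that landed on nodes without the label. The node and pod JSON embedded below is constructed sample data in the shape of that kubectl output; the file-argument handling in `main` is an assumption about how you would feed it real output.

```python
import json
import sys

LABEL = "apparmor-teardown-once"
LABEL_VALUE = "true"
NAMESPACE = "kube-apparmor-teardown"

# Constructed sample data (only the fields this check reads), shaped like
# `kubectl get nodes -o json`. worker-c is outside the isolated nodepool,
# worker-d is labeled but has no daemonset pod yet.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "worker-a", "labels": {LABEL: LABEL_VALUE}}},
    {"metadata": {"name": "worker-b", "labels": {LABEL: LABEL_VALUE}}},
    {"metadata": {"name": "worker-c", "labels": {}}},
    {"metadata": {"name": "worker-d", "labels": {LABEL: LABEL_VALUE}}},
]})

# Constructed sample data shaped like `kubectl get pods -n kube-apparmor-teardown -o json`.
# The pod on worker-c should not exist (tolerations/affinity too broad);
# the pod on worker-b is still Pending.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "apparmor-teardown-once-a1"},
     "spec": {"nodeName": "worker-a"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "apparmor-teardown-once-b2"},
     "spec": {"nodeName": "worker-b"}, "status": {"phase": "Pending"}},
    {"metadata": {"name": "apparmor-teardown-once-c3"},
     "spec": {"nodeName": "worker-c"}, "status": {"phase": "Running"}},
]})


def labeled_nodes(nodes_json, label=LABEL, value=LABEL_VALUE):
    """Names of nodes carrying label=value, i.e. the nodes where AppArmor is meant to be disabled."""
    nodes = json.loads(nodes_json)
    return sorted(
        n["metadata"]["name"]
        for n in nodes["items"]
        if n["metadata"].get("labels", {}).get(label) == value
    )


def pods_by_node(pods_json):
    """Map node name -> pod phase for every scheduled pod in the daemonset namespace output."""
    pods = json.loads(pods_json)
    placed = {}
    for p in pods["items"]:
        node = p.get("spec", {}).get("nodeName")
        if node:  # unscheduled pods have no nodeName yet
            placed[node] = p.get("status", {}).get("phase", "Unknown")
    return placed


def check_coverage(nodes_json, pods_json):
    """Compare intended nodes with where the teardown pods actually are.

    missing:     labeled nodes with no teardown pod (AppArmor still enforced there)
    not_running: labeled nodes whose pod exists but is not in the Running phase
    unexpected:  pods on nodes without the label (scope of the daemonset is too wide)
    """
    targets = set(labeled_nodes(nodes_json))
    placed = pods_by_node(pods_json)
    missing = sorted(targets - set(placed))
    not_running = sorted(n for n, phase in placed.items() if n in targets and phase != "Running")
    unexpected = sorted(n for n in placed if n not in targets)
    return {
        "missing": missing,
        "not_running": not_running,
        "unexpected": unexpected,
        "ok": not (missing or not_running or unexpected),
    }


def main(argv):
    # Assumed usage: python3 check_teardown.py nodes.json pods.json
    # where the files hold the two kubectl -o json outputs; with no
    # arguments the constructed sample above is used.
    if len(argv) == 3:
        with open(argv[1]) as f:
            nodes = f.read()
        with open(argv[2]) as f:
            pods = f.read()
    else:
        nodes, pods = NODES_JSON, PODS_JSON
    result = check_coverage(nodes, pods)
    print(json.dumps(result, indent=2))
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the daemonset is not yet in the state step 5 asks for; "unexpected" entries point back to step 3 (tolerations or node affinity), "missing" and "not_running" entries are what `kubectl describe` on the daemonset and its pods should explain.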

Attachments

apparmor-daemonset.yaml