{"id":21392140,"url":"https://github.com/sysdiglabs/kube-apparmor-manager","last_synced_at":"2025-07-13T18:30:55.865Z","repository":{"id":41278683,"uuid":"252242744","full_name":"sysdiglabs/kube-apparmor-manager","owner":"sysdiglabs","description":"Manage AppArmor profiles for Kubernetes cluster","archived":false,"fork":false,"pushed_at":"2023-10-11T21:03:45.000Z","size":156,"stargazers_count":39,"open_issues_count":6,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-16T01:23:06.356Z","etag":null,"topics":["apparmor","k8s","prevention","security"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-01T17:29:48.000Z","updated_at":"2024-11-13T15:27:44.000Z","dependencies_parsed_at":"2024-06-19T11:16:25.636Z","dependency_job_id":"87391891-d2fc-4c48-b852-40d428914083","html_url":"https://github.com/sysdiglabs/kube-apparmor-manager","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-apparmor-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-apparmor-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-apparmor-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fkube-apparmor-ma
nager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/kube-apparmor-manager/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225908222,"owners_count":17543468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor","k8s","prevention","security"],"created_at":"2024-11-22T13:39:17.107Z","updated_at":"2024-11-22T13:39:17.812Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Go","readme":"# kube-apparmor-manager\nManage AppArmor profiles for a Kubernetes cluster\n\n## Behind the Scenes\n- The `AppArmorProfile` CRD is installed in the cluster, and `AppArmorProfile` objects are stored in etcd like any other Kubernetes resource.\n- The actual AppArmor profiles are created (or updated) on every worker node by synchronizing the nodes with the `AppArmorProfile` objects.\n\n### AppArmorProfile Object Explained\n```\napiVersion: crd.security.sysdig.com/v1alpha1\nkind: AppArmorProfile\nmetadata:\n  name: apparmorprofile-sample\nspec:\n  rules: |\n    # The profile is default deny: only what the allow rules below permit is allowed.\n    # List the allow rules here, one per line.\n\n    # allow a few read/write activities\n    allow /etc/* r,\n    allow /tmp/* rw,\n\n    # allow execution of a few commands\n    allow /bin/echo mrix,\n    allow /bin/sleep mrix,\n    allow /bin/cat mrix,\n  enforced: true # true sets the profile to enforce mode, false to complain mode\n```\n\n## Install as a Krew Plugin\n\nFollow the [instructions](https://github.com/kubernetes-sigs/krew#installation) to install `krew`. Then run the following command:\n\n```\nkubectl krew install apparmor-manager\n```\n\nThe plugin will be available as `kubectl apparmor-manager`.\n\n## Configure Environment\n- `SSH_USERNAME`: SSH username to access worker nodes (default: admin)\n- `SSH_PERM_FILE`: SSH private key to access worker nodes (default: $HOME/.ssh/id_rsa)\n- `SSH_PASSPHRASE`: SSH passphrase (only applicable if the private key is passphrase protected)\n\nThe tool connects to each worker node over SSH (port 22 on the node's external IP, as the sync output below shows) and writes into `/etc/apparmor.d`, so the SSH user needs privileges sufficient for that and for running `aa-enforce`.\n\n## Usage\n```\nUsage:\n  kube-apparmor-manager [command]\n\nAvailable Commands:\n  enabled     Check AppArmor status on worker nodes\n  enforced    Check AppArmor profile enforcement status on worker nodes\n  help        Help about any command\n  init        Install CRD in the cluster and AppArmor services on worker nodes\n  sync        Synchronize the AppArmor profiles from the Kubernetes database (etcd) to worker nodes\n```\n\n## Example Output\n\n### AppArmor enabled status\n```\n$ ./kube-apparmor-manager enabled\n+-------------------------------+---------------+----------------+--------+------------------+\n|           NODE NAME           |  INTERNAL IP  |  EXTERNAL IP   |  ROLE  | APPARMOR ENABLED |\n+-------------------------------+---------------+----------------+--------+------------------+\n| ip-172-20-45-132.ec2.internal | 172.20.45.132 | 54.91.xxx.xx   | master | false            |\n| ip-172-20-54-2.ec2.internal   | 172.20.54.2   | 54.82.xx.xx    | node   | true             |\n| ip-172-20-58-7.ec2.internal   | 172.20.58.7   | 18.212.xxx.xxx | node   | true             |\n+-------------------------------+---------------+----------------+--------+------------------+\n```\n\n### AppArmor enforced profiles\n```\n$ ./kube-apparmor-manager enforced\n+-------------------------------+--------+------------------------------------------------------+\n|           NODE NAME           |  ROLE  |                  ENFORCED PROFILES                   |\n+-------------------------------+--------+------------------------------------------------------+\n| ip-172-20-45-132.ec2.internal | master |                                                      |\n| ip-172-20-54-2.ec2.internal   | node   | /usr/sbin/ntpd,apparmorprofile-sample,docker-default |\n| ip-172-20-58-7.ec2.internal   | node   | /usr/sbin/ntpd,apparmorprofile-sample,docker-default |\n+-------------------------------+--------+------------------------------------------------------+\n```\n\n### Sync\n\nWhenever an `AppArmorProfile` object is created or changed, run `sync` to push the profiles to all worker nodes; nothing is applied on the nodes until `sync` runs.\n```\n$ ./kube-apparmor-manager sync\n**** Host: 54.82.xx.xx:22 ****\n** Execute command: echo 'profile apparmorprofile-sample flags=(attach_disconnected) {\n\tallow /etc/* r,\n\tallow /tmp/* rw,\n\tallow /bin/echo mrix,\n\tallow /bin/sleep mrix,\n\tallow /bin/cat mrix,\n}' \u003e /tmp/apparmorprofile-sample **\n\n** Execute command: mv /tmp/apparmorprofile-sample /etc/apparmor.d/apparmorprofile-sample **\n\n**** Host: 54.82.xx.xx:22 ****\n** Execute command: aa-enforce /etc/apparmor.d/apparmorprofile-sample **\nSetting /etc/apparmor.d/apparmorprofile-sample to enforce mode.\n\n**** Host: 18.212.xxx.xxx:22 ****\n** Execute command: echo 'profile apparmorprofile-sample flags=(attach_disconnected) {\n\tallow /etc/* r,\n\tallow /tmp/* rw,\n\tallow /bin/echo mrix,\n\tallow /bin/sleep mrix,\n\tallow /bin/cat mrix,\n}' \u003e /tmp/apparmorprofile-sample **\n\n** Execute command: mv /tmp/apparmorprofile-sample /etc/apparmor.d/apparmorprofile-sample **\n\n**** Host: 18.212.xxx.xxx:22 ****\n** Execute command: aa-enforce /etc/apparmor.d/apparmorprofile-sample **\nSetting /etc/apparmor.d/apparmorprofile-sample to enforce mode.\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-apparmor-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fkube-apparmor-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fkube-apparmor-manager/lists"}
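The README above explains two things in words: the shape of an `AppArmorProfile` object (free-form `spec.rules` plus an `enforced` flag) and what `sync` does with it on each node (write the profile text into `/etc/apparmor.d` and switch its mode with `aa-enforce`). The Go program below is an added example, not code from the kube-apparmor-manager project, that reproduces both steps as pure functions so they can be checked offline: `RenderProfile` turns the CRD rules into the exact profile text the sync output shows, and `SyncCommands` produces the three per-node commands. The struct names, the validation (rules must end with a comma; a rule containing a single quote is rejected because the visible sync step passes the profile to a shell inside `'...'`), and the use of `aa-complain` for `enforced: false` (the README only shows `aa-enforce`) are this example's own assumptions; the sample object is constructed from the README's `apparmorprofile-sample`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AppArmorProfileSpec mirrors the spec fields of the AppArmorProfile CRD
// (crd.security.sysdig.com/v1alpha1): free-form rule text plus the enforced flag.
type AppArmorProfileSpec struct {
	Rules    string
	Enforced bool
}

// AppArmorProfile is the minimal view of the object this example needs.
// These struct names are this example's own, not the project's Go types.
type AppArmorProfile struct {
	Name string
	Spec AppArmorProfileSpec
}

// RenderProfile turns spec.rules into the on-node profile text in the shape the
// README's sync output shows:
//
//	profile <name> flags=(attach_disconnected) {
//		<rule>
//	}
//
// Blank lines and # comments from the CRD are dropped. Every remaining rule must
// end with a comma (the AppArmor rule terminator). Because the sync step hands
// the text to a shell inside a single-quoted string, a rule containing a single
// quote is rejected here instead of being allowed to break out of that string.
func RenderProfile(p AppArmorProfile) (string, error) {
	if p.Name == "" || strings.ContainsAny(p.Name, " /'\"\t\n") {
		return "", fmt.Errorf("invalid profile name %q", p.Name)
	}
	var rules []string
	for _, line := range strings.Split(p.Spec.Rules, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasSuffix(line, ",") {
			return "", fmt.Errorf("rule %q is not terminated by a comma", line)
		}
		if strings.Contains(line, "'") {
			return "", fmt.Errorf("rule %q contains a single quote", line)
		}
		rules = append(rules, "\t"+line)
	}
	if len(rules) == 0 {
		return "", errors.New("profile has no rules")
	}
	return fmt.Sprintf("profile %s flags=(attach_disconnected) {\n%s\n}", p.Name, strings.Join(rules, "\n")), nil
}

// SyncCommands returns the per-node command sequence the sync output shows:
// stage the file under /tmp, move it into /etc/apparmor.d, then set the mode.
// The README only shows aa-enforce; using aa-complain for enforced: false is
// this example's assumption.
func SyncCommands(p AppArmorProfile) ([]string, error) {
	profile, err := RenderProfile(p)
	if err != nil {
		return nil, err
	}
	tmp := "/tmp/" + p.Name
	dst := "/etc/apparmor.d/" + p.Name
	mode := "aa-complain"
	if p.Spec.Enforced {
		mode = "aa-enforce"
	}
	return []string{
		fmt.Sprintf("echo '%s' > %s", profile, tmp),
		fmt.Sprintf("mv %s %s", tmp, dst),
		fmt.Sprintf("%s %s", mode, dst),
	}, nil
}

// SampleProfile is the apparmorprofile-sample object from the README,
// constructed here as sample input.
func SampleProfile() AppArmorProfile {
	return AppArmorProfile{
		Name: "apparmorprofile-sample",
		Spec: AppArmorProfileSpec{
			Rules:    "# allow a few read/write activities\nallow /etc/* r,\nallow /tmp/* rw,\n\n# allow execution of a few commands\nallow /bin/echo mrix,\nallow /bin/sleep mrix,\nallow /bin/cat mrix,\n",
			Enforced: true,
		},
	}
}

func main() {
	cmds, err := SyncCommands(SampleProfile())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range cmds {
		fmt.Printf("** Execute command: %s **\n\n", c)
	}
}
```

Running it prints the same three commands the README's sync output shows for one host. Two things worth keeping in mind that the README does not spell out: a profile that is loaded and enforced on a node is only applied to a container that references it (in Kubernetes that is done from the pod spec, by the `container.apparmor.security.beta.kubernetes.io/<container>: localhost/<profile>` annotation or, on newer clusters, `securityContext.appArmorProfile`; this is general Kubernetes behaviour, not something the page states), and the `enabled` table shows that a node with AppArmor disabled will simply not enforce anything, so check that output before trusting the `enforced` listing.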