felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add missing volumes

Browse source
This commit is contained in:
Jeroen Rijken 2022-07-23 15:28:07 +02:00 committed by Alex
parent 07f1db2725
commit e6525e1f04
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/virt/k3s
View file

@ -26,8 +26,7 @@ profile k3s @{exec_path} flags=(complain) {
capability sys_resource, capability sys_resource,
ptrace peer=@{profile_name}, ptrace peer=@{profile_name},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,unconfined}, ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
ptrace (read) peer=mount,
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
@ -42,8 +41,11 @@ profile k3s @{exec_path} flags=(complain) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
mount -> /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/}, umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
umount /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
signal (send, receive) set=term, signal (send, receive) set=term,
signal (send) set=kill peer=unconfined, signal (send) set=kill peer=unconfined,