Initial support for k3s

2025-01-29 22:35:15 +01:00 · 2022-07-18 17:56:52 +02:00 · 2022-07-18 17:56:52 +02:00 · 463da2a8f4
commit 463da2a8f4
parent 8fda216cc2
1 changed files with 177 additions and 0 deletions
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -0,0 +1,177 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{local/,}bin/k3s
+profile k3s @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/ssl_certs>
+  include <abstractions/nameservice-strict>
+  include <abstractions/disks-read>
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability syslog,
+  capability sys_admin,
+  capability sys_resource,
+
+  ptrace peer=@{profile_name},
+  ptrace (read) peer=unconfined,
+
+  network inet    dgram,
+  network inet6   dgram,
+  network inet    stream,
+  network inet6   stream,
+  network netlink raw,
+
+  mount  /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+  umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
+
+  signal (send, receive) set=term,
+
+  @{exec_path} mr,
+  /{usr/,}bin/kmod rPx,
+  /{usr/,}bin/mount rPx,
+  /{usr/,}bin/systemd-run rix,
+
+  # Does not seem to work.
+  # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04
+  /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi,
+  /etc/alternatives/iptables rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/iptables-legacy rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+  /{usr/,}{s,}bin/iptables-save rPx -> xtables-nft-multi,
+  /etc/alternatives/iptables-save rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/iptables-legacy-save rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+  /{usr/,}{s,}bin/iptables-restore rPx -> xtables-nft-multi,
+  /etc/alternatives/iptables-restore rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
+  /{usr/,}{s,}bin/xtables-nft-multi rPx,
+
+  /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
+  /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
+
+  /usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r,
+  /usr/share/mime/globs2 r,
+
+  /etc/machine-id            r,
+  /etc/rancher/k3s/{,**}     r,
+  /etc/rancher/k3s/k3s.yaml  rw,
+  /etc/rancher/node/password r,
+
+  /var/lib/rancher/k3s/{,**}        r,
+  /var/lib/rancher/k3s/agent/**     rw,
+  /var/lib/rancher/k3s/server/**    rw,
+  /var/lib/rancher/k3s/server/db/** rwk,
+
+  # k3s want's to basically manage all directories and create some specific files.
+  /var/lib/kubelet/{,**/} rw,
+  /var/lib/kubelet/{cpu_manager_state,memory_manager_state} r,
+  /var/lib/kubelet/device-plugins/{,DEPRECATION,kubelet.sock} rw,
+  /var/lib/kubelet/pod-resources/{kubelet.sock,[0-9]*} rw,
+  /var/lib/kubelet/pods/@{uuid}/containers/*/[0-9a-f]* rw,
+  /var/lib/kubelet/pods/@{uuid}/etc-hosts rw,
+  /var/lib/kubelet/pods/@{uuid}/plugins/kubernetes.io~*/{,**} rw,
+  /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**} rw,
+  /var/lib/kubelet/pods/@{uuid}/**/ca.crt rw,
+  /var/lib/kubelet/pods/@{uuid}/**/namespace rw,
+  /var/lib/kubelet/pods/@{uuid}/**/token rw,
+
+  /var/log/containers/         r,
+  /var/log/containers/**       rw,
+  /var/log/rancher/{,**}       r,
+  /var/log/kubelet/{,**}       r,
+  /var/log/kubernetes/{,**}    r,
+  /var/log/kubernetes/audit/** rw,
+  /var/log/pods/{,**}          r,
+  /var/log/pods/{,**/}         rw,
+  /var/log/pods/**/[0-9]*.log  rw,
+
+  @{HOME}/.kube/cache/discovery/{,**}         rw,
+  @{HOME}/.kube/cache/http/[0-9a-z]*          rw,
+  @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
+
+  @{run}/containerd/containerd.sock rw,
+  @{run}/systemd/notify w,
+  @{run}/systemd/private rw,
+  @{run}/systemd/resolve/resolv.conf r,
+  @{run}/nodeagent/ rw,
+  @{run}/xtables.lock rwk,
+
+  /var/tmp/etilqs_* rw,
+
+  owner @{PROC}/@{pids}/cgroup              r,
+  owner @{PROC}/@{pids}/cpuset              r,
+  owner @{PROC}/@{pids}/mounts              r,
+  owner @{PROC}/@{pids}/mountinfo           r,
+        @{PROC}/@{pids}/net/dev             r,
+        @{PROC}/@{pids}/net/ip_tables_names r,
+  owner @{PROC}/@{pids}/net/ipv6_route      r,
+  owner @{PROC}/@{pids}/net/route           r,
+  owner @{PROC}/@{pids}/oom_score_adj       rw,
+  owner @{PROC}/@{pids}/stat                r,
+  owner @{PROC}/@{pids}/uid_map             r,
+  
+        @{PROC}/diskstats                   r,
+        @{PROC}/modules                     r,
+        @{PROC}/sys/fs/pipe-max-size        r,
+        @{PROC}/sys/net/core/somaxconn      r,
+        @{PROC}/sys/net/ipv4/conf/all/*     rw,
+        @{PROC}/sys/net/ipv4/conf/default/* rw,
+        @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
+        @{PROC}/sys/net/netfilter/*         rw,
+        @{PROC}/sys/kernel/keys/*           r,
+        @{PROC}/sys/kernel/panic            rw,
+        @{PROC}/sys/kernel/panic_on_oom     rw,
+        @{PROC}/sys/kernel/panic_on_oops    rw,
+        @{PROC}/sys/kernel/pid_max          r,
+        @{PROC}/sys/kernel/osrelease        r,
+        @{PROC}/sys/vm/overcommit_memory    rw,
+        @{PROC}/sys/vm/panic_on_oom         r,
+
+  @{sys}/class/net/ r,
+  
+  @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r,
+  @{sys}/devices/system/edac/mc/ r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+  @{sys}/devices/system/node/node[0-9]*/hugepages/ r,
+  @{sys}/devices/system/node/node[0-9]*/hugepages/hugepages-*/nr_hugepages r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/topology/core_id r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/topology/physical_package_id r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/cache/ r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/{id,size,level,type,shared_cpu_map} r,
+  @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+
+  @{sys}/fs/cgroup/{,*,*/} r,
+  @{sys}/fs/cgroup/cgroup.subtree_control rw,
+  @{sys}/fs/cgroup/kubepods/{,**} rw,
+  @{sys}/fs/cgroup/system.slice/{,**/} r,
+  @{sys}/fs/cgroup/system.slice/k3s.service/* r,
+  @{sys}/fs/cgroup/user.slice/ r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-[0-9]*.scope/{,**/} r,
+
+  @{sys}/kernel/mm/hugepages/ r,
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
+
+  @{sys}/module/apparmor/parameters/enabled r,
+
+  /dev/kmsg r,
+
+  include if exists <local/k3s>
+}