mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add missing volumes

Browse Source
This commit is contained in:
Jeroen Rijken 2022-07-23 15:28:07 +02:00 committed by Alex
parent 07f1db2725
commit e6525e1f04
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apparmor.d/groups/virt/k3s
View File

@ -26,8 +26,7 @@ profile k3s @{exec_path} flags=(complain) {
capability sys_resource,
ptrace peer=@{profile_name},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,unconfined},
ptrace (read) peer=mount,
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
@ -42,8 +41,11 @@ profile k3s @{exec_path} flags=(complain) {
network inet6 stream,
network netlink raw,
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
mount -> /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
mount -> /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
umount /var/lib/kubelet/pods/@{uuid}/volume-subpaths/{,**},
signal (send, receive) set=term,
signal (send) set=kill peer=unconfined,