AppArmor support

[timstclair]

Description

Add AppArmor support to Kubernetes. Initial support should include the ability to specify an AppArmor profile for a container or pod in the API, and have that profile applied by the container runtime.

Progress Tracker

• Before Alpha
  • Design Approval
    • Design Proposal. This goes under docs/proposals. Doing a proposal as a PR allows line-by-line commenting from community, and creates the basis for later design documentation. Paste link to merged design proposal here: AppArmor design proposal kubernetes#29168
    • Initial API review (if API). Maybe same PR as design doc. AppArmor design proposal kubernetes#29168
      • Any code that changes an API (/pkg/apis/...)
      • cc @kubernetes/api
  • Write (code + tests + docs) then get them merged. Add AppArmor validation logic kubernetes#29812 Implement AppArmor Kubelet support kubernetes#30118 Validate AppArmor annotations in the API server kubernetes#30722 AppArmor PodSecurityPolicy support kubernetes#30183 Increase the AppArmor pod stop timeout to match the start timeout kubernetes#31314 Add AppArmor feature gate kubernetes#31473 [AppArmor] Promote AppArmor annotations to beta kubernetes#31471 Include security options in the container created event kubernetes#31557 AppArmor was flipped to beta, update feature gate kubernetes#31625 Append "AppArmor enabled" to the Node ready condition message kubernetes#31659
    • Code needs to be disabled by default. Verified by code OWNERS
      AppArmor is enabled by default, but gated by a feature-gate: Add AppArmor feature gate kubernetes#31473
    • Minimal testing
    • Minimal docs - AppArmor documentation website#1147
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
      • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
    • Update release notes
• Before Beta [AppArmor] Promote AppArmor annotations to beta kubernetes#31471
  • Testing is sufficient for beta
  • User docs with tutorials - AppArmor documentation website#1147
    • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
    • cc @kubernetes/docs on docs PR
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Thorough API review
    • cc @kubernetes/api
• Before Stable (1.34)
  • KEPS
    • KEP-24: Promote Apparmor to GA #3298
    • KEP-24: Promote AppArmor to GA #4417
  • PRs
    • AppArmor fields API kubernetes#123435
    • Apparmor cleanup kubernetes#131989
  • Soak, load testing
  • detailed user docs and examples
    • cc @kubernetes/docs
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: BETA

More advice:

Design

• Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

• Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
• As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
  and sometimes http://github.com/kubernetes/contrib, or other repos.
• When you are done with the code, apply the "code-complete" label.
• When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
  check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
  testing. They won't do detailed code review: that already happened when your PRs were reviewed.
  When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

• Write user docs and get them merged in.
• User docs go into http://github.com/kubernetes/kubernetes.github.io.
• When the feature has user docs, please add a comment mentioning @kubernetes/docs.
• When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

---

Remaining work, copied from the KEP (https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/24-apparmor/README.md#removing-annotation-support)

• Phase 1 (v1.30): AppArmor field support merged (AppArmor fields API kubernetes#123435)
  • Sync annotations & fields on Pod create (version skew strategy described above)
  • Warn on annotation use, if field isn't set
  • Kubelet copies static pod annotations to fields
• Phase 2 (v1.34):
  • API server stops copying fields to annotations
  • Warn on ALL annotation use
  • Risk: policy controllers that don't consider field values
• Phase 3 (v1.36): End state
  • API server stops copying annotations to fields
  • Kubelet stops copying annotations to fields for static pods
  • Validation that annotations & fields match persists indefinitely
  • Risk: workloads that haven't migrated

[timstclair]

Original issue here: kubernetes/kubernetes#22159

[janetkuo]

@timstclair it looks like the docs PR number is outdated. Please update the PR number and check the docs box once it's done

[timstclair]

Fixed. Thanks @janetkuo !

[timstclair]

Docs kubernetes/website#1147 - @kubernetes/docs