
fix: improve k3s AppArmor profile with comprehensive permissions #26

Merged: sbaerlocher merged 2 commits into main from fix/improve-k3s-apparmor-profile, Jan 15, 2026


Conversation

@sbaerlocher (Member)

Summary

Enhances the K3s AppArmor profile with comprehensive permissions required for full K3s functionality, and disables it by default due to complexity.

Changes

AppArmor Profile Enhancements

Additional Capabilities:

  • sys_chroot - Container namespace operations
  • sys_ptrace - Process tracing for containerd
  • dac_override - File access control override

Subprocess Execution:

  • /usr/sbin/xtables-nft-multi - iptables/nftables management
  • /usr/sbin/nft - nftables operations
  • /usr/sbin/modprobe - Kernel module loading

Expanded File Access:

  • /proc/sys/** - Full system parameter access (was /proc/sys/net/**)
  • /sys/** - Full sysfs access (was /sys/fs/cgroup/**)
  • /var/lib/rancher/k3s/** rwixk - Added k flag for file locking
  • /etc/rancher/node/** - Node configuration access
  • /run/** and /var/run/** - Runtime files

Process Information:

  • /proc/*/stat, /proc/*/cpuset, /proc/*/mountinfo, /proc/*/cgroup
  • /proc/sys/fs/pipe-max-size
  • /etc/machine-id
  • /sys/devices/virtual/dmi/id/product_uuid

Additional Permissions:

  • ptrace (read) - Required for containerd process management

Configuration Change

  • Changed k3s_apparmor_profile default from true to false
  • Added explanatory comment about complexity of AppArmor with K3s
  • Users can enable if needed for their specific security requirements

Rationale

K3s performs many low-level system operations that are difficult to whitelist correctly in AppArmor:

  • Dynamic container lifecycle management
  • Network configuration via iptables/nftables
  • Kernel module loading for networking and storage
  • Process tracing for container runtime
  • File locking for etcd and cluster state

The enhanced profile supports these operations, but is disabled by default to prevent operational issues. Users with strict security requirements can enable it after testing in their environment.

Test Plan

  • AppArmor profile syntax validated
  • Comprehensive permissions added for K3s operations
  • Default changed to disabled with explanatory comment
  • Manual testing: Enable profile and verify K3s functionality
  • Manual testing: Verify no AppArmor denials in audit logs

🤖 Generated with Claude Code
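One way to carry out the last test-plan step (checking the audit log for AppArmor denials) while also seeing how each kind of denial maps onto the rule syntax the profile uses (capability, file mask including the `k` lock flag, exec, ptrace). This is an added Python example, not code from the PR or the repository. It assumes kernel audit records in the standard `type=AVC ... apparmor="DENIED" ...` key=value format; the log lines, the profile name `k3s`, the paths and the PIDs below are constructed samples.

```python
"""Summarize AppArmor denials for one profile and turn them into candidate rules."""
import re
from collections import Counter

# Constructed sample audit records (not taken from the PR or from any real host).
# The same key=value layout appears in /var/log/audit/audit.log and in dmesg/journal.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1705312345.123:101): apparmor="DENIED" operation="open" profile="k3s" name="/proc/sys/kernel/hostname" pid=1201 comm="k3s-server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1705312345.456:102): apparmor="DENIED" operation="capable" profile="k3s" pid=1201 comm="k3s-server" capability=18  capname="sys_chroot"
type=AVC msg=audit(1705312346.001:103): apparmor="DENIED" operation="exec" profile="k3s" name="/usr/sbin/nft" pid=1344 comm="k3s" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1705312346.002:104): apparmor="DENIED" operation="file_lock" profile="k3s" name="/var/lib/rancher/k3s/server/db/state.db" pid=1201 comm="k3s-server" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1705312346.500:105): apparmor="DENIED" operation="ptrace" profile="k3s" pid=1390 comm="containerd" requested_mask="read" denied_mask="read" peer="k3s"
type=AVC msg=audit(1705312347.000:106): apparmor="DENIED" operation="open" profile="k3s" name="/proc/sys/kernel/hostname" pid=1201 comm="k3s-server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1705312347.100:107): apparmor="ALLOWED" operation="open" profile="k3s" name="/etc/machine-id" pid=1201 comm="k3s-server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1705312347.200:108): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="k3s" pid=900 comm="apparmor_parser"
type=AVC msg=audit(1705312347.300:109): apparmor="DENIED" operation="open" profile="nginx" name="/etc/shadow" pid=2000 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# Matches key="quoted value" or key=bare_value pairs in an audit record.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# File permission letters in the order AppArmor rules conventionally list them.
# Log masks may also contain c (create) and d (delete); a rule expresses those as w.
_MASK_ORDER = "rwamlk"
_MASK_ALIASES = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return the record's fields as a dict, or None for lines that are not AppArmor records."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _KV_RE.findall(line)}


def _file_mask(denied_mask):
    """Normalize a logged denied_mask into the permission string a file rule would carry."""
    letters = {_MASK_ALIASES.get(ch, ch) for ch in denied_mask}
    ordered = "".join(ch for ch in _MASK_ORDER if ch in letters)
    # Execute needs a transition qualifier; ix (inherit) keeps the child under the same profile.
    if "x" in letters:
        ordered += "ix"
    return ordered


def suggest_rule(event):
    """Map one denial record to the AppArmor rule that would permit exactly that access."""
    op = event.get("operation", "")
    if op == "capable":
        return f"capability {event['capname']},"
    if op == "ptrace":
        return f"ptrace ({event['denied_mask']}) peer={event['peer']},"
    if op == "exec":
        return f"{event['name']} ix,"
    if "name" in event and "denied_mask" in event:
        return f"{event['name']} {_file_mask(event['denied_mask'])},"
    return f"# unhandled operation={op}"


def profile_events(log_text, profile):
    """Yield records for `profile` that were denied (enforce) or would have been (complain)."""
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("profile") == profile and rec.get("apparmor") in ("DENIED", "ALLOWED"):
            yield rec


def has_enforce_denials(log_text, profile):
    """The test-plan check: True if the log holds any enforce-mode denial for `profile`."""
    return any(rec["apparmor"] == "DENIED" for rec in profile_events(log_text, profile))


def candidate_rules(log_text, profile):
    """Return [(rule, count, mode)] with repeated denials collapsed, most frequent first."""
    counts = Counter()
    mode = {}
    for rec in profile_events(log_text, profile):
        rule = suggest_rule(rec)
        counts[rule] += 1
        mode[rule] = "complain" if rec["apparmor"] == "ALLOWED" else "enforce"
    return [(rule, n, mode[rule]) for rule, n in counts.most_common()]


if __name__ == "__main__":
    print("enforce-mode denials for k3s:", has_enforce_denials(SAMPLE_AUDIT_LOG, "k3s"))
    for rule, n, mode in candidate_rules(SAMPLE_AUDIT_LOG, "k3s"):
        print(f"{n:3d}x [{mode:8}] {rule}")
```

Records with `apparmor="ALLOWED"` come from complain mode, which is the state to test the profile in before enforcing it: the access goes through but is logged as it would have been denied, so the same summary shows what the profile is still missing without breaking the cluster. The suggested rules are deliberately literal (one path, one mask); widening them into globs such as `/proc/sys/**` is a judgement the reviewer makes, not something a script should do.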

- Set k3s_config_dir to mode 0700 during initial creation in main.yml
- Remove redundant permission setting in security.yml
- Fixes idempotency issue where permissions were changed on every run

Previously, the directory was created with 0755 in main.yml and then
changed to 0700 in security.yml, causing the task to always report
'changed' status even when no actual changes were needed.

AppArmor Profile Enhancements:
- Add sys_chroot, sys_ptrace, dac_override capabilities for container operations
- Add xtables-nft-multi, nft, modprobe subprocess execution permissions
- Expand proc/sys access from net/** to ** for full system parameter access
- Add file locking (k flag) to k3s data directory for proper lock handling
- Add /etc/rancher/node/** access for node configuration
- Add detailed process and system info access (/proc/*/stat, cpuset, mountinfo, etc.)
- Add /run/** and /var/run/** access for runtime files
- Add ptrace (read) permission for containerd process management
- Add comprehensive comments for each permission section

Configuration Change:
- Disable AppArmor profile by default (k3s_apparmor_profile: false)
- K3s requires many system operations that are complex to whitelist correctly
- Users can enable with detailed profile if needed for their environment

This profile now supports full K3s functionality including:
- Container lifecycle management
- Network configuration (iptables/nftables)
- Kernel module loading
- Process tracing and monitoring
- File locking for etcd and other components
@sbaerlocher sbaerlocher merged commit d74fef5 into main Jan 15, 2026
16 checks passed