kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

trying to fix line breaks in raw blocks in list (#4997) 

Lets see on deploy preview if adding block type helps.
pull/5021/head
Vladimir Rutsky 2017-08-17 22:42:13 +02:00 committed by Steve Perry
parent cf8b1bc6f7
commit fd1704e2c9
1 changed files with 32 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
docs/tutorials/clusters/apparmor.md
View File

@ -44,59 +44,59 @@ Make sure:
will **silently ignore** any AppArmor settings that are provided. To ensure that your Pods are will **silently ignore** any AppArmor settings that are provided. To ensure that your Pods are
receiving the expected protections, it is important to verify the Kubelet version of your nodes: receiving the expected protections, it is important to verify the Kubelet version of your nodes:
``` ```shell
$ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}' $ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}'
gke-test-default-pool-239f5d02-gyn2: v1.4.0 gke-test-default-pool-239f5d02-gyn2: v1.4.0
gke-test-default-pool-239f5d02-x1kf: v1.4.0 gke-test-default-pool-239f5d02-x1kf: v1.4.0
gke-test-default-pool-239f5d02-xwux: v1.4.0 gke-test-default-pool-239f5d02-xwux: v1.4.0
``` ```
2. AppArmor kernel module is enabled -- For the Linux kernel to enforce an AppArmor profile, the 2. AppArmor kernel module is enabled -- For the Linux kernel to enforce an AppArmor profile, the
AppArmor kernel module must be installed and enabled. Several distributions enable the module by AppArmor kernel module must be installed and enabled. Several distributions enable the module by
default, such as Ubuntu and SUSE, and many others provide optional support. To check whether the default, such as Ubuntu and SUSE, and many others provide optional support. To check whether the
module is enabled, check the `/sys/module/apparmor/parameters/enabled` file: module is enabled, check the `/sys/module/apparmor/parameters/enabled` file:
``` ```shell
$ cat /sys/module/apparmor/parameters/enabled $ cat /sys/module/apparmor/parameters/enabled
Y Y
``` ```
If the Kubelet contains AppArmor support (>= v1.4), it will refuse to run a Pod with AppArmor If the Kubelet contains AppArmor support (>= v1.4), it will refuse to run a Pod with AppArmor
options if the kernel module is not enabled. options if the kernel module is not enabled.
**Note:** Ubuntu carries many AppArmor patches that have not been merged into the upstream Linux **Note:** Ubuntu carries many AppArmor patches that have not been merged into the upstream Linux
kernel, including patches that add additional hooks and features. Kubernetes has only been kernel, including patches that add additional hooks and features. Kubernetes has only been
tested with the upstream version, and does not promise support for other features. tested with the upstream version, and does not promise support for other features.
3. Container runtime is Docker -- Currently the only Kubernetes-supported container runtime that 3. Container runtime is Docker -- Currently the only Kubernetes-supported container runtime that
also supports AppArmor is Docker. As more runtimes add AppArmor support, the options will be also supports AppArmor is Docker. As more runtimes add AppArmor support, the options will be
expanded. You can verify that your nodes are running docker with: expanded. You can verify that your nodes are running docker with:
``` ```shell
$ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.containerRuntimeVersion}\n{end}' $ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.containerRuntimeVersion}\n{end}'
gke-test-default-pool-239f5d02-gyn2: docker://1.11.2 gke-test-default-pool-239f5d02-gyn2: docker://1.11.2
gke-test-default-pool-239f5d02-x1kf: docker://1.11.2 gke-test-default-pool-239f5d02-x1kf: docker://1.11.2
gke-test-default-pool-239f5d02-xwux: docker://1.11.2 gke-test-default-pool-239f5d02-xwux: docker://1.11.2
``` ```
If the Kubelet contains AppArmor support (>= v1.4), it will refuse to run a Pod with AppArmor If the Kubelet contains AppArmor support (>= v1.4), it will refuse to run a Pod with AppArmor
options if the runtime is not Docker. options if the runtime is not Docker.
4. Profile is loaded -- AppArmor is applied to a Pod by specifying an AppArmor profile that each 4. Profile is loaded -- AppArmor is applied to a Pod by specifying an AppArmor profile that each
container should be run with. If any of the specified profiles is not already loaded in the container should be run with. If any of the specified profiles is not already loaded in the
kernel, the Kubelet (>= v1.4) will reject the Pod. You can view which profiles are loaded on a kernel, the Kubelet (>= v1.4) will reject the Pod. You can view which profiles are loaded on a
node by checking the `/sys/kernel/security/apparmor/profiles` file. For example: node by checking the `/sys/kernel/security/apparmor/profiles` file. For example:
``` ```shell
$ ssh gke-test-default-pool-239f5d02-gyn2 "sudo cat /sys/kernel/security/apparmor/profiles | sort" $ ssh gke-test-default-pool-239f5d02-gyn2 "sudo cat /sys/kernel/security/apparmor/profiles | sort"
apparmor-test-deny-write (enforce) apparmor-test-deny-write (enforce)
apparmor-test-audit-write (enforce) apparmor-test-audit-write (enforce)
docker-default (enforce) docker-default (enforce)
k8s-nginx (enforce) k8s-nginx (enforce)
``` ```
For more details on loading profiles on nodes, see For more details on loading profiles on nodes, see
[Setting up nodes with profiles](#setting-up-nodes-with-profiles). [Setting up nodes with profiles](#setting-up-nodes-with-profiles).
As long as the Kubelet version includes AppArmor support (>= v1.4), the Kubelet will reject a Pod As long as the Kubelet version includes AppArmor support (>= v1.4), the Kubelet will reject a Pod
with AppArmor options if any of the prerequisites are not met. You can also verify AppArmor support with AppArmor options if any of the prerequisites are not met. You can also verify AppArmor support