preparing for PR

CHANGELOG.md

@@ -7,7 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-1. **Unable to replace profiles**. Permission denied, app seems still confined.
 1. Go unit tests  
     - [ ] Create a new profile
     - [ ] Update an existing profile
@@ -19,9 +18,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 1. Add tests for all the main functions
 1. Add test for checking current confinement state of the app
 1. Test on multiple nodes cluster
-1. helm diff in CD
 
-## [0.0.6]() - 
+
+## [0.1.0]() - 2023-02-01
+### Fixed
+1. "Unable to replace profiles. Permission denied, app seems still confined." - Switched to ubuntu image
+1. No need for SYS_ADMIN capabilities 
+1. Ignore hidden and system folders while scanning for profiles
+
+### Added
+1. Instructions to test the app in a virtual machine directly running the go app or in microk8s pushing the built container to the local registry
+
+
+## 0.0.6 - 2023-01-26
 
 ### Added 
 Helm:

README.md

@@ -11,10 +11,14 @@
 - -----
 Apparmor-loader project to deploy profiles through a kubernetes daemonset.  
 
-This work was inspired by [kubernetes/apparmor-loader](https://github.com/kubernetes/kubernetes/tree/master/test/images/apparmor-loader).
 
 ![architecture](./docs/kapparmor-architecture.png)
 
+This app provide dynamic loading and unloading of AppArmor profiles to a Kubernetes cluster through a configmap.  
+The app doesn't need an operator and it will be managed by a DaemonSet filtering the linux nodes to schedule the app pod.  
+The custom profiles deployed in the configmap will be copied in a directory (`/etc/apparmor.d/custom` by default) since apparmor_parser needs the profiles definitions also to remove them. Once you will deploy a configmap with different profiles, Kapparmor will notice the missing ones and it will remove them from the apparmor cache and from the node directory.  
+If you modify only the content of a profile leaving the same name, Kapparmor should notice it anyway since a byte comparison is done when configmap profiles names and local profiles names match.
+
 1. The CD pipeline will
 	- deploy a configmap in the security namespace containing all the profiles versioned in the current project
 	- it will apply a daemonset on the linux nodes
@@ -25,6 +29,7 @@ This work was inspired by [kubernetes/apparmor-loader](https://github.com/kubern
 
 You can view which profiles are loaded on a node by checking the /sys/kernel/security/apparmor/profiles, so its parent will need to be mounted in the pod.
 
+This work was inspired by [kubernetes/apparmor-loader](https://github.com/kubernetes/kubernetes/tree/master/test/images/apparmor-loader).
 
 ## Testing
 [Set up a Microk8s environment](./docs/microk8s.md).

charts/kapparmor/templates/daemonset.yaml

@@ -37,13 +37,16 @@ spec:
 
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          # mount a configmap as read only in the container's filesystem.  
+
           volumeMounts :
+            # Folder containing profiles files mounted from the configmap
             - name : kapparmor-profiles
               mountPath : {{ .Values.app.profiles_dir }}
               readOnly : false
+            # Folder used by the kernel to store loaded profiles names
             - name: profiles-kernel-path
               mountPath: /sys/kernel/security
+            # Folder used by the app to store custom profiles definitions
             - name: etc-apparmor
               mountPath: /etc/apparmor.d/
 

docs/microk8s.md

@@ -112,6 +112,9 @@ git pull && export GITHUB_SHA="sha-$(git log --oneline --no-abbrev-commit -n 1 |
 # https://github.com/databus23/helm-diff
 helm diff upgrade kapparmor --install --debug --set image.tag=$GITHUB_SHA charts/kapparmor
 
+rm /etc/apparmor.d/custom/custom.*
+apparmor_parser --remove --verbose $PROFILES_DIR
+
 helm upgrade kapparmor --install --atomic --timeout 30s --debug --set image.tag=$GITHUB_SHA charts/kapparmor/ &&\
   echo            &&\
   echo "--- EVENTS (wait 10 sec..)"&&\