# AppArmor profile for kubesolo (kubelet + control plane)
# Start in complain mode: violations are logged (audit only), nothing is blocked

#include <tunables/global>

profile kubesolo /usr/bin/kubesolo flags=(complain) {
  # flags=(complain): every rule below is audit-only. Nothing is denied until
  # the flag is removed, so review the ALLOWED events in the audit log and
  # tighten the broad rules called out below before switching to enforce.
  #include <abstractions/base>

  # Binary and shared libraries
  # m = mmap as executable, r = read. No write access to the binary or
  # library trees, so the process cannot modify its own code on disk.
  /usr/bin/kubesolo                     mr,
  /usr/lib/**                           mr,
  /lib/**                               mr,

  # KubeSolo state (etcd/SQLite, certificates, manifests)
  # Presumably also holds the private keys behind those certificates; this
  # tree is the one that genuinely needs rw.
  /var/lib/kubesolo/**                  rw,

  # KubeSolo configuration
  /etc/kubesolo/**                      r,

  # Containerd socket
  # rw over the whole /run/containerd tree, not only the socket file.
  # Candidate to narrow to the socket path once the audit log shows what is used.
  /run/containerd/**                    rw,

  # CNI networking
  # ix: plugins run under this same profile and inherit every rule in it,
  # including the capability and device rules below.
  /etc/cni/**                           r,
  /opt/cni/bin/**                       ix,

  # Proc and sys access
  # @{PROC} is defined in tunables/global. ** spans every pid's entries, not
  # only the process's own @{PROC}/@{pid}/, so this reads other processes'
  # state (environ, maps, ...). Narrow once the audit log is available.
  @{PROC}/**                            r,
  /sys/**                               r,

  # Device access
  # rw on all of /dev includes raw block devices. Replace with the specific
  # device nodes the audit log reports before enforcing.
  /dev/**                               rw,

  # Network access (API server, kubelet, etcd)
  # Bare "network," permits every address family, socket type and protocol.
  # Can be scoped (e.g. "network inet stream,") once the needed families are known.
  network,

  # Control plane needs broad capabilities
  # Bare "capability," grants the entire capability set (sys_admin included).
  # Enumerate the specific ones observed in the audit log before enforcing.
  capability,

  # Kubectl and other tools
  # /usr/local/bin/** ix executes any file placed in that tree under this
  # profile; listing the individual binaries is preferable for enforce mode.
  /usr/bin/kubectl                      ix,
  /usr/local/bin/**                     ix,

  # Temp files
  # rw only, no x: nothing under /tmp can be executed by this profile.
  # Keep it that way when tightening.
  /tmp/**                               rw,

  # Log files
  # Write access to every log file on the host, not only kubesolo's own.
  /var/log/**                           rw,

  # Kubelet needs to manage pods
  /var/lib/kubelet/**                   rw,

  # Signal handling
  # Bare "signal," and "ptrace," allow every signal and every ptrace
  # operation (read and trace, in both directions) to and from any peer.
  # Both accept access and peer= qualifiers; scope them before enforcing.
  signal,
  ptrace,
}
