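# AppArmor profile for kubesolo (kubelet + control plane)
# Start in complain mode to log without blocking.
# NOTE(review): complain mode only logs would-be denials; nothing below is
# enforced until flags=(complain) is removed. Rules marked "broad" should be
# narrowed from the collected audit log before switching to enforce mode.

# Defines @{PROC} and the other path tunables referenced below; without this
# include the @{PROC} rule does not parse.
#include <tunables/global>

profile kubesolo /usr/bin/kubesolo flags=(complain) {
  # Common libc/loader/locale access.
  # NOTE(review): the include target was missing in the source as received;
  # abstractions/base is the conventional choice -- confirm.
  #include <abstractions/base>

  # Binary and shared libraries
  /usr/bin/kubesolo mr,
  /usr/lib/** mr,
  /lib/** mr,

  # KubeSolo state (etcd/SQLite, certificates, manifests)
  /var/lib/kubesolo/** rw,

  # KubeSolo configuration
  /etc/kubesolo/** r,

  # Containerd socket
  /run/containerd/** rw,

  # CNI networking
  /etc/cni/** r,
  # ix: CNI plugins inherit this profile rather than getting their own.
  /opt/cni/bin/** ix,

  # Proc and sys access
  @{PROC}/** r,
  /sys/** r,

  # Device access
  # broad: read/write on every device node, including block devices.
  /dev/** rw,

  # Network access (API server, kubelet, etcd)
  # broad: all address families and protocols; narrow once the log shows
  # which families are actually used.
  network,

  # Control plane needs broad capabilities
  # broad: a bare `capability,` grants every capability (sys_admin,
  # sys_ptrace, sys_module, ...). List the ones the audit log shows instead.
  capability,

  # Kubectl and other tools
  /usr/bin/kubectl ix,
  # broad: any file placed under /usr/local/bin executes under this profile.
  /usr/local/bin/** ix,

  # Temp files
  /tmp/** rw,

  # Log files
  /var/log/** rw,

  # Kubelet needs to manage pods
  /var/lib/kubelet/** rw,

  # Signal handling
  # broad: unrestricted signal and ptrace against any peer; combined with
  # `capability,` this leaves the profile close to unconfined. Scope these
  # to the peers seen in the log (e.g. `ptrace (read) peer=...`) when moving
  # to enforce.
  signal,
  ptrace,
}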