Verify that the AppArmor tool is configured to control whitelisted applications and user home directory access.
The apparmor service can be enabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-apparmor-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: apparmor.service
        enabled: true
This will enable the apparmor service on all nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.
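Because the manifest has to be repeated for each MachineConfigPool, a coverage check helps catch pools that were skipped. The following is an added example, not part of the original rule text or the project's own code: it reads MachineConfig objects as JSON (the shape returned by `oc get machineconfig -o json`) and reports pools where apparmor.service is not left enabled. It assumes each pool is matched to MachineConfigs whose role label equals the pool name and that the last MachineConfig in name order wins; the sample data and the "infra" pool name are constructed.

```python
import json

ROLE_LABEL = "machineconfiguration.openshift.io/role"
UNIT = "apparmor.service"

# Constructed sample shaped like `oc get machineconfig -o json` output.
SAMPLE_MACHINECONFIGS = json.loads("""
{"items": [
  {"metadata": {"name": "75-master-apparmor-enable",
                "labels": {"machineconfiguration.openshift.io/role": "master"}},
   "spec": {"config": {"ignition": {"version": "3.1.0"},
            "systemd": {"units": [{"name": "apparmor.service", "enabled": true}]}}}},
  {"metadata": {"name": "75-worker-apparmor-enable",
                "labels": {"machineconfiguration.openshift.io/role": "worker"}},
   "spec": {"config": {"ignition": {"version": "3.1.0"},
            "systemd": {"units": [{"name": "apparmor.service", "enabled": false}]}}}}
]}
""")
# Constructed pool names; "infra" stands in for a custom pool.
SAMPLE_POOLS = ["master", "worker", "infra"]


def unit_state_by_role(mc_list, unit=UNIT):
    """Map each role label to the unit's final `enabled` value.

    MachineConfigs are visited in name order and the last one wins
    (assumed merge order for this example).
    """
    state = {}
    items = sorted(mc_list.get("items") or [],
                   key=lambda mc: (mc.get("metadata") or {}).get("name", ""))
    for mc in items:
        role = ((mc.get("metadata") or {}).get("labels") or {}).get(ROLE_LABEL)
        config = (mc.get("spec") or {}).get("config") or {}
        for u in (config.get("systemd") or {}).get("units") or []:
            if role and u.get("name") == unit and "enabled" in u:
                state[role] = u["enabled"] is True
    return state


def pools_without_unit(pool_names, mc_list, unit=UNIT):
    """Return pools with no MachineConfig that leaves `unit` enabled."""
    state = unit_state_by_role(mc_list, unit)
    return sorted(p for p in set(pool_names) if not state.get(p, False))


if __name__ == "__main__":
    for pool in pools_without_unit(SAMPLE_POOLS, SAMPLE_MACHINECONFIGS):
        print(f"pool {pool}: {UNIT} is not enabled by any MachineConfig")
```

With the constructed sample, the worker pool is reported because its manifest sets enabled to false, and infra because no manifest targets it.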