NSX-T CNI plug-in must be installed on the Kubernetes nodes.
For Ubuntu, installing the NSX-T CNI plug-in will copy the AppArmor profile file ncp-apparmor to /etc/apparmor.d and load it. Before the install, the AppArmor service must be running and the directory /etc/apparmor.d must exist. Otherwise, the install will fail. You can check whether the AppArmor module is enabled with the following command:
sudo cat /sys/module/apparmor/parameters/enabled
You can check whether the AppArmor service is started with the following command:
sudo /etc/init.d/apparmor status
If the AppArmor service is not running when you install the NSX-T CNI plug-in, the install will display the following message when it finishes:
subprocess installed post-installation script returned error exit status 1
The message indicates that all the installation steps completed except the loading of the AppArmor profile.
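The three prerequisites above (module enabled, /etc/apparmor.d present, service running) can be checked in one pass before starting the install, so the post-installation script never hits the error shown. The following script is an added example, not part of the NSX-T documentation; it wraps the documented commands in functions whose paths are parameters, and the demo at the end runs against a constructed temporary directory so it works offline. The stub init script and the "Y" value in the constructed files are assumptions that mimic a healthy Ubuntu node.

```shell
#!/bin/sh
# Added example, not part of the NSX-T documentation: a preflight check for
# the AppArmor prerequisites the CNI plug-in installer needs on Ubuntu. Every
# check takes its path as a parameter (defaulting to the real system location)
# so the same functions run against constructed files as well as a live node.

# apparmor_module_enabled ENABLED_FILE
# True when the kernel reports "Y", the value the documented
# "cat /sys/module/apparmor/parameters/enabled" command prints.
apparmor_module_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# apparmor_profile_dir_present DIR
# The installer copies ncp-apparmor into this directory, so it must exist.
apparmor_profile_dir_present() {
    [ -d "$1" ]
}

# apparmor_service_running INIT_SCRIPT
# Runs the init script's "status" action, as the documented command does;
# exit status 0 means the service is running. Assumes the script exists.
apparmor_service_running() {
    "$1" status >/dev/null 2>&1
}

# ncp_cni_preflight [ENABLED_FILE] [PROFILE_DIR] [INIT_SCRIPT]
# Prints one line per check and returns the number of failed checks, so a
# zero return means the post-installation script should be able to load the
# profile instead of ending with "returned error exit status 1".
ncp_cni_preflight() {
    enabled_file=${1:-/sys/module/apparmor/parameters/enabled}
    profile_dir=${2:-/etc/apparmor.d}
    init_script=${3:-/etc/init.d/apparmor}
    failures=0

    if apparmor_module_enabled "$enabled_file"; then
        echo "ok:   AppArmor kernel module enabled"
    else
        echo "FAIL: AppArmor kernel module not enabled ($enabled_file)"
        failures=$((failures + 1))
    fi

    if apparmor_profile_dir_present "$profile_dir"; then
        echo "ok:   profile directory $profile_dir exists"
    else
        echo "FAIL: profile directory $profile_dir is missing"
        failures=$((failures + 1))
    fi

    if apparmor_service_running "$init_script"; then
        echo "ok:   AppArmor service is running"
    else
        echo "FAIL: AppArmor service is not running (start it before installing the CNI plug-in)"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Constructed demo so the example runs offline: a temporary directory that
# mimics a healthy node (module enabled, profile directory present, a stub
# init script whose "status" action exits 0). On a real node, call
# ncp_cni_preflight with no arguments (with sudo, as in the documented
# commands) to use the system paths.
demo=$(mktemp -d)
printf 'Y\n' > "$demo/enabled"
mkdir "$demo/apparmor.d"
printf '#!/bin/sh\n[ "$1" = status ] && exit 0\nexit 3\n' > "$demo/apparmor"
chmod +x "$demo/apparmor"
ncp_cni_preflight "$demo/enabled" "$demo/apparmor.d" "$demo/apparmor"
rm -rf "$demo"
```

The return value is the number of failed checks, so `ncp_cni_preflight || echo "fix the FAIL lines first"` gates the install in a provisioning script; the module check reads the sysfs file directly rather than parsing `aa-status`, which is not always installed.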
The ncp-apparmor profile file provides an AppArmor profile for the NSX node agent, called node-agent-apparmor, which differs from the docker-default profile in the following ways:
The deny mount rule is removed.
The mount rule is added.
Some network, capability, file, and umount options are added.
You can replace the node-agent-apparmor profile with a different profile. However, the profile name node-agent-apparmor is referenced in the file nsx-node-agent-ds.yml, which is used to install the NSX node agent. If you use a different profile, you must specify its name in nsx-node-agent-ds.yml, under the section spec:template:metadata:annotations, in the following entry:
container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>
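The annotation binds the container to a profile by name only, and the kubelet will not start the container if that profile is not loaded on the node, so a replaced profile that was never loaded (for example because the install ended with the post-installation error above) shows up only as a pod that fails to start. The following script is an added example, not part of the NSX-T documentation: it reads the profile name out of the annotation for a given container and checks it against the kernel's list of loaded profiles in /sys/kernel/security/apparmor/profiles. The container name nsx-node-agent and the DaemonSet fragment are constructed for illustration; the real name is whatever nsx-node-agent-ds.yml uses.

```shell
#!/bin/sh
# Added example, not part of the NSX-T documentation: verify that the
# AppArmor profile named in nsx-node-agent-ds.yml is actually loaded on the
# node, so a replaced profile is not silently missing when the DaemonSet pod
# starts. Paths are parameters so the check also runs on constructed input.

# annotation_profile YAML CONTAINER
# Prints the profile name after "localhost/" in the annotation
# container.apparmor.security.beta.kubernetes.io/CONTAINER (empty if absent).
annotation_profile() {
    sed -n -e "/^[[:space:]]*container\.apparmor\.security\.beta\.kubernetes\.io\/$2:/{s|.*localhost/||; s/[[:space:]]*$//; p;}" "$1"
}

# profile_loaded NAME [PROFILES_FILE]
# AppArmor lists loaded profiles one per line as "NAME (MODE)" in
# /sys/kernel/security/apparmor/profiles.
profile_loaded() {
    grep -q -- "^$1 (" "${2:-/sys/kernel/security/apparmor/profiles}"
}

# check_node_agent_profile YAML CONTAINER [PROFILES_FILE]
# Returns 0 when the annotation exists and its profile is loaded,
# 1 when the container has no AppArmor annotation, 2 when the profile is
# referenced but not loaded on this node.
check_node_agent_profile() {
    profile=$(annotation_profile "$1" "$2")
    if [ -z "$profile" ]; then
        echo "no AppArmor annotation for container $2 in $1"
        return 1
    fi
    if profile_loaded "$profile" "$3"; then
        echo "profile $profile for container $2 is loaded"
        return 0
    fi
    echo "profile $profile for container $2 is NOT loaded on this node"
    return 2
}

# Constructed sample input (not a real node's files) so the example runs
# offline: a minimal DaemonSet with the documented annotation and a fake
# loaded-profile list. On a real node, omit the third argument to read the
# kernel's own list.
sample=$(mktemp -d)
cat > "$sample/nsx-node-agent-ds.yml" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nsx-node-agent
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/nsx-node-agent: localhost/node-agent-apparmor
EOF
printf 'docker-default (enforce)\nnode-agent-apparmor (enforce)\n' > "$sample/profiles"
check_node_agent_profile "$sample/nsx-node-agent-ds.yml" nsx-node-agent "$sample/profiles"
rm -rf "$sample"
```

Run it on every node the DaemonSet schedules to, since profiles are loaded per node; a return of 2 means the profile file needs to be placed in /etc/apparmor.d and loaded before the pod will start.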