The NSX-T Data Center CNI plug-in must be installed on the Kubernetes nodes.

For Ubuntu, installing the NSX-T CNI plug-in will copy the AppArmor profile file ncp-apparmor to /etc/apparmor.d and load it. Before the install, the AppArmor service must be running and the directory /etc/apparmor.d must exist. Otherwise, the install will fail. You can check whether the AppArmor module is enabled with the following command:
    sudo cat /sys/module/apparmor/parameters/enabled
You can check whether the AppArmor service is started with the following command:
    sudo /etc/init.d/apparmor status
If the AppArmor service is not running when you install the NSX-T CNI plug-in, the install will display the following message when it finishes:
    subprocess installed post-installation script returned error exit status 1

The message indicates that all the installation steps completed except the loading of the AppArmor profile.

The ncp-apparmor profile file provides an AppArmor profile for NSX node agent called node-agent-apparmor, which differs from the docker-default profile in the following ways:

  • The deny mount rule is removed.
  • The mount rule is added.
  • Some network, capability, file, and umount options are added.

You can replace the node-agent-apparmor profile with a different profile. However, the profile name node-agent-apparmor is referenced in the file nsx-node-agent-ds.yml, which is used in the installation of NSX node agent. If you use a different profile, you must specify the profile name in nsx-node-agent-ds.yml, under the section spec:template:metadata:annotations, in the following entry:
    container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>
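
The following script is an added example, not part of the NSX-T product or its documentation. It runs the AppArmor prerequisite checks described above and then verifies that every profile named in the manifest's AppArmor annotations is actually loaded on the node. The ROOT prefix, the function names and the script name are assumptions of this example; the list of loaded profiles is read from the kernel's securityfs file /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example: AppArmor prerequisite and profile-annotation checks.
# ROOT is an assumption of this example: a path prefix that lets the checks run
# against a test tree. Leave it empty on a real node and run as root.
ROOT="${ROOT:-}"

# Prints one line per unmet prerequisite; returns non-zero if any is unmet.
nsx_cni_preflight() {
    rc=0
    # The kernel reports Y here when the AppArmor module is enabled.
    if [ "$(cat "$ROOT/sys/module/apparmor/parameters/enabled" 2>/dev/null)" != "Y" ]; then
        echo "apparmor module not enabled"; rc=1
    fi
    # The installer copies ncp-apparmor into this directory.
    if [ ! -d "$ROOT/etc/apparmor.d" ]; then
        echo "/etc/apparmor.d missing"; rc=1
    fi
    # Same status command as above; a non-zero exit is treated as not running.
    if ! "$ROOT/etc/init.d/apparmor" status >/dev/null 2>&1; then
        echo "apparmor service not running"; rc=1
    fi
    return $rc
}

# Prints the profile names referenced by AppArmor annotations in a manifest.
annotated_profiles() {
    sed -n 's|.*container\.apparmor\.security\.beta\.kubernetes\.io/[^:]*:[[:space:]]*"\{0,1\}localhost/\([A-Za-z0-9._-]*\).*|\1|p' "$1" | sort -u
}

# Prints annotated profiles that are not loaded; returns non-zero if any.
# Loaded profiles are listed in securityfs as "name (mode)".
unloaded_profiles() {
    rc=0
    for p in $(annotated_profiles "$1"); do
        if ! awk -v p="$p" '$1 == p { found = 1 } END { exit !found }' \
                "$ROOT/sys/kernel/security/apparmor/profiles" 2>/dev/null; then
            echo "$p"; rc=1
        fi
    done
    return $rc
}

# Usage: sudo sh nsx-apparmor-check.sh check nsx-node-agent-ds.yml
if [ "${1:-}" = "check" ]; then
    nsx_cni_preflight && unloaded_profiles "$2"
fi
```

Run the preflight part before installing the package and the manifest check after it, before applying nsx-node-agent-ds.yml. A pod whose annotation names a profile that is not loaded on its node will not start.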


  1. Download the installation file appropriate to your Linux distribution.
    The filename is nsx-cni- or nsx-cni-, where xxxxxxx is the build number.
  2. Install the rpm or deb file downloaded in step 1.
    The plug-in is installed in /opt/cni/bin. The CNI configuration file 10-nsx.conf is copied to /etc/cni/net.d. The rpm will also install the configuration file /etc/cni/net.d/99-loopback.conf for the loopback plug-in.