---
title: "Restrict Apparmor Profiles"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/baseline/restrict-apparmor-profiles/
---
### Description
On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.

**Restricted Fields**
* metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]

**Allowed Values**
* Undefined/nil
* runtime/default
* localhost/*

### Risks
Risks associated with overriding the default profile or using profiles outside the allowed set:

* `Compromising Default Security`: The key idea is to ensure that only approved profiles are used, and that the security provided by the default profile is not compromised. The default profile is designed to provide a baseline level of security, and bypassing it might expose containers to potential attacks that the default profile would otherwise prevent.

* `Misconfiguration of Custom Profiles`: Custom profiles specified must be accurately defined and thoroughly tested. Misconfigured profiles can provide more permissions than intended or fail to enforce necessary restrictions.

### Kyverno Policy
Refer to the Nirmata curated policies - [restrict-apparmor-profiles.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml)

### References
#### Configuration Settings
Specifying other AppArmor profiles is disallowed. Any annotation with the prefix `container.apparmor.security.beta.kubernetes.io/`, if defined, must not be set to anything other than `runtime/default` or `localhost/*`. The Kyverno anchor pattern used by the policy is:

```yaml
=(metadata):
  =(annotations):
    =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
```

#### Resource Example
Below is a `Deployment` resource example where the annotation `container.apparmor.security.beta.kubernetes.io/container01` is set to `runtime/default`. Another accepted value is `localhost/*` (for example, `localhost/foo`).

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        container.apparmor.security.beta.kubernetes.io/container01: runtime/default
    spec:
      containers:
      - name: container01
        image: dummyimagename
```
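The following is an added Python example, not code from the page or from the Nirmata policy repository, that mirrors the baseline check above on plain manifest dictionaries: it collects the annotations that land on the Pod (directly for a `Pod`, via `spec.template.metadata` for workload kinds) and reports every `container.apparmor.security.beta.kubernetes.io/*` value outside the allowed set. The sample manifests and the `check_apparmor` / `profile_allowed` names are constructed for this example.

```python
from typing import Dict, List

# Annotation key prefix; the suffix is the container name the profile applies to.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
DEFAULT_PROFILE = "runtime/default"
LOCALHOST_PREFIX = "localhost/"


def profile_allowed(value: str) -> bool:
    """Baseline-allowed values: runtime/default or localhost/<profile>."""
    return value == DEFAULT_PROFILE or value.startswith(LOCALHOST_PREFIX)


def pod_annotations(manifest: dict) -> Dict[str, str]:
    """Annotations that end up on the Pod: metadata for a Pod, the
    pod template's metadata for Deployment/StatefulSet/DaemonSet/Job."""
    if manifest.get("kind") == "Pod":
        meta = manifest.get("metadata") or {}
    else:
        meta = ((manifest.get("spec") or {}).get("template") or {}).get("metadata") or {}
    return meta.get("annotations") or {}


def check_apparmor(manifest: dict) -> List[str]:
    """One violation message per AppArmor annotation outside the allowed set.
    An empty list means the manifest passes; absent annotations are fine."""
    violations = []
    for key, value in pod_annotations(manifest).items():
        if key.startswith(APPARMOR_PREFIX) and not profile_allowed(str(value)):
            container = key[len(APPARMOR_PREFIX):]
            violations.append(
                f"container {container!r}: AppArmor profile {value!r} is not allowed "
                f"(use {DEFAULT_PROFILE} or {LOCALHOST_PREFIX}<profile>)")
    return violations


# Constructed sample manifests, not taken from the policy repository.
GOOD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"metadata": {"annotations": {
        APPARMOR_PREFIX + "container01": "runtime/default"}}}},
}
BAD_POD = {
    "kind": "Pod",
    "metadata": {"annotations": {
        APPARMOR_PREFIX + "app": "unconfined",
        APPARMOR_PREFIX + "sidecar": "localhost/k8s-nginx"}},
}
if __name__ == "__main__":
    for name, m in (("good deployment", GOOD_DEPLOYMENT), ("bad pod", BAD_POD)):
        print(name, "->", check_apparmor(m) or "OK")
```

Only the `app` container in the constructed bad Pod is reported, since `localhost/k8s-nginx` matches the allowed `localhost/*` pattern.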