Restrict AppArmor Profiles

Description

On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.

Restricted Fields

  • metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]

Allowed Values

  • Undefined/nil
  • runtime/default
  • localhost/*

Kyverno Policy

Refer to the Nirmata curated policies - restrict-apparmor-profiles.yaml

References

Configuration Settings

Specifying any other AppArmor profile is disallowed. The annotation container.apparmor.security.beta.kubernetes.io/*, if defined, must be set to either runtime/default or localhost/* and nothing else. The equality anchor =( ) in the pattern below means the field is validated only when it is present, so resources without the annotation are accepted.

=(metadata):
  =(annotations):
    =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"

Resource Example

Below is a Deployment resource example in which the annotation container.apparmor.security.beta.kubernetes.io/container01 on the Pod template is set to runtime/default. The other accepted form is localhost/* (for example, localhost/foo), which names a profile loaded on the node.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        container.apparmor.security.beta.kubernetes.io/container01: runtime/default
    spec:
      containers:
      - name: container01
        image: dummyimagename
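To make the matching rules in the Configuration Settings section concrete, the following Python script re-implements the check outside Kyverno: it applies the same key wildcard, the same "runtime/default | localhost/*" alternatives, and the same "validate only if present" behaviour to the Deployment shown above and to a few constructed Pods. This is an added example for illustration; it is not Kyverno's engine or the Nirmata policy, and the pattern semantics it encodes (`*` as a wildcard in key and value, `|` as alternation, `=( )` as validate-if-present) are assumptions about how the published pattern is meant to be read.

```python
"""Stand-alone re-implementation of the restrict-apparmor-profiles check.

Added example, not Kyverno code. It mirrors the pattern on the page:

    =(metadata):
      =(annotations):
        =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"

Assumed semantics: '*' is a wildcard in both the annotation key and each
value alternative, '|' separates alternatives, and the =( ) anchor means a
field is validated only when it exists in the resource.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

ANNOTATION_KEY_PATTERN = "container.apparmor.security.beta.kubernetes.io/*"
ALLOWED_VALUE_PATTERN = "runtime/default | localhost/*"


def allowed_values(pattern: str = ALLOWED_VALUE_PATTERN) -> list[str]:
    """Split a Kyverno-style 'a | b' value pattern into its alternatives."""
    return [alt.strip() for alt in pattern.split("|") if alt.strip()]


def check_annotations(annotations: dict | None) -> list[str]:
    """Return violation messages for one metadata.annotations map.

    A missing/nil map, or one without any AppArmor keys, yields no
    violations: the =( ) anchor only validates keys that are present.
    """
    violations: list[str] = []
    if not annotations:
        return violations
    for key, value in annotations.items():
        if not fnmatchcase(key, ANNOTATION_KEY_PATTERN):
            continue  # unrelated annotation, not in scope of the rule
        if not any(fnmatchcase(str(value), alt) for alt in allowed_values()):
            violations.append(f"{key}={value!r} is not runtime/default or localhost/*")
    return violations


def check_resource(resource: dict) -> list[str]:
    """Validate a Pod, or a Pod controller such as a Deployment.

    Kyverno auto-generates rules for the Pod template of controllers, so the
    annotations are checked on the object itself and on spec.template.
    """
    violations = check_annotations(resource.get("metadata", {}).get("annotations"))
    template = resource.get("spec", {}).get("template")
    if isinstance(template, dict):
        nested = check_annotations(template.get("metadata", {}).get("annotations"))
        violations += [f"spec.template: {msg}" for msg in nested]
    return violations


# The Deployment from the page's Resource Example, expressed as a dict.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment02"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "app"}},
        "template": {
            "metadata": {
                "labels": {"app": "app"},
                "annotations": {
                    "container.apparmor.security.beta.kubernetes.io/container01": "runtime/default"
                },
            },
            "spec": {"containers": [{"name": "container01", "image": "dummyimagename"}]},
        },
    },
}


def _pod(name: str, apparmor_value: str | None) -> dict:
    """Build a constructed sample Pod (not from the page) for the other cases."""
    metadata: dict = {"name": name}
    if apparmor_value is not None:
        metadata["annotations"] = {
            "container.apparmor.security.beta.kubernetes.io/container01": apparmor_value
        }
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": metadata,
        "spec": {"containers": [{"name": "container01", "image": "dummyimagename"}]},
    }


LOCALHOST_POD = _pod("localhost-profile", "localhost/foo")  # allowed: localhost/*
NO_ANNOTATION_POD = _pod("no-annotation", None)             # allowed: annotation absent
BAD_POD = _pod("other-profile", "unconfined")               # rejected: any other value


if __name__ == "__main__":
    for res in (GOOD_DEPLOYMENT, LOCALHOST_POD, NO_ANNOTATION_POD, BAD_POD):
        print(res["metadata"]["name"], check_resource(res) or "OK")
```

The script reports the Deployment from the page, the localhost/foo Pod and the annotation-free Pod as compliant, and flags only the Pod whose annotation names a profile outside the allowed set. Running the same four manifests through a Kyverno cluster with the policy in audit mode is a quick way to confirm the cluster behaves the same way before switching to enforce.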