Help Center/
Ubiquitous Cloud Native Service/
User Guide/
Policy Center/
Policy Definition Library/
k8spspapparmor
Updated on 2024-02-01 GMT+08:00
k8spspapparmor
Basic Information
Function
This policy restricts the AppArmor fields.
Policy Example
The following policy instance shows the types of resources for which the policy definition takes effect. The allowedProfiles field of parameters defines the allowed values.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedProfiles:
- runtime/default
Resource Definition That Complies with the Policy
In the example, the value of apparmor is within the allowed range defined above, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-apparmor-allowed
annotations:
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
spec:
containers:
- name: nginx
image: nginx
Resource Definition That Does Not Comply with the Policy
In the example, the value of apparmor is not within the allowed range defined above, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-apparmor-disallowed
annotations:
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
spec:
containers:
- name: nginx
image: nginx
Parent topic: Policy Definition Library
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
