Updated on 2024-02-01 GMT+08:00

k8spspapparmor

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter

    allowedProfiles: Array

    exemptImages: String array

Function

This policy restricts the AppArmor fields.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect. The allowedProfiles field of parameters defines the allowed values.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedProfiles:
    - runtime/default

Resource Definition That Complies with the Policy

In the example, the value of apparmor is within the allowed range defined above, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-apparmor-allowed
  annotations:
    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
spec:
  containers:
  - name: nginx
    image: nginx

Resource Definition That Does Not Comply with the Policy

In the example, the value of apparmor is not within the allowed range defined above, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-apparmor-disallowed
  annotations:
    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
spec:
  containers:
  - name: nginx
    image: nginx