Restrict Apparmor Profiles

Description

On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.

Restricted Fields

  • metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]

Allowed Values

  • Undefined/nil
  • runtime/default
  • localhost/*

Risks

Risks associated with overriding default or allowed set of profiles:

  • Compromising Default Security: The key idea is to ensure that only approved profiles are used, and that the security provided by the default profile is not compromised. The default profile is designed to provide a baseline level of security, and bypassing it might expose containers to potential attacks that the default profile would otherwise prevent.

  • Misconfiguration of Custom Profiles: Custom profiles specified must be accurately defined and thoroughly tested. Misconfigured profiles can provide more permissions than intended or fail to enforce necessary restrictions.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-apparmor-profiles.yaml

References

Configuration Settings

Specifying other AppArmor profiles is disallowed. The annotation container.apparmor.security.beta.kubernetes.io/*, if defined, must not be set to anything other than runtime/default or localhost/*.

=(metadata):
  =(annotations):
    =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"

Resource Example

Below is a Deployment resource example where the annotation container.apparmor.security.beta.kubernetes.io/container01 value is set to runtime/default. Another accepted value is localhost/* (example, localhost/foo).

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        container.apparmor.security.beta.kubernetes.io/container01: runtime/default
    spec:
      containers:
      - name: container01
        image: dummyimagename
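The following Python check is an added example, not code from the Nirmata policy or from Kyverno. It mirrors the pattern in Configuration Settings (absent annotation is fine; present ones must be runtime/default or localhost/*) and runs it against the Deployment above plus a constructed non-compliant Pod. It assumes the manifests have already been parsed into Python dicts.

```python
# Added example (not the Nirmata/Kyverno code): mirrors the AppArmor annotation rule.
from typing import List

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def _pod_metadata(resource: dict) -> dict:
    """Metadata block that carries the pod annotations: the Pod's own
    metadata, or spec.template.metadata for Deployment/StatefulSet/etc."""
    if resource.get("kind") == "Pod":
        return resource.get("metadata") or {}
    spec = resource.get("spec") or {}
    return (spec.get("template") or {}).get("metadata") or {}


def is_allowed_profile(value: str) -> bool:
    """True for runtime/default or localhost/<profile>. Like the Kyverno '*'
    wildcard, anything after 'localhost/' (even nothing) matches."""
    return value == "runtime/default" or value.startswith("localhost/")


def apparmor_violations(resource: dict) -> List[str]:
    """Return 'key=value' for every AppArmor annotation with a disallowed
    value. An absent annotation is compliant: the =() anchors in the pattern
    mean the rule applies only when the key is present."""
    annotations = _pod_metadata(resource).get("annotations") or {}
    return [
        f"{key}={value}"
        for key, value in annotations.items()
        if key.startswith(APPARMOR_PREFIX) and not is_allowed_profile(str(value))
    ]


# Constructed sample inputs: the compliant Deployment from the page, and a Pod
# that tries to disable confinement with "unconfined".
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment02"},
    "spec": {"template": {"metadata": {"annotations": {
        APPARMOR_PREFIX + "container01": "runtime/default"}},
        "spec": {"containers": [{"name": "container01", "image": "dummyimagename"}]}}},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "badpod", "annotations": {APPARMOR_PREFIX + "app": "unconfined"}},
    "spec": {"containers": [{"name": "app", "image": "dummyimagename"}]},
}
```

Run `apparmor_violations(BAD_POD)` to see the offending annotation reported; the same function returns an empty list for the Deployment from the page.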