Restrict AppArmor
On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent AppArmor from being overridden or disabled, or should restrict overrides to an allowed set of profiles. This policy ensures Pods do not specify any AppArmor profile other than `runtime/default`: the `container.apparmor.security.beta.kubernetes.io/<container>` annotation may be absent or set to `runtime/default`, but values such as `unconfined` (which disables AppArmor for that container) or `localhost/<profile>` are flagged. Two caveats for practitioners: the policy ships with `validationFailureAction: audit`, so violations are only reported until it is switched to `enforce`; and the pattern inspects only the annotation, not the `securityContext.appArmorProfile` field that Kubernetes 1.30 introduced as the replacement for that annotation.
Policy Definition
/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-apparmor-profiles
  annotations:
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: app-armor
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Specifying other AppArmor profiles is disallowed. The annotation
        container.apparmor.security.beta.kubernetes.io must not be defined,
        or must not be set to anything other than `runtime/default`.
      pattern:
        metadata:
          =(annotations):
            =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default"
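To make the matching semantics of the pattern concrete, the following is an added example (not code from the Kyverno policy library) that reimplements the rule's logic in Python over a few constructed Pod manifests. It models the two `=()` anchors in the pattern: an absent `annotations` map passes, an annotation key that does not match the `container.apparmor.security.beta.kubernetes.io/*` wildcard is ignored, and any matching key must equal `runtime/default`. The Pod manifests and the helper function names are assumptions made for this illustration.

```python
"""Reimplements the restrict-apparmor-profiles pattern check for illustration.

Pattern being modelled (from the Kyverno policy on this page):
  metadata:
    =(annotations):
      =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default"
The `=()` anchor means "only evaluate if the key exists"; `*` in the key is a
wildcard over the container name.
"""
import fnmatch
from typing import Dict, List

ANNOTATION_GLOB = "container.apparmor.security.beta.kubernetes.io/*"
ALLOWED_PROFILE = "runtime/default"


def check_apparmor(pod: Dict) -> List[str]:
    """Return a list of violation messages for a Pod dict; empty means compliant."""
    annotations = pod.get("metadata", {}).get("annotations")
    if annotations is None:  # =(annotations): key absent, rule does not apply
        return []
    violations = []
    for key, value in annotations.items():
        if not fnmatch.fnmatchcase(key, ANNOTATION_GLOB):
            continue  # unrelated annotation, ignored by the pattern
        if value != ALLOWED_PROFILE:  # unconfined, localhost/<name>, etc.
            violations.append(
                f"{key}={value!r}: only {ALLOWED_PROFILE!r} is allowed"
            )
    return violations


def _pod(name: str, annotations=None) -> Dict:
    """Build a minimal constructed Pod manifest (sample input, not real data)."""
    metadata = {"name": name, "namespace": "default"}
    if annotations is not None:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": metadata,
        "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
    }


# Constructed sample Pods covering the cases the pattern distinguishes.
POD_NO_ANNOTATIONS = _pod("no-annotations")
POD_RUNTIME_DEFAULT = _pod(
    "runtime-default",
    {"container.apparmor.security.beta.kubernetes.io/app": "runtime/default"},
)
POD_UNCONFINED = _pod(
    "unconfined",
    {"container.apparmor.security.beta.kubernetes.io/app": "unconfined"},
)
POD_LOCALHOST = _pod(
    "localhost-profile",
    {"container.apparmor.security.beta.kubernetes.io/app": "localhost/my-profile"},
)
POD_UNRELATED_ANNOTATION = _pod(
    "unrelated", {"prometheus.io/scrape": "true"}
)


def evaluate_samples() -> Dict[str, bool]:
    """Map each sample Pod name to True if it passes the rule, False otherwise."""
    samples = [
        POD_NO_ANNOTATIONS,
        POD_RUNTIME_DEFAULT,
        POD_UNCONFINED,
        POD_LOCALHOST,
        POD_UNRELATED_ANNOTATION,
    ]
    return {p["metadata"]["name"]: not check_apparmor(p) for p in samples}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:20s} {'pass' if ok else 'FAIL'}")
```

To check the same manifests against the real engine instead of this model, write each sample to a file and run `kyverno apply restrict-apparmor-profiles.yaml --resource pod.yaml`; with `validationFailureAction: audit` the policy only reports, so the CLI is the quickest way to see what would be blocked once it is switched to `enforce`.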