Restrict AppArmor

On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles. This policy ensures Pods do not specify any other AppArmor profiles than `runtime/default`.

Policy Definition

/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-apparmor-profiles
  annotations:
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default`.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: app-armor
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed. The annotation
          container.apparmor.security.beta.kubernetes.io must not be defined,
          or must not be set to anything other than `runtime/default`.
        pattern:
          metadata:
            =(annotations):
              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default"
```
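As an added example (not code from the Kyverno policy library), the check the rule's pattern expresses, written in Python against a Pod in the JSON form an admission request carries: the `=(annotations)` anchor makes the annotations map optional, and the `=(container.apparmor.security.beta.kubernetes.io/*)` wildcard requires every key under that prefix to equal `runtime/default`. The three sample Pods are constructed here; running this before applying the policy in `audit` mode shows which existing manifests would be reported.

```python
import json

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
ALLOWED_PROFILE = "runtime/default"


def check_apparmor_annotations(pod: dict) -> list[str]:
    """Return violation messages for `pod`; an empty list means compliant.

    Mirrors the rule's pattern: metadata.annotations is optional (=(annotations)),
    and every key under the AppArmor prefix must equal "runtime/default".
    Keys with other prefixes are ignored, as the wildcard anchor ignores them.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    violations = []
    for key, value in annotations.items():
        if key.startswith(APPARMOR_PREFIX) and value != ALLOWED_PROFILE:
            container = key[len(APPARMOR_PREFIX):]
            violations.append(
                f"container {container!r}: profile {value!r} is not {ALLOWED_PROFILE!r}")
    return violations


# Constructed sample Pods, in the JSON form an admission request carries.
COMPLIANT_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "ok", "annotations":
    {"container.apparmor.security.beta.kubernetes.io/app": "runtime/default"}},
  "spec": {"containers": [{"name": "app", "image": "example/app"}]}}""")

VIOLATING_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "bad", "annotations":
    {"container.apparmor.security.beta.kubernetes.io/app": "unconfined",
     "container.apparmor.security.beta.kubernetes.io/sidecar": "localhost/custom"}},
  "spec": {"containers": [{"name": "app", "image": "example/app"},
                          {"name": "sidecar", "image": "example/sidecar"}]}}""")

NO_ANNOTATIONS_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "plain"},
  "spec": {"containers": [{"name": "app", "image": "example/app"}]}}""")

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD, NO_ANNOTATIONS_POD):
        found = check_apparmor_annotations(pod)
        print(pod["metadata"]["name"], "PASS" if not found else "FAIL: " + "; ".join(found))
```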