This Kubewarden policy replaces the AppArmor controls of the Kubernetes Pod Security Policy (PSP), a feature that has since been removed from Kubernetes.
The policy works by defining an allowlist of permitted AppArmor profiles. Pods are inspected at creation and update time to ensure that every container which requests an AppArmor profile requests one of the approved profiles.
When no AppArmor profile is specified for a container, Kubernetes leaves the choice to the underlying container runtime, which applies its own default AppArmor profile. Because of that, the default behaviour of this policy is to accept workloads that do not specify an AppArmor profile at all. Keep in mind that this default confinement only exists on nodes where AppArmor is enabled in the kernel and the runtime.
The policy can be configured with the following data structure:
```yaml
# list of allowed profiles
allowed_profiles:
- runtime/default
- localhost/my-special-workload
```
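To put these settings into effect on a cluster they are passed under `spec.settings` of a Kubewarden `ClusterAdmissionPolicy`. The manifest below is an added example and is not part of this README: the policy module reference (registry path and version tag) is an assumption and must be replaced with the one you actually deploy, and the rules are scoped to Pod CREATE and UPDATE to match the inspection points described above.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: apparmor-psp
spec:
  # Assumed module reference; replace with the OCI reference and tag you deploy.
  module: registry://ghcr.io/kubewarden/policies/apparmor-psp:v0.1.0
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations: ["CREATE", "UPDATE"]
  # This policy only validates; it never rewrites the Pod.
  mutating: false
  settings:
    allowed_profiles:
    - runtime/default
    - localhost/my-special-workload
```

Because `mutating` is `false`, a Pod that requests a profile outside the allowlist is rejected outright rather than silently rewritten to `runtime/default`, so the rejection reason surfaces to whoever submitted the workload.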
Running a container with the `unconfined` profile is considered a bad security practice: it switches AppArmor confinement off for that container entirely. This can be prevented by using the following settings, which leave `unconfined` out of the allowlist:
```yaml
allowed_profiles:
- runtime/default
```
This configuration would allow these Pods:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: runtime/default
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-default-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
```
While these Pods would not be allowed on the cluster:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-unconfined
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-custom-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/my-custom-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
```
The following configuration would force all workloads to either not specify an AppArmor profile (and hence use the default one provided by the container runtime) or use one of the approved profiles. Note that allowlisting a `localhost/` profile only permits Pods to request it: the profile itself still has to be loaded into the kernel on every node where such a Pod can be scheduled, otherwise the kubelet refuses to start the container.
```yaml
allowed_profiles:
- runtime/default
- localhost/my-custom-profile
```
This configuration would allow these Pods:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: runtime/default
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-default-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-custom-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/my-custom-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
```
While these Pods would not be allowed on the cluster:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-unconfined
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-unknown-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/unknown-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
```
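The accept/reject outcomes listed for both configurations above follow from one rule: every container that carries a `container.apparmor.security.beta.kubernetes.io/<container-name>` annotation must name a profile from `allowed_profiles`, and containers without the annotation are accepted. The Python below is an added re-implementation of that rule for experimenting with manifests offline; it is not the policy's own (Rust/Wasm) source. Assumptions, labelled in the code: `initContainers` are in scope like regular containers, and an annotation naming a container that does not exist in the Pod is treated as a violation. The sample Pods are constructed to mirror the manifests in this README, and it also goes one step beyond them by checking a multi-container Pod where only one container asks for `unconfined`.

```python
"""Allowlist check for AppArmor profile annotations on Kubernetes Pods.

Added example, not the apparmor-psp policy's own source.  Assumes the policy
reads the per-container annotation shown in the README, accepts containers with
no annotation (runtime default), and covers initContainers too.
"""
from typing import Optional

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def container_names(pod: dict) -> set:
    """Names the annotation may refer to (assumption: init containers included)."""
    spec = pod.get("spec", {})
    names = set()
    for key in ("containers", "initContainers"):
        names.update(c["name"] for c in spec.get(key, []))
    return names


def apparmor_annotations(pod: dict) -> dict:
    """Map container name -> requested AppArmor profile, from Pod annotations."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return {
        key[len(ANNOTATION_PREFIX):]: value
        for key, value in annotations.items()
        if key.startswith(ANNOTATION_PREFIX)
    }


def validate_pod(pod: dict, allowed_profiles: list) -> tuple:
    """Return (accepted, reason) for one Pod under the given allowlist.

    Containers without an annotation inherit the runtime default and pass.
    Every annotated container must request a profile in allowed_profiles, so
    `unconfined` is rejected unless the operator explicitly allowlists it.
    """
    allowed = set(allowed_profiles)
    names = container_names(pod)
    for container, profile in apparmor_annotations(pod).items():
        if container not in names:
            # Assumption of this example: reject rather than ignore, so a typo in
            # the container name cannot leave a container silently unchecked.
            return False, f"annotation targets unknown container {container!r}"
        if profile not in allowed:
            return False, (f"container {container!r} requests AppArmor profile "
                           f"{profile!r}; allowed profiles: {sorted(allowed)}")
    return True, "all requested AppArmor profiles are allowed"


def sample_pod(name: str, profile: Optional[str] = None) -> dict:
    """Constructed single-container Pod mirroring the README manifests."""
    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {"containers": [{
            "name": "hello",
            "image": "busybox",
            "command": ["sh", "-c", "echo 'Hello AppArmor!' && sleep 1h"],
        }]},
    }
    if profile is not None:
        pod["metadata"]["annotations"] = {ANNOTATION_PREFIX + "hello": profile}
    return pod


def evaluate_readme_cases(allowed_profiles: list) -> dict:
    """Run the README's Pods through the check; returns {pod name: accepted}."""
    pods = [
        sample_pod("hello-apparmor", "runtime/default"),
        sample_pod("hello-apparmor-default-profile"),
        sample_pod("hello-unconfined", "unconfined"),
        sample_pod("hello-custom-profile", "localhost/my-custom-profile"),
        sample_pod("hello-unknown-profile", "localhost/unknown-profile"),
    ]
    return {p["metadata"]["name"]: validate_pod(p, allowed_profiles)[0] for p in pods}


if __name__ == "__main__":
    for allowlist in (["runtime/default"],
                      ["runtime/default", "localhost/my-custom-profile"]):
        print(allowlist, evaluate_readme_cases(allowlist))
```

The check is deliberately per container rather than per Pod: a Pod whose main container is on `runtime/default` but whose init container asks for `unconfined` is still rejected, which is the case that a Pod-level "is any profile allowed" shortcut would miss.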