Prevents overriding or disabling the default AppArmor profile.
Note that this policy is part of the following security standards:
k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide, Section 3.4.3
bsi/containerization: BSI IT-Grundschutz "Containerisierung", Section SYS.1.6.A17

Example of a Pod that this policy flags, because its annotation replaces the default AppArmor profile with a custom one:

apiVersion: v1
kind: Pod
metadata:
  name: your-deployment
  annotations:
    # annotations is a map, not a list: key is the container name, value the profile
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
A resource can be excluded from this policy with the annotation securitytower.io/policy.exclusion.preventapparmoroverwrite, whose value states the justification, as in the example below.

apiVersion: v1
kind: Pod
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventapparmoroverwrite: |-
      This container must use a custom AppArmor profile.
...
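As an added example (not SecurityTower's own code), the following check implements the rule described on this page for both the flagged Pod and the exclusion annotation: it reports every container whose AppArmor profile is overridden (localhost/<profile>) or disabled (unconfined) instead of left at the runtime default, and it skips Pods that carry the exclusion annotation. It goes slightly beyond the page by also inspecting the securityContext.appArmorProfile field that Kubernetes 1.30+ offers alongside the annotation; manifests are plain dicts, and the sample Pods are constructed.

```python
# Added example, not SecurityTower's own code: an admission-style check for the
# preventapparmoroverwrite rule. Manifests are passed in as plain dicts.

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
EXCLUSION = "securitytower.io/policy.exclusion.preventapparmoroverwrite"


def apparmor_findings(pod: dict) -> list[str]:
    """Return one finding per container that does not keep the default AppArmor profile."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if EXCLUSION in annotations:
        return []  # explicitly excluded with a written justification
    findings = []
    # Annotation form: value is runtime/default, unconfined or localhost/<profile name>
    for key, value in annotations.items():
        if key.startswith(APPARMOR_PREFIX) and value != "runtime/default":
            name = key[len(APPARMOR_PREFIX):]
            findings.append(f"container {name}: annotation sets AppArmor profile '{value}'")
    # Field form (Kubernetes 1.30+): securityContext.appArmorProfile on the Pod or the
    # container; a container-level setting takes precedence over the Pod-level one
    spec = pod.get("spec", {})
    pod_profile = (spec.get("securityContext") or {}).get("appArmorProfile")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        profile = (c.get("securityContext") or {}).get("appArmorProfile") or pod_profile
        if profile and profile.get("type") != "RuntimeDefault":
            findings.append(f"container {c['name']}: appArmorProfile type is {profile.get('type')}")
    return findings


# Constructed sample manifests (not taken from a real cluster)
OVERRIDING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "your-deployment",
                 "annotations": {APPARMOR_PREFIX + "hello": "localhost/k8s-apparmor-example"}},
    "spec": {"containers": [{"name": "hello", "image": "busybox"}]},
}
UNCONFINED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"appArmorProfile": {"type": "Unconfined"}}}]},
}
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "annotations": {APPARMOR_PREFIX + "app": "runtime/default"}},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

if __name__ == "__main__":
    for pod in (OVERRIDING_POD, UNCONFINED_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], apparmor_findings(pod) or "ok")
```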