Add AppArmor Annotations

In the earlier Pod Security Policy controller, it was possible to define a setting which would enable AppArmor for all the containers within a Pod so they may be assigned the desired profile. Assigning an AppArmor profile, accomplished via an annotation, is useful in that it allows secure defaults to be defined and may also result in passing other validation rules such as those in the Pod Security Standards. This policy mutates Pods to add an annotation for every container (including init and ephemeral containers) that enables AppArmor with the runtime/default profile.

Policy Definition

/psp-migration-mpol/add-apparmor/add-apparmor.yaml

apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-apparmor-annotations
  annotations:
    policies.kyverno.io/title: Add AppArmor Annotations
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod,Annotation
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      In the earlier Pod Security Policy controller, it was possible to define
      a setting which would enable AppArmor for all the containers within a Pod so
      they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
      via an annotation, is useful in that it allows secure defaults to be defined and may
      also result in passing other validation rules such as those in the Pod Security Standards.
      This policy mutates Pods to add an annotation for every container to enable AppArmor
      at the runtime/default level.
spec:
  evaluation:
    admission:
      enabled: true
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  variables:
    - name: allContainers
      expression: >-
        object.spec.containers +
        (has(object.spec.initContainers) ? object.spec.initContainers : []) +
        (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
  mutations:
  # First, ensure the annotations map exists
  - patchType: JSONPatch
    jsonPatch:
      expression: |
        !has(object.metadata.annotations) ?
        [
          JSONPatch{
            op: "add",
            path: "/metadata/annotations",
            value: {}
          }
        ] : []
  # Then add one AppArmor annotation per container
  - patchType: JSONPatch
    jsonPatch:
      expression: |
        variables.allContainers.map(c,
          JSONPatch{
            op: "add",
            path: "/metadata/annotations/" + jsonpatch.escapeKey("container.apparmor.security.beta.kubernetes.io/" + c.name),
            value: "runtime/default"
          }
        )
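As an added illustration (not part of the policy above or of the Kyverno project's code), the following Python models the two mutations on a constructed Pod: it mirrors the allContainers variable, the RFC 6901 key escaping that jsonpatch.escapeKey performs, and the patch list the policy emits. It also goes one step beyond the page by applying the patches, which shows that a JSON Patch add on an existing annotation replaces it, so a container already annotated with a different profile ends up with runtime/default.

```python
import copy

PREFIX = "container.apparmor.security.beta.kubernetes.io/"
PROFILE = "runtime/default"


def escape_key(key: str) -> str:
    """RFC 6901 token escaping, as jsonpatch.escapeKey does: '~'->'~0', then '/'->'~1'."""
    return key.replace("~", "~0").replace("/", "~1")


def all_containers(pod: dict) -> list:
    """Mirror the policy's allContainers variable: regular + init + ephemeral."""
    spec = pod["spec"]
    return spec["containers"] + spec.get("initContainers", []) + spec.get("ephemeralContainers", [])


def build_patches(pod: dict) -> list:
    """Emit the same JSON Patch operations as the two mutations in the policy."""
    patches = []
    if "annotations" not in pod["metadata"]:  # first mutation: make sure the map exists
        patches.append({"op": "add", "path": "/metadata/annotations", "value": {}})
    for c in all_containers(pod):  # second mutation: one annotation per container
        path = "/metadata/annotations/" + escape_key(PREFIX + c["name"])
        patches.append({"op": "add", "path": path, "value": PROFILE})
    return patches


def apply_patches(pod: dict, patches: list) -> dict:
    """Minimal RFC 6902 'add' applier for the object paths used here. Per the RFC,
    'add' on an existing member replaces it, so a pre-set profile is overwritten."""
    out = copy.deepcopy(pod)
    for p in patches:
        tokens = [t.replace("~1", "/").replace("~0", "~") for t in p["path"].split("/")[1:]]
        target = out
        for t in tokens[:-1]:
            target = target[t]
        target[tokens[-1]] = copy.deepcopy(p["value"])
    return out


# Constructed sample Pod (not from the page): one init container, two app containers, no annotations.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "init-db", "image": "busybox"}],
        "containers": [{"name": "app", "image": "nginx"}, {"name": "sidecar", "image": "envoy"}],
    },
}

if __name__ == "__main__":
    for patch in build_patches(SAMPLE_POD):
        print(patch)
    print(apply_patches(SAMPLE_POD, build_patches(SAMPLE_POD))["metadata"]["annotations"])
```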