diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md index 005105630b..404ea8181c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md @@ -9,6 +9,10 @@ stages: - stage: beta defaultValue: true fromVersion: "1.4" + toVersion: "1.30" + - stage: stable + defaultValue: true + fromVersion: "1.31" --- Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details. diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md index b176d20df5..8e36720c65 100644 --- a/content/en/docs/tasks/configure-pod-container/security-context.md +++ b/content/en/docs/tasks/configure-pod-container/security-context.md @@ -419,6 +419,56 @@ securityContext: localhostProfile: my-profiles/profile-allow.json ``` +## Set the AppArmor Profile for a Container + +To set the AppArmor profile for a Container, include the `appArmorProfile` field +in the `securityContext` section of your Container. The `appArmorProfile` field +is a +[AppArmorProfile](/docs/reference/generated/kubernetes-api/{{< param "version" +>}}/#apparmorprofile-v1-core) object consisting of `type` and `localhostProfile`. +Valid options for `type` include `RuntimeDefault`(default), `Unconfined`, and +`Localhost`. `localhostProfile` must only be set if `type` is `Localhost`. It +indicates the name of the pre-configured profile on the node. The profile needs +to be loaded onto all nodes suitable for the Pod, since you don't know where the +pod will be scheduled. +Approaches for setting up custom profiles are discussed in +[Setting up nodes with profiles](/docs/tutorials/security/apparmor/#setting-up-nodes-with-profiles). + +Note: If `containers[*].securityContext.appArmorProfile.type` is explicitly set +to `RuntimeDefault`, then the Pod will not be admitted if AppArmor is not +enabled on the Node. However if `containers[*].securityContext.appArmorProfile.type` +is not specified, then the default (which is also `RuntimeDefault`) will only +be applied if the node has AppArmor enabled. If the node has AppArmor disabled +the Pod will be admitted but the Container will not be restricted by the +`RuntimeDefault` profile. + +Here is an example that sets the AppArmor profile to the node's container runtime +default profile: + +```yaml +... +containers: +- name: container-1 + securityContext: + appArmorProfile: + type: RuntimeDefault +``` + +Here is an example that sets the AppArmor profile to a pre-configured profile +named `k8s-apparmor-example-deny-write`: + +```yaml +... +containers: +- name: container-1 + securityContext: + appArmorProfile: + type: Localhost + localhostProfile: k8s-apparmor-example-deny-write +``` + +For more details please see, [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/). + ## Assign SELinux labels to a Container To assign SELinux labels to a Container, include the `seLinuxOptions` field in diff --git a/content/en/docs/tutorials/_index.md b/content/en/docs/tutorials/_index.md index 97a3bacbdf..d9c865c5f7 100644 --- a/content/en/docs/tutorials/_index.md +++ b/content/en/docs/tutorials/_index.md @@ -49,7 +49,7 @@ Before walking through each tutorial, you may want to bookmark the * [Apply Pod Security Standards at Cluster level](/docs/tutorials/security/cluster-level-pss/) * [Apply Pod Security Standards at Namespace level](/docs/tutorials/security/ns-level-pss/) -* [AppArmor](/docs/tutorials/security/apparmor/) +* [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/) * [Seccomp](/docs/tutorials/security/seccomp/) ## {{% heading "whatsnext" %}}