In the earlier Pod Security Policy controller, it was possible to define a setting which would enable AppArmor for all the containers within a Pod so they may be assigned the desired profile. Assigning an AppArmor profile, accomplished via an annotation, is useful in that it allows secure defaults to be defined and may also result in passing other validation rules such as those in the Pod Security Standards. This policy mutates Pods to add an annotation for every container to enable AppArmor at the runtime/default level.
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-apparmor-annotations
  annotations:
    policies.kyverno.io/title: Add AppArmor Annotations
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod,Annotation
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      In the earlier Pod Security Policy controller, it was possible to define
      a setting which would enable AppArmor for all the containers within a Pod
      so they may be assigned the desired profile. Assigning an AppArmor profile,
      accomplished via an annotation, is useful in that it allows secure defaults
      to be defined and may also result in passing other validation rules such as
      those in the Pod Security Standards. This policy mutates Pods to add an
      annotation for every container to enable AppArmor at the runtime/default level.
spec:
  evaluation:
    admission:
      enabled: true
  matchConstraints:
    resourceRules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - pods
  variables:
  - name: allContainers
    expression: "object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])"
  mutations:
  - patchType: JSONPatch
    jsonPatch:
      expression: |
        !has(object.metadata.annotations) ?
          [JSONPatch{op: "add", path: "/metadata/annotations", value: {}}] : []
  - patchType: JSONPatch
    jsonPatch:
      expression: |
        variables.allContainers.map(c,
          JSONPatch{
            op: "add",
            path: "/metadata/annotations/" + jsonpatch.escapeKey("container.apparmor.security.beta.kubernetes.io/" + c.name),
            value: "runtime/default"
          })
```
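The policy above does two things that are easy to get wrong when writing or reviewing a mutation like this: it first creates `metadata.annotations` if the Pod has none (a JSON Patch `add` under a missing parent fails), and it runs the annotation key through `jsonpatch.escapeKey` because the key itself contains a `/`, which RFC 6901 requires to be written as `~1` inside a patch path. The following Python re-implements those two steps and a matching audit check so the behaviour can be exercised offline against a constructed Pod. This is an added example, not Kyverno code or part of the policy page; the `escape_key`, `build_patches`, `apply_patches` and `missing_apparmor` helpers and the `SAMPLE_POD` manifest are all constructed here.

```python
"""Added example: offline re-implementation of the add-apparmor-annotations
mutation and a matching audit check. Not part of Kyverno or of the policy page."""
import copy
import json

# Annotation prefix and default profile taken from the policy above.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
DEFAULT_PROFILE = "runtime/default"


def escape_key(key: str) -> str:
    """RFC 6901 path-segment escaping, the job jsonpatch.escapeKey does in CEL.
    '~' must be replaced before '/' so that '~1' in the result is unambiguous."""
    return key.replace("~", "~0").replace("/", "~1")


def unescape_key(segment: str) -> str:
    """Inverse of escape_key; RFC 6901 requires '~1' to be undone before '~0'."""
    return segment.replace("~1", "/").replace("~0", "~")


def all_containers(pod: dict) -> list:
    """Mirror of the policy's allContainers variable: regular, init and ephemeral."""
    spec = pod["spec"]
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def build_patches(pod: dict) -> list:
    """Produce the same JSON Patch list the two mutation rules would emit."""
    patches = []
    # Rule 1: create the annotations map only if it is absent.
    if "annotations" not in pod.get("metadata", {}):
        patches.append({"op": "add", "path": "/metadata/annotations", "value": {}})
    # Rule 2: one 'add' per container, key escaped because it contains '/'.
    for c in all_containers(pod):
        patches.append({
            "op": "add",
            "path": "/metadata/annotations/" + escape_key(APPARMOR_PREFIX + c["name"]),
            "value": DEFAULT_PROFILE,
        })
    return patches


def apply_patches(pod: dict, patches: list) -> dict:
    """Minimal JSON Patch applier for the 'add' operations this policy emits.
    Per RFC 6902, 'add' on an existing object member replaces its value."""
    out = copy.deepcopy(pod)
    for p in patches:
        if p["op"] != "add":
            raise ValueError("only 'add' is modelled here")
        parts = [unescape_key(seg) for seg in p["path"].lstrip("/").split("/")]
        node = out
        for seg in parts[:-1]:
            node = node.setdefault(seg, {})
        node[parts[-1]] = p["value"]
    return out


def missing_apparmor(pod: dict, allowed=(DEFAULT_PROFILE,)) -> list:
    """Audit check: names of containers without an allowed AppArmor annotation."""
    ann = pod.get("metadata", {}).get("annotations", {})
    return [c["name"] for c in all_containers(pod)
            if ann.get(APPARMOR_PREFIX + c["name"]) not in allowed]


# Constructed sample Pod: no annotations yet, one regular and one init container.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx"}],
        "initContainers": [{"name": "init-db", "image": "busybox"}],
    },
}

if __name__ == "__main__":
    patches = build_patches(SAMPLE_POD)
    print(json.dumps(patches, indent=2))
    print(json.dumps(apply_patches(SAMPLE_POD, patches)["metadata"], indent=2))
```

Two points fall out of running it. The generated path for the `web` container is `/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1web`; without the escaping the patch would try to descend into a `container.apparmor.security.beta.kubernetes.io` object that does not exist. And because the policy uses `op: add` unconditionally, a Pod that already carries an explicit profile for a container has it replaced with `runtime/default`; if some workloads legitimately need a `localhost/` profile, the policy needs a guard on the existing annotation or an exclusion for those Pods.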
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`.