Enable default seccomp and apparmor profiles, cluster level

10/29/2018

Can I enable, on the cluster level, for the pods to use default seccomp and apparmor profiles, or do I need to make an admission controller of my own to insert the annotation into the objects?

Leaving it to users is not an option.

-- Ijaz Ahmad Khan
apparmor
kubernetes
seccomp

1 Answer

10/29/2018

There is already the PodSecurityPolicy object, which is essentially an implementation of an admission controller. You can control the seccomp and apparmor profiles using annotations in the PodSecurityPolicy:

For example (as described in the docs), notice the 'default' in the annotation:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
spec:
...

Note that Seccomp is alpha and Apparmor is beta as of this writing.

-- Rico
Source: StackOverflow