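# Source: k8s.io/kubernetes@v1.29.3/test/images/apparmor-loader/example-daemon.yaml
#
# Example DaemonSet demonstrating how the profile loader can be deployed onto a
# cluster to automatically load AppArmor profiles from a ConfigMap.
#
# Security notes for anyone adapting this example:
#   * The pod is privileged and mounts host paths, so it is node-level trusted
#     code. Under Pod Security Admission the namespace has to allow the
#     "privileged" level; keep unrelated workloads out of that namespace.
#   * Whoever can write the `apparmor-profiles` ConfigMap decides which profiles
#     are loaded into the kernel on every node. Restrict RBAC write access to
#     ConfigMaps in the `apparmor` namespace accordingly.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-loader
  # Namespace must match that of the ConfigMap.
  namespace: apparmor
  labels:
    daemon: apparmor-loader
spec:
  selector:
    matchLabels:
      daemon: apparmor-loader
  template:
    metadata:
      name: apparmor-loader
      labels:
        daemon: apparmor-loader
    spec:
      containers:
        - name: apparmor-loader
          # NOTE(review): `latest` is a mutable tag, and this image runs
          # privileged on every node. For real deployments pin an immutable
          # reference, e.g. google/apparmor-loader@sha256:<DIGEST-PLACEHOLDER>,
          # taken from an image you have built or verified yourself.
          image: google/apparmor-loader:latest
          args:
            # Tell the loader to poll the /profiles directory every 30 seconds.
            - '-poll'
            - '30s'
            - '/profiles'
          securityContext:
            # The loader needs elevated rights to load profiles into the kernel.
            # `privileged: true` is broader than "root": it grants all
            # capabilities and lifts most container isolation.
            # NOTE(review): profile loading presumably needs only CAP_MAC_ADMIN
            # plus access to the AppArmor interface under /sys; confirm against
            # the loader before narrowing this.
            privileged: true
          volumeMounts:
            # All three mounts are read-only inside the container.
            - name: sys
              mountPath: /sys
              readOnly: true
            - name: apparmor-includes
              mountPath: /etc/apparmor.d
              readOnly: true
            - name: profiles
              mountPath: /profiles
              readOnly: true
      volumes:
        # The /sys directory must be mounted to interact with the AppArmor
        # module.
        - name: sys
          hostPath:
            path: /sys
        # The /etc/apparmor.d directory is required for most AppArmor include
        # templates.
        - name: apparmor-includes
          hostPath:
            path: /etc/apparmor.d
        # Map in the profile data. The ConfigMap contents are the trust
        # boundary: every file in it is handed to the loader.
        - name: profiles
          configMap:
            name: apparmor-profiles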