# An example ConfigMap demonstrating how profiles can be stored as Kubernetes objects, and loaded by
# the apparmor-loader DaemonSet.
#
# This object only *stores* profile text; nothing here enables AppArmor on a pod. The loader
# DaemonSet is expected to read the keys under `data` and hand them to the AppArmor parser
# (see the key comment below); pods then reference the profile by its name.

apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
  # NOTE(review): the loader DaemonSet must be pointed at this namespace/name to pick the
  # profiles up — presumably via a ConfigMap volume; confirm against the DaemonSet manifest.
  namespace: apparmor
data:
  # Filename k8s-nginx maps to the definition of the nginx profile.
  #
  # The key is used as the file name the profile is written under, and the `profile k8s-nginx`
  # line inside it is the name AppArmor registers; keep the two consistent so the profile a pod
  # asks for is the one that was loaded.
  #
  # Reading the profile (AppArmor semantics, not specific to this file):
  #   - `file,` grants access to all files; the `deny ... wl` rules beneath it then remove
  #     write (w) and link (l) rights under the listed system directories. In AppArmor, deny
  #     rules take precedence over allow rules, so the denies narrow the blanket grant.
  #   - `audit /** w,` logs any write that is still permitted, which is useful for spotting
  #     writes outside the expected paths (e.g. /var/run/nginx.pid).
  #   - `/usr/sbin/nginx ix,` lets the nginx binary execute while inheriting this profile;
  #     `deny ... mrwklx` on /bin/sh, /bin/dash and /usr/bin/top blocks shells and top
  #     entirely (mmap, read, write, lock, link, execute).
  #   - Only five capabilities are granted (chown, dac_override, setuid, setgid,
  #     net_bind_service); everything else is implicitly denied.
  #   - The @{PROC} and /sys rules deny sensitive kernel interfaces (mem, kmem, kcore,
  #     sysrq-trigger, efivars, kernel/security, non-cgroup sysfs subtrees) and `deny mount,`
  #     complements the `umount,` allow above it.
  #   - Profile flags: attach_disconnected/mediate_deleted are the same flags the upstream
  #     bane sample uses; they affect how disconnected and deleted paths are mediated.
  #
  # `|-` strips the final newline from the stored text; the content below is data, so any
  # edit to it changes the profile that gets loaded.
  k8s-nginx: |-
    #include <tunables/global>

    # From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
    profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/base>

      network inet tcp,
      network inet udp,
      network inet icmp,

      deny network raw,

      deny network packet,

      file,
      umount,

      deny /bin/** wl,
      deny /boot/** wl,
      deny /dev/** wl,
      deny /etc/** wl,
      deny /home/** wl,
      deny /lib/** wl,
      deny /lib64/** wl,
      deny /media/** wl,
      deny /mnt/** wl,
      deny /opt/** wl,
      deny /proc/** wl,
      deny /root/** wl,
      deny /sbin/** wl,
      deny /srv/** wl,
      deny /tmp/** wl,
      deny /sys/** wl,
      deny /usr/** wl,

      audit /** w,

      /var/run/nginx.pid w,

      /usr/sbin/nginx ix,

      deny /bin/dash mrwklx,
      deny /bin/sh mrwklx,
      deny /usr/bin/top mrwklx,

      capability chown,
      capability dac_override,
      capability setuid,
      capability setgid,
      capability net_bind_service,

      deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
      deny @{PROC}/sysrq-trigger rwklx,
      deny @{PROC}/mem rwklx,
      deny @{PROC}/kmem rwklx,
      deny @{PROC}/kcore rwklx,
      deny mount,
      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
      deny /sys/firmware/efi/efivars/** rwklx,
      deny /sys/kernel/security/** rwklx,
    }