
Support AppArmor profile unconfined

Open JWT95 opened this issue 2 years ago • 2 comments

ISSUE TYPE
  • [ ] Bug Report
  • [X] Feature Idea

FEATURE IDEA

Proposal: Currently, kubeaudit does not support annotations of the form: container.apparmor.security.beta.kubernetes.io/<container>: unconfined. It errors with: Message: AppArmor is disabled. This can't be overriden because kubeaudit doesn't support apparmor override errors.

But the unconfined profile is supported by k8s and may be used for containers that need access to /proc but can't use localhost profiles.

kubeaudit should either support the unconfined profile or allow overrides for apparmor. I think the same applies for seccomp.

JWT95 avatar Jun 10 '22 16:06 JWT95

Thanks for opening your first issue here! Be sure to follow the issue template!

ghost avatar Jun 10 '22 16:06 ghost

Why not both? 🙂 If you are interested in contributing, we would be happy to accept this change.

EDIT: Actually, since unconfined runs apparmor with no security profile, I think we want to discourage this. We should introduce an override label.

genevieveluyt avatar Jun 10 '22 16:06 genevieveluyt
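
The behaviour discussed in this thread, sketched as an added example (not part of the thread and not kubeaudit's own code): a per-container check that accepts `runtime/default` and `localhost/<profile>`, and reports `unconfined` unless an override label carries a reason. The override label key and the verdict strings are hypothetical; the thread proposes an override label but does not name one.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation key prefix Kubernetes uses for per-container AppArmor profiles.
const appArmorPrefix = "container.apparmor.security.beta.kubernetes.io/"

// Hypothetical override label prefix (assumption; not a real kubeaudit label).
const overridePrefix = "example.invalid/allow-apparmor-unconfined."

// auditAppArmor classifies the AppArmor annotation of one container.
func auditAppArmor(container string, annotations, labels map[string]string) string {
	profile, ok := annotations[appArmorPrefix+container]
	switch {
	case !ok:
		return "missing" // no annotation for this container
	case profile == "runtime/default":
		return "ok"
	case strings.HasPrefix(profile, "localhost/") && len(profile) > len("localhost/"):
		return "ok" // named profile loaded on the node
	case profile == "unconfined":
		// Unconfined passes only when a non-empty reason is recorded.
		if strings.TrimSpace(labels[overridePrefix+container]) != "" {
			return "overridden"
		}
		return "unconfined"
	default:
		return "invalid" // unknown value, including a bare "localhost/"
	}
}

func main() {
	// Constructed sample pod metadata.
	ann := map[string]string{appArmorPrefix + "agent": "unconfined", appArmorPrefix + "web": "runtime/default"}
	lbl := map[string]string{overridePrefix + "agent": "needs-proc-access"}
	for _, c := range []string{"agent", "web", "sidecar"} {
		fmt.Printf("%s: %s\n", c, auditAppArmor(c, ann, lbl))
	}
}
```

With the constructed metadata, `agent` is reported as overridden, `web` as ok, and `sidecar` as missing; removing the label turns `agent` into an unconfined finding.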