vendor/k8s.io/kubernetes/test/images/apparmor-loader/example-configmap.yaml - cloudstack-kubernetes-provider - Git at Google

 # An example ConfigMap demonstrating how profiles can be stored as Kubernetes objects, and loaded by
 # the apparmor-loader DaemonSet.

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: apparmor-profiles
   namespace: apparmor
 data:
   # Filename k8s-nginx maps to the definition of the nginx profile.
   k8s-nginx: |-
     #include <tunables/global>

     # From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
     profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
       #include <abstractions/base>

       network inet tcp,
       network inet udp,
       network inet icmp,

       deny network raw,

       deny network packet,

       file,
       umount,

       deny /bin/** wl,
       deny /boot/** wl,
       deny /dev/** wl,
       deny /etc/** wl,
       deny /home/** wl,
       deny /lib/** wl,
       deny /lib64/** wl,
       deny /media/** wl,
       deny /mnt/** wl,
       deny /opt/** wl,
       deny /proc/** wl,
       deny /root/** wl,
       deny /sbin/** wl,
       deny /srv/** wl,
       deny /tmp/** wl,
       deny /sys/** wl,
       deny /usr/** wl,

       audit /** w,

       /var/run/nginx.pid w,

       /usr/sbin/nginx ix,

       deny /bin/dash mrwklx,
       deny /bin/sh mrwklx,
       deny /usr/bin/top mrwklx,

       capability chown,
       capability dac_override,
       capability setuid,
       capability setgid,
       capability net_bind_service,

       deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
       deny @{PROC}/sysrq-trigger rwklx,
       deny @{PROC}/mem rwklx,
       deny @{PROC}/kmem rwklx,
       deny @{PROC}/kcore rwklx,
       deny mount,
       deny /sys/[^f]*/** wklx,
       deny /sys/f[^s]*/** wklx,
       deny /sys/fs/[^c]*/** wklx,
       deny /sys/fs/c[^g]*/** wklx,
       deny /sys/fs/cg[^r]*/** wklx,
       deny /sys/firmware/efi/efivars/** rwklx,
       deny /sys/kernel/security/** rwklx,
     }
	# An example ConfigMap demonstrating how profiles can be stored as Kubernetes objects, and loaded by
	# the apparmor-loader DaemonSet.

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: apparmor-profiles
	namespace: apparmor
	data:
	# Filename k8s-nginx maps to the definition of the nginx profile.
	k8s-nginx: \|-
	#include <tunables/global>

	# From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
	profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
	#include <abstractions/base>

	network inet tcp,
	network inet udp,
	network inet icmp,

	deny network raw,

	deny network packet,

	file,
	umount,

	deny /bin/** wl,
	deny /boot/** wl,
	deny /dev/** wl,
	deny /etc/** wl,
	deny /home/** wl,
	deny /lib/** wl,
	deny /lib64/** wl,
	deny /media/** wl,
	deny /mnt/** wl,
	deny /opt/** wl,
	deny /proc/** wl,
	deny /root/** wl,
	deny /sbin/** wl,
	deny /srv/** wl,
	deny /tmp/** wl,
	deny /sys/** wl,
	deny /usr/** wl,

	audit /** w,

	/var/run/nginx.pid w,

	/usr/sbin/nginx ix,

	deny /bin/dash mrwklx,
	deny /bin/sh mrwklx,
	deny /usr/bin/top mrwklx,

	capability chown,
	capability dac_override,
	capability setuid,
	capability setgid,
	capability net_bind_service,

	deny @{PROC}/{,^[0-9],sys/kernel/shm*} wkx,
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/mem rwklx,
	deny @{PROC}/kmem rwklx,
	deny @{PROC}/kcore rwklx,
	deny mount,
	deny /sys/[^f]/* wklx,
	deny /sys/f[^s]/* wklx,
	deny /sys/fs/[^c]/* wklx,
	deny /sys/fs/c[^g]/* wklx,
	deny /sys/fs/cg[^r]/* wklx,
	deny /sys/firmware/efi/efivars/** rwklx,
	deny /sys/kernel/security/** rwklx,
	}