# Example ConfigMap holding AppArmor profiles as Kubernetes objects. The apparmor-loader
# DaemonSet mounts this ConfigMap and loads each entry under `data` as a profile file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
  namespace: apparmor
data:
  # The data key (k8s-nginx) is the filename the loader writes out; the profile declared
  # inside it carries the same name, which is what workloads reference.
  k8s-nginx: |-
    #include <tunables/global>

    # From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
    profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/base>

      # Networking: inet tcp/udp/icmp only; raw and packet sockets are explicitly denied.
      network inet tcp,
      network inet udp,
      network inet icmp,

      deny network raw,

      deny network packet,

      # Broad file access is granted up front; the deny rules below carve out the
      # system directories (w = write, l = link). Explicit deny always wins over allow.
      file,
      umount,

      deny /bin/** wl,
      deny /boot/** wl,
      deny /dev/** wl,
      deny /etc/** wl,
      deny /home/** wl,
      deny /lib/** wl,
      deny /lib64/** wl,
      deny /media/** wl,
      deny /mnt/** wl,
      deny /opt/** wl,
      deny /proc/** wl,
      deny /root/** wl,
      deny /sbin/** wl,
      deny /srv/** wl,
      deny /tmp/** wl,
      deny /sys/** wl,
      deny /usr/** wl,

      # Every write that is still permitted gets logged to the audit subsystem.
      audit /** w,

      /var/run/nginx.pid w,

      # nginx runs under this same profile (ix = inherit on exec).
      /usr/sbin/nginx ix,

      # Shells and top are denied outright (m = mmap, r, w, k = lock, l = link, x = exec).
      deny /bin/dash mrwklx,
      deny /bin/sh mrwklx,
      deny /usr/bin/top mrwklx,

      # Capabilities nginx needs to bind a privileged port and drop to its worker user.
      capability chown,
      capability dac_override,
      capability setuid,
      capability setgid,
      capability net_bind_service,

      # @{PROC} comes from tunables/global. Block the dangerous /proc entries,
      # mounting, and everything under /sys except the /sys/fs/cgroup subtree.
      deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
      deny @{PROC}/sysrq-trigger rwklx,
      deny @{PROC}/mem rwklx,
      deny @{PROC}/kmem rwklx,
      deny @{PROC}/kcore rwklx,
      deny mount,
      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
      deny /sys/firmware/efi/efivars/** rwklx,
      deny /sys/kernel/security/** rwklx,
    }