This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello Team,
I am getting Azure Policy security recommendation "Overriding or disabling of containers AppArmor profile should be restricted". I have applied below annotation as suggested here,
annotations:
container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default
But still the security recommendation persists. Is there anything else I need to do?
apiVersion: apps/v1
kind: Deployment
metadata:
name: azure-vote-back
namespace: my-dev
spec:
replicas: 1
selector:
matchLabels:
app: azure-vote-back
template:
metadata:
labels:
app: azure-vote-back
annotations:
container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default
spec:
containers:
- name: azure-vote-back
image: redis
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 100m
memory: 128Mi
ports:
- containerPort: 6379
name: redis
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
Hello,
Did you create the apparmor profile on AKS Host Node Pool?
yes i have created
profile default flags=(attach_disconnected,mediate_deleted) {
ptrace peer=@{profile_name},
network,
capability,
file,
umount,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
}
I'm using this profile which is not working for me can you recommend a less tight profile config
thank you
yes I have created
@@IamCoder , thank you for your question. We regret the delayed response and any inconvenience it may have caused.
Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you'll have to define your trusted registries.
If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.
By default the Policy definition for Kubernetes cluster containers should only use allowed AppArmor profiles has an empty list specified for allowedProfiles:
...
"allowedProfiles": {
"type": "Array",
"metadata": {
"displayName": "Allowed AppArmor profiles",
"description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
},
"defaultValue": []
},
...
So, if you are using the profile runtime/default you have to modify the security policy to add the same in the allowedProfiles array.
----------
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.