question

IamCoder-6455 asked · srbose-msft edited

How to fix the security recommendation "Overriding or disabling of containers AppArmor profile should be restricted"

Hello Team,


I am getting the Azure Policy security recommendation "Overriding or disabling of containers AppArmor profile should be restricted". I have applied the annotation below as suggested here:

annotations:
  container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default

https://docs.microsoft.com/en-us/azure/security-center/kubernetes-workload-protections#healthy-deployment-example-yaml-file

But still the security recommendation persists. Is there anything else I need to do?


apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
  namespace: my-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
      annotations:
        container.apparmor.security.beta.kubernetes.io/azure-vote-back: runtime/default
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 100m
            memory: 128Mi
        ports:
        - containerPort: 6379
          name: redis
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000

Tags: azure-kubernetes-service · azure-security-center

Hello,

Did you create the AppArmor profile on the AKS host node pool?


Yes, I have created it.


include <tunables/global>

profile default flags=(attach_disconnected,mediate_deleted) {

  include <abstractions/base>

  ptrace peer=@{profile_name},

  network,
  capability,
  file,
  umount,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}


I'm using this profile, which is not working for me. Can you recommend a less tight profile config?
Thank you.


1 Answer

srbose-msft answered · srbose-msft edited

@IamCoder-6455 , thank you for your question. We regret the delayed response and any inconvenience it may have caused.

Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation "Container images should be deployed only from trusted registries", you'll have to define your trusted registries.

If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.


[Reference]

By default, the Policy definition for "Kubernetes cluster containers should only use allowed AppArmor profiles" has an empty list specified for allowedProfiles:

...
"allowedProfiles": {
  "type": "Array",
  "metadata": {
    "displayName": "Allowed AppArmor profiles",
    "description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
  },
  "defaultValue": []
},
...

So, if you are using the profile runtime/default, you have to modify the security policy to add it to the allowedProfiles array.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
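Added example (editor's code, not part of the question or the answer above): a stand-alone re-implementation of the check behind "Kubernetes cluster containers should only use allowed AppArmor profiles", run against the Deployment from the question. The Azure Policy add-on enforces this recommendation through a Gatekeeper constraint; the logic below follows the gatekeeper-library pspapparmor template as I read it: the per-container annotation `container.apparmor.security.beta.kubernetes.io/<container>` is looked up, a container with no annotation is treated as `runtime/default`, and any profile that is not in `allowedProfiles` is a violation. With the default empty list the question's workload is flagged even though it is annotated with `runtime/default`, which is exactly the symptom in the question. The second template is a constructed variant that references a profile loaded on the node under the name `default`, which Kubernetes addresses as `localhost/default`, to show that a node-local profile needs its own allowedProfiles entry; `runtime/default` only covers the container runtime's built-in profile. The `build_policy_parameters` helper and the parameter JSON shape (`{"allowedProfiles": {"value": [...]}}`, the document passed with `az policy assignment create --params`) are my additions.

```python
import json

# Annotation prefix used by Kubernetes for per-container AppArmor profiles.
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def apparmor_profile_for(container_name, annotations):
    """Return the AppArmor profile the policy check attributes to a container.

    A missing annotation is treated as the runtime's default profile, mirroring
    the gatekeeper-library pspapparmor template (assumption stated in the lead-in).
    """
    return annotations.get(ANNOTATION_PREFIX + container_name, "runtime/default")


def evaluate(pod_template, allowed_profiles):
    """Return a list of violation messages; an empty list means the workload is compliant."""
    annotations = pod_template.get("metadata", {}).get("annotations") or {}
    spec = pod_template["spec"]
    # The constraint checks regular and init containers alike.
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    violations = []
    for container in containers:
        profile = apparmor_profile_for(container["name"], annotations)
        if profile not in allowed_profiles:
            violations.append(
                f"container {container['name']!r}: AppArmor profile {profile!r} "
                f"is not in allowedProfiles {list(allowed_profiles)}"
            )
    return violations


def build_policy_parameters(allowed_profiles):
    """Parameter document for the policy assignment (hypothetical helper).

    This is the shape of the JSON passed to `az policy assignment create --params`;
    only the allowedProfiles parameter is populated here.
    """
    return {"allowedProfiles": {"value": list(allowed_profiles)}}


# Constructed input: the pod template from the question's Deployment,
# reduced to the fields the check reads.
AZURE_VOTE_BACK_TEMPLATE = {
    "metadata": {
        "labels": {"app": "azure-vote-back"},
        "annotations": {ANNOTATION_PREFIX + "azure-vote-back": "runtime/default"},
    },
    "spec": {"containers": [{"name": "azure-vote-back", "image": "redis"}]},
}

# Constructed variant: same workload, but annotated with a profile loaded on the
# node under the (hypothetical) name "default", which is referenced as localhost/default.
LOCALHOST_PROFILE_TEMPLATE = {
    "metadata": {
        "annotations": {ANNOTATION_PREFIX + "azure-vote-back": "localhost/default"},
    },
    "spec": {"containers": [{"name": "azure-vote-back", "image": "redis"}]},
}


if __name__ == "__main__":
    # Default parameter value is [], so everything is blocked, runtime/default included.
    print("allowedProfiles=[]:", evaluate(AZURE_VOTE_BACK_TEMPLATE, []))
    # After customizing the assignment as the answer describes, the workload is healthy.
    print("allowedProfiles=['runtime/default']:",
          evaluate(AZURE_VOTE_BACK_TEMPLATE, ["runtime/default"]))
    # A node-local profile is not covered by runtime/default and needs its own entry.
    print("localhost/default vs ['runtime/default']:",
          evaluate(LOCALHOST_PROFILE_TEMPLATE, ["runtime/default"]))
    print("localhost/default vs both:",
          evaluate(LOCALHOST_PROFILE_TEMPLATE, ["runtime/default", "localhost/default"]))
    # Parameter JSON to pass to the assignment.
    print("params:", json.dumps(build_policy_parameters(["runtime/default"])))
```

The useful check for a practitioner is the last case: allowing `runtime/default` fixes the question's Deployment, but a workload that is moved onto a custom profile loaded on the node must reference it as `localhost/<name>` and that exact string must also be added to `allowedProfiles`, or the recommendation comes back.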

