I'm struggling with specifying correct parameter value for Azure policy named "Overriding or disabling of containers AppArmor profile should be restricted" - allowedProfiles
parameter.
From k8s docs, I can use kubectl exec <POD_NAME> --namespace="<NAMESPACE>" -- cat /proc/1/attr/current
to get to know what profiles are enabled. When running it against few pods, I can see mostly there is following profile enabled:
cri-containerd.apparmor.d
However, when I try to put that into policy parameter allowedProfiles
(value was [ "cri-containerd.apparmor.d" ]
) it does not make resource healthy. I was also trying with values in the parameter hint (i.e. [ "runtime/default", "docker/default"]
), but the effect was the same: still unhealthy resource.
Firstly, provide the allowed profile name(s) as an input for the constraint (policy). You can use the "runtime/default" if you want to use whatever is provided with AKS. Alternatively create your own AppArmor profile and pass it as allowed.
Secondly, in your YAML definitions (for Pods, Deployments, Jobs etc.) you need to make sure you are actualy using the AppArmor profile, i.e. for Pods: