Ensure containers are secured with AppArmor profile

Containers with no AppArmor profile - AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions by confining programs to a limited set of resources. AppArmor can be configured for any application to reduce its attack surface and add a layer of defense in depth. It is configured through profiles that allow-list the access a specific program or container needs, such as Linux capabilities, network access and file permissions. Each profile runs in either enforce mode, which blocks access to disallowed resources, or complain mode, which only reports violations. In Kubernetes 1.13 and 1.14 the profile is attached per container through the pod annotation container.apparmor.security.beta.kubernetes.io/<container_name>, whose value is runtime/default, localhost/<profile_name> or unconfined; the profile must already be loaded into the kernel of every node the pod can be scheduled on, and a value of unconfined disables AppArmor for that container even though an annotation is present.

Risk Level: Low
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.23
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should have annotations contain [ key regexMatch /container.apparmor.security.beta.kubernetes.io\/pod.*/ ]

REMEDIATION

To enable AppArmor for the containers in a pod, refer to the documentation - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
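The following is an added example, not CloudGuard's rule engine or Kubernetes code. It applies the GSL check above to pod objects in the shape that kubectl get pod -o json returns (modelled here as Python dicts), alongside a stricter per-container check and a remediation step that adds runtime/default where nothing is set. The sample pods are constructed for the example; the profile name k8s-apparmor-example-deny-write is the one used in the linked tutorial. Two points it makes visible: the printed regex, read literally, accepts only annotation keys whose container segment begins with pod, so a correctly annotated container called app is not matched, while an annotation of unconfined is matched even though it provides no confinement. The stricter check treats both as findings.

```python
import copy
import re

# Annotation key for the beta AppArmor feature in Kubernetes 1.13/1.14:
#   container.apparmor.security.beta.kubernetes.io/<container_name>
# Allowed values: runtime/default, localhost/<profile_name>, unconfined.
APPARMOR_KEY_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# The regex exactly as printed in the GSL logic on this page.
GSL_PATTERN = re.compile(r"container.apparmor.security.beta.kubernetes.io\/pod.*")

# Constructed sample pods (not real cluster data), in `kubectl get pod -o json` shape.
SAMPLE_PODS = {
    "no-profile": {
        "metadata": {"name": "no-profile"},
        "spec": {"containers": [{"name": "app", "image": "example/app"}]},
    },
    "runtime-default": {
        "metadata": {"name": "runtime-default",
                     "annotations": {APPARMOR_KEY_PREFIX + "app": "runtime/default"}},
        "spec": {"containers": [{"name": "app", "image": "example/app"}]},
    },
    "unconfined": {
        "metadata": {"name": "unconfined",
                     "annotations": {APPARMOR_KEY_PREFIX + "pod-app": "unconfined"}},
        "spec": {"containers": [{"name": "pod-app", "image": "example/app"}]},
    },
    "sidecar-missing": {
        "metadata": {"name": "sidecar-missing",
                     "annotations": {APPARMOR_KEY_PREFIX + "web":
                                     "localhost/k8s-apparmor-example-deny-write"}},
        "spec": {"containers": [{"name": "web", "image": "example/web"},
                                {"name": "sidecar", "image": "example/sidecar"}]},
    },
}


def _annotations(pod):
    """Return the pod's annotation map; a missing or null map counts as empty."""
    return pod.get("metadata", {}).get("annotations") or {}


def gsl_compliant(pod):
    """Literal reading of the GSL rule: some annotation key matches the printed regex."""
    return any(GSL_PATTERN.search(key) for key in _annotations(pod))


def apparmor_findings(pod):
    """Per-container check: every container must carry an annotation whose value
    names a real profile. Returns a list of findings; empty means the pod passes."""
    annotations = _annotations(pod)
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        name = container["name"]
        value = annotations.get(APPARMOR_KEY_PREFIX + name)
        if value is None:
            findings.append(f"{name}: no AppArmor annotation")
        elif value == "unconfined":
            findings.append(f"{name}: AppArmor explicitly disabled (unconfined)")
        elif value != "runtime/default" and not value.startswith("localhost/"):
            findings.append(f"{name}: unrecognised AppArmor profile reference {value!r}")
    return findings


def remediate(pod, profile="runtime/default"):
    """Return a copy of the pod with `profile` annotated on every container that has
    no annotation. Existing values, including 'unconfined', are left untouched so a
    deliberate choice is not silently overwritten; apparmor_findings still reports them."""
    fixed = copy.deepcopy(pod)
    metadata = fixed.setdefault("metadata", {})
    if not metadata.get("annotations"):
        metadata["annotations"] = {}
    annotations = metadata["annotations"]
    for container in fixed.get("spec", {}).get("containers", []):
        annotations.setdefault(APPARMOR_KEY_PREFIX + container["name"], profile)
    return fixed


def summarize(pods):
    """Map pod name -> (passes the literal GSL rule, per-container findings)."""
    return {name: (gsl_compliant(pod), apparmor_findings(pod)) for name, pod in pods.items()}


if __name__ == "__main__":
    for name, (gsl_ok, findings) in summarize(SAMPLE_PODS).items():
        print(f"{name:16} gsl={gsl_ok!s:5} findings={findings}")
    print("after remediation:", apparmor_findings(remediate(SAMPLE_PODS["no-profile"])))
```

The per-container check is the one to act on: an annotation only confines the container it names, so a pod with a confined main container and an unannotated sidecar still has an unconfined process in its network and IPC namespace.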

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage and network, and a specification for how to run the containers.

Compliance Frameworks

  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices