| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 |
- # An example ConfigMap demonstrating how profiles can be stored as Kubernetes objects, and loaded by
- # the apparmor-loader DaemonSet.
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: apparmor-profiles
- namespace: apparmor
- data:
- # Filename k8s-nginx maps to the definition of the nginx profile.
- k8s-nginx: |-
- #include <tunables/global>
- # From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
- profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
- #include <abstractions/base>
- network inet tcp,
- network inet udp,
- network inet icmp,
- deny network raw,
- deny network packet,
- file,
- umount,
- deny /bin/** wl,
- deny /boot/** wl,
- deny /dev/** wl,
- deny /etc/** wl,
- deny /home/** wl,
- deny /lib/** wl,
- deny /lib64/** wl,
- deny /media/** wl,
- deny /mnt/** wl,
- deny /opt/** wl,
- deny /proc/** wl,
- deny /root/** wl,
- deny /sbin/** wl,
- deny /srv/** wl,
- deny /tmp/** wl,
- deny /sys/** wl,
- deny /usr/** wl,
- audit /** w,
- /var/run/nginx.pid w,
- /usr/sbin/nginx ix,
- deny /bin/dash mrwklx,
- deny /bin/sh mrwklx,
- deny /usr/bin/top mrwklx,
- capability chown,
- capability dac_override,
- capability setuid,
- capability setgid,
- capability net_bind_service,
- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
- deny @{PROC}/kmem rwklx,
- deny @{PROC}/kcore rwklx,
- deny mount,
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
- }
|
