Restrict AppArmor

On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent overriding or disabling that profile, or restrict overrides to an allowed set of profiles. This policy ensures Pods do not specify any AppArmor profile other than `runtime/default` or `localhost/*` through the `container.apparmor.security.beta.kubernetes.io/<container-name>` annotation; a Pod with no such annotation passes. Note that the policy as shipped uses `validationFailureAction: audit`, so non-compliant Pods are reported in policy reports rather than rejected; switch it to `enforce` to block them. The rule inspects only the annotation: on Kubernetes 1.30 and later a profile can also be set through the `securityContext.appArmorProfile` field, which this rule does not check.

Policy Definition

/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-apparmor-profiles
  annotations:
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/minversion: 1.3.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: app-armor
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed. The annotation
          `container.apparmor.security.beta.kubernetes.io` if defined
          must not be set to anything other than `runtime/default` or `localhost/*`.
        pattern:
          =(metadata):
            =(annotations):
              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
```
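To make the pattern semantics concrete, the following is an added example (not part of the Kyverno policy or project) that re-implements the same check in plain Python over Pod manifests built inline for the demonstration. It mirrors the three things the pattern encodes: the `=(...)` anchors make `metadata` and `annotations` optional, the key wildcard `container.apparmor.security.beta.kubernetes.io/*` matches one annotation per container, and the value `"runtime/default | localhost/*"` is an alternation where `*` is a wildcard. The function names, the sample Pods and the reported message format are assumptions of this example.

```python
"""Stand-alone re-implementation of the restrict-apparmor-profiles check.

Added example: this is not Kyverno's code. It applies the same rule the
ClusterPolicy above expresses as a pattern, so the two can be compared.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Per-container annotation key prefix matched by the policy's key wildcard.
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# The pattern value "runtime/default | localhost/*": '|' separates
# alternatives and '*' is a wildcard, so each alternative is a glob.
ALLOWED_PATTERNS = ("runtime/default", "localhost/*")


def allowed_profile(value: str) -> bool:
    """True when the profile string matches one of the allowed patterns."""
    return any(fnmatchcase(value, pattern) for pattern in ALLOWED_PATTERNS)


def apparmor_violations(pod: dict) -> List[str]:
    """Return one message per AppArmor annotation whose profile is disallowed.

    metadata and annotations are optional, exactly like the =(...) anchors in
    the policy, so a Pod that sets no AppArmor annotation has no violations.
    Annotations that are not AppArmor annotations are ignored.
    """
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    violations = []
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        if not isinstance(value, str) or not allowed_profile(value):
            container = key[len(ANNOTATION_PREFIX):]
            violations.append(
                f"container {container!r}: AppArmor profile {value!r} "
                "is not runtime/default or localhost/*"
            )
    return violations


def evaluate(pods: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run the check over a set of Pods, keyed by a label for the sample."""
    return {name: apparmor_violations(pod) for name, pod in pods.items()}


# Constructed sample Pods (assumptions of this example, not real workloads).
PODS: Dict[str, dict] = {
    # No annotations at all: the optional anchors let this pass.
    "no-annotation": {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "plain"},
        "spec": {"containers": [{"name": "app", "image": "nginx"}]},
    },
    # Explicitly requests the runtime default profile: allowed.
    "runtime-default": {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {
            "name": "default-profile",
            "annotations": {ANNOTATION_PREFIX + "app": "runtime/default"},
        },
        "spec": {"containers": [{"name": "app", "image": "nginx"}]},
    },
    # Node-local custom profile: allowed by the localhost/* alternative.
    "localhost-custom": {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {
            "name": "custom-profile",
            "annotations": {ANNOTATION_PREFIX + "app": "localhost/k8s-nginx"},
        },
        "spec": {"containers": [{"name": "app", "image": "nginx"}]},
    },
    # Two containers, one of which disables AppArmor: exactly one violation.
    "mixed": {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {
            "name": "mixed",
            "annotations": {
                ANNOTATION_PREFIX + "app": "runtime/default",
                ANNOTATION_PREFIX + "sidecar": "unconfined",
                "some.other/annotation": "ignored",
            },
        },
        "spec": {"containers": [{"name": "app"}, {"name": "sidecar"}]},
    },
}


if __name__ == "__main__":
    for name, found in evaluate(PODS).items():
        print(f"{name}: {'pass' if not found else found}")
```

Run against the constructed Pods, only the `mixed` Pod is reported, and only for its `sidecar` container; the Pod with no annotation passes because the policy treats the whole `metadata.annotations` path as optional. Note that `unconfined` is the value that disables AppArmor entirely, which is the case the Baseline standard is primarily meant to stop.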