Missing App Armor Config

  • Query id: bd6bd46c-57db-4887-956d-d372f21291b6
  • Query name: Missing App Armor Config
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github


Containers should be configured with an AppArmor profile to reduce the application's potential attack surface. Kubernetes applies AppArmor per container through the pod annotation "container.apparmor.security.beta.kubernetes.io/<container_name>", whose value is "runtime/default", "unconfined", or "localhost/<profile_name>" for a profile that is already loaded on the node. This query flags kubernetes_pod resources whose metadata annotations carry no AppArmor annotation; a differently spelled key such as "container.apparmor" is ignored by the kubelet and is flagged as well. The samples below exercise the annotation form only; Kubernetes 1.30 and later also expose AppArmor through the securityContext.appArmorProfile field, so confirm that your scanner recognizes whichever form you deploy.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "kubernetes_pod" "example1" {
  metadata {
    name = "terraform-example1"
    # Flagged: "container.apparmor" is not the Kubernetes AppArmor annotation
    # key, so the kubelet ignores it and no profile is applied.
    annotations = {
      "container.apparmor" = "localhost"
    }
  }

  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["", "", ""]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}

resource "kubernetes_pod" "example2" {
  # Flagged: the pod metadata carries no AppArmor annotation at all.
  metadata {
    name = "terraform-example2"
  }

  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["", "", ""]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "kubernetes_pod" "test" {
  metadata {
    name = "terraform-example"
    # Passes the query: an AppArmor annotation is present. For the kubelet to
    # actually enforce it, the key must be suffixed with the container name
    # (container.apparmor.security.beta.kubernetes.io/example) and the
    # localhost/ profile must already be loaded on every node the pod can
    # schedule to.
    annotations = {
      "container.apparmor.security.beta.kubernetes.io" = "localhost/k8s-apparmor-example-allow-write"
    }
  }

  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["", "", ""]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}
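The following is an added example, not the KICS query itself (which is written in Rego) and not code from the Terraform samples above. It shows the check a practitioner would want beyond "is some AppArmor annotation present": for every container in a pod, look up the per-container annotation key that the kubelet actually honours, and validate that its value is one of the forms Kubernetes accepts. The three sample pods are constructed to mirror the page's test cases, rendered in Kubernetes manifest shape rather than HCL; note that the constructed passing pod uses the container-name-suffixed key, which the page's negative sample omits. The function and constant names are this example's own.

```python
"""Added example: validate per-container AppArmor annotations on a pod.

Kubernetes enforces AppArmor through a pod annotation keyed per container:
  container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>
where <profile_ref> is "runtime/default", "unconfined", or "localhost/<profile>".
"""
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Accepted value forms; a localhost profile name may not contain "/" or whitespace.
PROFILE_RE = re.compile(r"^(runtime/default|unconfined|localhost/[^/\s]+)$")


def apparmor_findings(pod):
    """Return a list of (container_name, message) findings for `pod`, a dict in
    Kubernetes manifest shape. An empty list means every container carries a
    well-formed, enforcing AppArmor annotation. The container name "*" marks a
    pod-level finding that is not tied to one container."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    containers = (pod.get("spec") or {}).get("containers") or []
    findings = []

    # Keys that look like AppArmor annotations but do not use the real prefix
    # (e.g. "container.apparmor") are silently ignored by the kubelet.
    for key in annotations:
        if "apparmor" in key and not key.startswith(ANNOTATION_PREFIX):
            findings.append(("*", f"annotation {key!r} is not the Kubernetes AppArmor annotation"))

    for container in containers:
        name = container.get("name", "")
        value = annotations.get(ANNOTATION_PREFIX + name)
        if value is None:
            findings.append((name, "no AppArmor profile annotation for this container"))
        elif not PROFILE_RE.match(value):
            findings.append((name, f"invalid AppArmor profile reference {value!r}"))
        elif value == "unconfined":
            findings.append((name, "AppArmor explicitly disabled (unconfined)"))
    return findings


# Constructed sample pods mirroring the page's three Terraform resources.
SAMPLE_PODS = {
    # Malformed key: flagged at pod level and again per container.
    "example1": {
        "metadata": {"name": "terraform-example1",
                     "annotations": {"container.apparmor": "localhost"}},
        "spec": {"containers": [{"name": "example", "image": "nginx:1.7.9"}]},
    },
    # No annotation at all: flagged per container.
    "example2": {
        "metadata": {"name": "terraform-example2"},
        "spec": {"containers": [{"name": "example", "image": "nginx:1.7.9"}]},
    },
    # Per-container key with a node-local profile: passes.
    "test": {
        "metadata": {"name": "terraform-example",
                     "annotations": {ANNOTATION_PREFIX + "example":
                                     "localhost/k8s-apparmor-example-allow-write"}},
        "spec": {"containers": [{"name": "example", "image": "nginx:1.7.9"}]},
    },
}


if __name__ == "__main__":
    for pod_name, pod in SAMPLE_PODS.items():
        result = apparmor_findings(pod)
        status = "PASS" if not result else "FAIL"
        print(f"{status} {pod_name}")
        for container, message in result:
            print(f"  [{container}] {message}")
```

A "localhost/" reference only means the pod asks for that profile; the profile still has to be loaded into the kernel on every node, or the pod will fail to start, so pair this static check with a node-side inventory of loaded profiles.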