Missing AppArmor Profile

  • Query id: 8b36775e-183d-4d46-b0f7-96a6f34a723f
  • Query name: Missing AppArmor Profile
  • Platform: Kubernetes
  • Severity: Low
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-1
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello1: dummy
    container.apparmor.security.beta.kubernetes.io/hello2: dummy
spec:
  containers:
  - name: hello1
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
  - name: hello2
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
  - name: hello3
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-test1
  namespace: testns
  labels:
    deployment: ubuntu-1
spec:
  replicas: 1
  selector:
    matchLabels:
      container: ubuntu-1
  template:
    metadata:
      labels:
        container: ubuntu-1
      annotations:
        container.apparmor.security.beta.kubernetes.io/ubuntu-1-container: dummy
    spec:
      containers:
      - name: ubuntu-1-container
        image: 0x010/ubuntu-w-utils:latest

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-2positive
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-allow-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]