# Missing App Armor Config

- Query id: 95588189-1abd-4df1-9588-b0a5034f9e87
- Query name: Missing App Armor Config
- Platform: Pulumi
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github

## Description

Containers should be configured with AppArmor for any application to reduce its potential attack

The query reports a `kubernetes:core/v1:Pod` resource whose `metadata.annotations` carries no `container.apparmor.security.beta.kubernetes.io` annotation, so no AppArmor profile is applied to its containers; the samples below differ only in that annotation.

Documentation

## Code samples

### Code samples with security vulnerabilities
#### Positive test num. 1 - yaml file

```yaml
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:   # empty: no AppArmor profile is applied
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
              - containerPort: 80
---
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:        # no annotations block at all
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
              - containerPort: 80
---
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:
          # misspelled key: not the AppArmor annotation, so it is ignored
          container.notapparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
              - containerPort: 80
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - yaml file

```yaml
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:
          # AppArmor annotation present: the query does not report this Pod
          container.apparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write
          container.apparmor.security.beta.kubernetes.io2: localhost/k8s-apparmor-example-allow-write
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
              - containerPort: 80
```
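The following checker is an added example and is not KICS's own Rego query; it walks a Pulumi YAML program that has already been parsed into a Python dict (the shape `yaml.safe_load` returns for the samples above, constructed inline here so the block runs offline) and reports each container of a `kubernetes:core/v1:Pod` resource with no AppArmor profile. It is deliberately stricter than the page's samples in two ways: it requires the per-container key `container.apparmor.security.beta.kubernetes.io/<container name>`, which is the only form the kubelet honours, so the bare prefix used in the negative sample is reported; and it also accepts the `securityContext.appArmorProfile` field that Kubernetes 1.30+ provides in place of the annotation. The helper `pod_program` and the `PROFILE` constant are assumptions for building test inputs.

```python
"""Added example, not KICS's own Rego query: a minimal checker that walks a
parsed Pulumi YAML program and reports each container of a
kubernetes:core/v1:Pod resource that has no AppArmor profile configured."""
from typing import Any, Dict, List, Optional

POD_TYPE = "kubernetes:core/v1:Pod"
# Legacy per-container annotation; the kubelet only honours the form
# "<prefix>/<container name>", so a bare prefix key is not counted here.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io"


def container_has_apparmor(props: Dict[str, Any], container: Dict[str, Any]) -> bool:
    """True if the container receives an AppArmor profile via the legacy
    annotation or via securityContext.appArmorProfile (Kubernetes 1.30+,
    settable at pod or container level)."""
    annotations = (props.get("metadata") or {}).get("annotations") or {}
    if f"{APPARMOR_PREFIX}/{container.get('name')}" in annotations:
        return True
    spec = props.get("spec") or {}
    for sc in (spec.get("securityContext") or {}, container.get("securityContext") or {}):
        if sc.get("appArmorProfile"):
            return True
    return False


def find_pods_missing_apparmor(program: Dict[str, Any]) -> List[str]:
    """Return '<resource>/<container>' ids that lack an AppArmor profile."""
    findings: List[str] = []
    for res_name, res in (program.get("resources") or {}).items():
        if not isinstance(res, dict) or res.get("type") != POD_TYPE:
            continue
        props = res.get("properties") or {}
        for c in (props.get("spec") or {}).get("containers") or []:
            if not container_has_apparmor(props, c):
                findings.append(f"{res_name}/{c.get('name', '<unnamed>')}")
    return findings


def pod_program(annotations: Any,
                pod_security_context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Constructed input (hypothetical helper): the structure yaml.safe_load
    would return for a one-Pod Pulumi YAML program shaped like the page's samples."""
    spec: Dict[str, Any] = {"containers": [{"image": "nginx:1.14.2", "name": "nginx",
                                            "ports": [{"containerPort": 80}]}]}
    if pod_security_context:
        spec["securityContext"] = pod_security_context
    return {"name": "yaml-example", "runtime": "yaml",
            "resources": {"pod": {"type": POD_TYPE,
                                  "properties": {"metadata": {"annotations": annotations},
                                                 "spec": spec}}}}


PROFILE = "localhost/k8s-apparmor-example-allow-write"   # profile name from the page
MISSING = pod_program(None)  # "annotations:" with no value parses as None
WRONG_KEY = pod_program({"container.notapparmor.security.beta.kubernetes.io/nginx": PROFILE})
BARE_PREFIX = pod_program({APPARMOR_PREFIX: PROFILE})   # the page's shortened key
ANNOTATED = pod_program({f"{APPARMOR_PREFIX}/nginx": PROFILE})
FIELD = pod_program(None, {"appArmorProfile": {"type": "RuntimeDefault"}})

if __name__ == "__main__":
    for label, prog in [("missing", MISSING), ("wrong key", WRONG_KEY),
                        ("bare prefix", BARE_PREFIX), ("annotated", ANNOTATED),
                        ("appArmorProfile field", FIELD)]:
        print(f"{label:22s} -> {find_pods_missing_apparmor(prog) or 'ok'}")
```

Running the block reports `pod/nginx` for the first three programs and nothing for the last two. Every lookup uses `or {}` because YAML keys left without a value (`annotations:`, `metadata:`) load as `None`, which is exactly the shape of the positive samples and would otherwise raise instead of being reported.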