Missing App Armor Config

  • Query id: 95588189-1abd-4df1-9588-b0a5034f9e87
  • Query name: Missing App Armor Config
  • Platform: Pulumi
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Containers should be configured with AppArmor for any application to reduce its potential attack
The query inspects metadata.annotations of every kubernetes:core/v1:Pod resource in a Pulumi program and flags the Pod when no annotation key begins with container.apparmor.security.beta.kubernetes.io. The form Kubernetes actually honours is one key per container, container.apparmor.security.beta.kubernetes.io/<container_name>, with a value of localhost/<profile>, runtime/default or unconfined; a profile referenced through localhost/ must already be loaded on every node the Pod can be scheduled to, or the Pod will fail to start there. The samples below distinguish passing from failing Pods only by the key, so treat a passing result as "an AppArmor key is present" and still review the value: unconfined disables confinement. Since Kubernetes 1.30 the same setting is also available as the securityContext.appArmorProfile field, which this annotation-based check does not look at.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
             - containerPort: 80
---
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
             - containerPort: 80
---
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:
          # Key does not start with container.apparmor.security.beta.kubernetes.io, so the Pod is still flagged
          container.notapparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
             - containerPort: 80

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
name: yaml-example
description: Create a Pod with auto-naming
runtime: yaml
resources:
  pod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        annotations:
          # Any key beginning with the AppArmor annotation prefix satisfies the query; the key
          # Kubernetes applies to a container is container.apparmor.security.beta.kubernetes.io/<container_name>
          container.apparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write
          container.apparmor.security.beta.kubernetes.io2: localhost/k8s-apparmor-example-allow-write
      spec:
        containers:
          - image: nginx:1.14.2
            name: nginx
            ports:
             - containerPort: 80
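As an added example (written for this page, not code from the KICS project), the following Python re-implements the check in two modes and runs it over the page's samples, transcribed by hand as the dicts yaml.safe_load would return so that no PyYAML is needed. The loose mode mirrors what the samples imply the query does (any annotation key with the AppArmor prefix passes); the strict mode is an assumption about what a practitioner would rather enforce: one container.apparmor.security.beta.kubernetes.io/<container_name> key per container with a non-empty profile, or the native securityContext.appArmorProfile field (Kubernetes 1.30+). The function names, the strict mode and the two "hardened" programs are constructed here and are not part of the original page.

```python
# Added example for this page: a stand-alone re-implementation of the
# "Missing App Armor Config" check, not the KICS query's own code.
# The page's samples are transcribed below as the dicts yaml.safe_load
# would return, so no PyYAML is needed.

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io"
POD_TYPE = "kubernetes:core/v1:Pod"


def _pod_resources(program):
    """Yield (resource name, properties) for each Pod resource in a Pulumi program."""
    for name, res in (program.get("resources") or {}).items():
        if isinstance(res, dict) and res.get("type") == POD_TYPE:
            yield name, res.get("properties") or {}


def _annotations(properties):
    """Pod annotations, tolerating a bare 'metadata:' or 'annotations:' key (None)."""
    return (properties.get("metadata") or {}).get("annotations") or {}


def _containers(properties):
    spec = properties.get("spec") or {}
    return [c for c in spec.get("containers") or [] if isinstance(c, dict)]


def has_apparmor_field(container):
    """Assumption: a stricter check should also accept the native
    securityContext.appArmorProfile field (Kubernetes 1.30+)."""
    profile = (container.get("securityContext") or {}).get("appArmorProfile") or {}
    return profile.get("type") in ("RuntimeDefault", "Localhost")


def missing_apparmor(program, strict=False):
    """Names of Pod resources with no AppArmor configuration.

    strict=False: what the page's samples imply the query does; any annotation
    key beginning with APPARMOR_PREFIX is enough.
    strict=True: what a practitioner wants; every container must carry
    <prefix>/<container name> with a non-empty profile, or the native field.
    """
    findings = []
    for name, props in _pod_resources(program):
        ann = _annotations(props)
        containers = _containers(props)
        if strict:
            ok = bool(containers) and all(
                ann.get(f"{APPARMOR_PREFIX}/{c.get('name')}") or has_apparmor_field(c)
                for c in containers
            )
        else:
            ok = any(str(k).startswith(APPARMOR_PREFIX) for k in ann)
        if not ok:
            findings.append(name)
    return findings


def _program(metadata, containers):
    """Shape of a Pulumi YAML program with one Pod resource named 'pod'."""
    return {
        "name": "yaml-example", "runtime": "yaml",
        "resources": {"pod": {"type": POD_TYPE, "properties": {
            "metadata": metadata, "spec": {"containers": containers}}}},
    }


NGINX = [{"image": "nginx:1.14.2", "name": "nginx", "ports": [{"containerPort": 80}]}]
PROFILE = "localhost/k8s-apparmor-example-allow-write"

# The page's three positive (flagged) samples.
POSITIVE_1 = _program({"annotations": None}, NGINX)   # bare "annotations:" key
POSITIVE_2 = _program(None, NGINX)                    # bare "metadata:" key
POSITIVE_3 = _program({"annotations": {
    "container.notapparmor.security.beta.kubernetes.io": PROFILE}}, NGINX)
# The page's negative (passing) sample: prefix keys, but not the per-container form.
NEGATIVE_1 = _program({"annotations": {
    APPARMOR_PREFIX: PROFILE, APPARMOR_PREFIX + "2": PROFILE}}, NGINX)
# Constructed here (not from the page): Pods that Kubernetes will actually confine.
HARDENED_ANNOTATION = _program({"annotations": {
    APPARMOR_PREFIX + "/nginx": PROFILE}}, NGINX)
HARDENED_FIELD = _program(None, [dict(
    NGINX[0], securityContext={"appArmorProfile": {"type": "RuntimeDefault"}})])

if __name__ == "__main__":
    samples = [("positive 1", POSITIVE_1), ("positive 2", POSITIVE_2),
               ("positive 3", POSITIVE_3), ("negative 1", NEGATIVE_1),
               ("hardened annotation", HARDENED_ANNOTATION),
               ("hardened field", HARDENED_FIELD)]
    for label, prog in samples:
        print(f"{label:20} loose={missing_apparmor(prog)} "
              f"strict={missing_apparmor(prog, strict=True)}")
```

Running it shows the two places where the page's check and a real deployment diverge: the negative sample passes the loose check but fails the strict one, because neither of its keys is the per-container form Kubernetes reads, and a Pod hardened only through securityContext.appArmorProfile fails the loose check even though it is confined. Both are worth knowing before treating a clean scan as proof that confinement is in place.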