KEP-24: Graduate Kubernetes' support for AppArmor to GA.

Signed-off-by: Vinayak Goyal <[email protected]>
kubernetes · Jul 3, 2024 · 9849cce · 9849cce
1 parent dd0de2f
commit 9849cce
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md
@@ -9,6 +9,10 @@ stages:
   - stage: beta
     defaultValue: true
     fromVersion: "1.4"
+    toVersion: "1.30"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.31"
 ---
 Enable use of AppArmor mandatory access control for Pods running on Linux nodes.
 See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details.
diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md
@@ -419,6 +419,43 @@ securityContext:
     localhostProfile: my-profiles/profile-allow.json
 ```
 
+## Set the AppArmor Profile for a Container
+
+To set the AppArmor profile for a Container, include the `appArmorProfile` field
+in the `securityContext` section of your Pod or Container manifest. The
+`appArmorProfile` field is a
+[AppArmorProfile](/docs/reference/generated/kubernetes-api/{{< param "version"
+>}}/#apparmorprofile-v1-core) object consisting of `type` and `localhostProfile`.
+Valid options for `type` include `RuntimeDefault`, `Unconfined`, and
+`Localhost`. `localhostProfile` must only be set if `type: Localhost`. It
+indicates the name of the pre-configured profile on the node. The profile needs
+to loaded onto all nodes, since you don't know where the pod will be scheduled. 
+Approaches of setting up custom profiles are discussed in
+[Setting up nodes with profiles](/docs/tutorials/security/apparmor/#setting-up-nodes-with-profiles). 
+
+Here is an example that sets the AppArmor profile to the node's container runtime
+default profile:
+
+```yaml
+...
+securityContext:
+  appArmorProfile:
+    type: RuntimeDefault
+```
+
+Here is an example that sets the AppArmor profile to a pre-configured profile
+named `k8s-apparmor-example-deny-write`:
+
+```yaml
+...
+securityContext:
+  appArmorProfile:
+    type: Localhost
+    localhostProfile: k8s-apparmor-example-deny-write
+```
+
+For more details please see, [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/).
+
 ## Assign SELinux labels to a Container
 
 To assign SELinux labels to a Container, include the `seLinuxOptions` field in

diff --git a/content/en/docs/tutorials/_index.md b/content/en/docs/tutorials/_index.md
@@ -49,7 +49,7 @@ Before walking through each tutorial, you may want to bookmark the
 
 * [Apply Pod Security Standards at Cluster level](/docs/tutorials/security/cluster-level-pss/)
 * [Apply Pod Security Standards at Namespace level](/docs/tutorials/security/ns-level-pss/)
-* [AppArmor](/docs/tutorials/security/apparmor/)
+* [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/)
 * [Seccomp](/docs/tutorials/security/seccomp/)
 ## {{% heading "whatsnext" %}}