AppArmor documentation

kubernetes · Aug 31, 2016 · df2698c · df2698c
1 parent 2262731
commit df2698c
Show file tree

Hide file tree

Showing 4 changed files with 416 additions and 0 deletions.
diff --git a/_data/guides.yml b/_data/guides.yml
@@ -284,3 +284,5 @@ toc:
     path: /docs/admin/salt/
   - title: Monitoring Node Health
     path: /docs/admin/node-problem/
+  - title: AppArmor
+    path: /docs/admin/apparmor/
diff --git a/docs/admin/apparmor/deny-write.profile b/docs/admin/apparmor/deny-write.profile
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
+  #include <abstractions/base>
+
+  file,
+
+  # Deny all file writes.
+  deny /** w,
+}
diff --git a/docs/admin/apparmor/hello-apparmor-pod.yaml b/docs/admin/apparmor/hello-apparmor-pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hello-apparmor
+  annotations:
+    # Tell Kubernetes to apply the AppArmor profile "k8s-apparmor-example-deny-write".
+    # Note that this is ignored if the Kubernetes node is not running version 1.4 or greater.
+    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
+spec:
+  containers:
+  - name: hello
+    image: busybox
+    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]