Shopify / kubeaudit

kubeaudit helps you audit your Kubernetes clusters against common security controls
MIT License
1.89k stars 183 forks

Support AppArmor profile unconfined #442

Closed: JWT95 closed 1 year ago

JWT95 commented 2 years ago
ISSUE TYPE

FEATURE IDEA

Proposal: Currently, kubeaudit does not support annotations of the form: container.apparmor.security.beta.kubernetes.io/<container>: unconfined. It errors with: Message: AppArmor is disabled. This can't be overridden because kubeaudit doesn't support apparmor override errors.

But the unconfined profile is supported by k8s and may be used for containers that need access to /proc but can't use localhost profiles.

kubeaudit should either support the unconfined profile or allow overrides for apparmor. I think the same applies for seccomp.

ghost commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the issue template!

genevieveluyt commented 2 years ago

Why not both? 🙂 If you are interested in contributing, we would be happy to accept this change.

EDIT: Actually, since unconfined runs apparmor with no security profile, I think we want to discourage this. We should introduce an override label.
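
The following sketch is an added example, not part of the thread and not kubeaudit's code. It shows the behaviour the discussion converges on: `unconfined` is still reported as AppArmor disabled, but a per-container override label carrying a reason downgrades the finding. The override label key, the `Finding` type, the status strings and the choice to treat a missing annotation as an error are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// The annotation prefix is the one quoted in the issue; the override label key is hypothetical.
const (
	appArmorPrefix = "container.apparmor.security.beta.kubernetes.io/"
	overrideFmt    = "example.invalid/%s.allow-disabled-apparmor"
)

// Finding is the AppArmor result for one container; Status is "ok", "error" or "overridden".
type Finding struct{ Container, Status, Reason string }

// auditAppArmor classifies every container by the value of its AppArmor annotation.
func auditAppArmor(annotations, labels map[string]string, containers []string) []Finding {
	var out []Finding
	for _, c := range containers {
		val, present := annotations[appArmorPrefix+c]
		f := Finding{Container: c, Status: "ok", Reason: val}
		switch {
		case !present:
			f.Status, f.Reason = "error", "annotation missing"
		case val == "unconfined":
			f.Status, f.Reason = "error", "AppArmor is disabled (unconfined)"
		case val != "runtime/default" && !strings.HasPrefix(val, "localhost/"):
			f.Status, f.Reason = "error", "unrecognised profile: "+val
		}
		// Only an explicit unconfined profile can be overridden, and only with a stated reason.
		if why := labels[fmt.Sprintf(overrideFmt, c)]; val == "unconfined" && why != "" {
			f.Status, f.Reason = "overridden", why
		}
		out = append(out, f)
	}
	return out
}

func main() {
	// Constructed sample pod metadata.
	ann := map[string]string{appArmorPrefix + "app": "runtime/default", appArmorPrefix + "debug": "unconfined"}
	lbl := map[string]string{fmt.Sprintf(overrideFmt, "debug"): "needs-proc-access"}
	for _, f := range auditAppArmor(ann, lbl, []string{"app", "debug", "sidecar"}) {
		fmt.Printf("%-8s %-10s %s\n", f.Container, f.Status, f.Reason)
	}
}
```

Requiring a non-empty label value keeps each exception visible and justified in the manifest, so a reviewer can see which containers run without a profile and why.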