Missing AppArmor Profile

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-011
  labels:
    severity: "medium"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "Missing AppArmor Profile"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-284"
    rules.spotter.dev/description: "Pods should define an AppArmor profile to restrict container capabilities and enhance security."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && (
      !has(object.metadata.annotations) ||
      (has(object.spec.containers) && object.spec.containers.exists(c,
        !('container.apparmor.security.beta.kubernetes.io/' + c.name in object.metadata.annotations) ||
        object.metadata.annotations['container.apparmor.security.beta.kubernetes.io/' + c.name] == 'dummy'
      )) ||
      (has(object.spec.initContainers) && object.spec.initContainers.exists(c,
        !('container.apparmor.security.beta.kubernetes.io/' + c.name in object.metadata.annotations) ||
        object.metadata.annotations['container.apparmor.security.beta.kubernetes.io/' + c.name] == 'dummy'
      ))
    )) ||
    (object.kind != 'Pod' && (
      !has(object.spec.template.metadata.annotations) ||
      (has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c,
        !('container.apparmor.security.beta.kubernetes.io/' + c.name in object.spec.template.metadata.annotations) ||
        object.spec.template.metadata.annotations['container.apparmor.security.beta.kubernetes.io/' + c.name] == 'dummy'
      )) ||
      (has(object.spec.template.spec.initContainers) && object.spec.template.spec.initContainers.exists(c,
        !('container.apparmor.security.beta.kubernetes.io/' + c.name in object.spec.template.metadata.annotations) ||
        object.spec.template.metadata.annotations['container.apparmor.security.beta.kubernetes.io/' + c.name] == 'dummy'
      ))
    ))
  remediation:
    manual: "Add an AppArmor annotation to the pod or pod template, specifying a profile (e.g., `container.apparmor.security.beta.kubernetes.io/my-container: runtime/default`)."
  references:
    - title: "Kubernetes AppArmor"
      url: "https://kubernetes.io/docs/tutorials/security/apparmor/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-apparmor-1
      annotations:
        container.apparmor.security.beta.kubernetes.io/hello1: dummy
        container.apparmor.security.beta.kubernetes.io/hello2: dummy
    spec:
      containers:
      - name: hello1
        image: busybox
        command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
      - name: hello2
        image: busybox
        command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
      - name: hello3
        image: busybox
        command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
- name: insecure sample 2 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ubuntu-test1
      namespace: testns
      labels:
        deployment: ubuntu-1
    spec:
      replicas: 1
      selector:
        matchLabels:
          container: ubuntu-1
      template:
        metadata:
          labels:
            container: ubuntu-1
          annotations:
            container.apparmor.security.beta.kubernetes.io/ubuntu-1-container: dummy
        spec:
          containers:
          - name: ubuntu-1-container
            image: 0x010/ubuntu-w-utils:latest
- name: secure sample 1 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-apparmor-2positive
      annotations:
        container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-allow-write
    spec:
      containers:
      - name: hello
        image: busybox
        command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-011
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-011
spec:
  # Add your VAP configuration here

Rule Metadata

Missing AppArmor Profile

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub