# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
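---
# Policy Controller / Gatekeeper constraint from the CIS GKE Benchmark v1.5.0
# bundle (control 4.2.1). It restricts the AppArmor profiles a Pod's containers
# may request, using the K8sPSPAppArmor constraint template.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: cis-gke-v1.5.0-apparmor
  labels:
    policycontroller.gke.io/bundleName: cis-gke-v1.5.0
  annotations:
    # Quoted so the version stays a string (a plain 202405.0 would parse as a float).
    policycontroller.gke.io/bundleVersion: "202405.0"
    # Bundle metadata consumed by Policy Controller tooling. The whole block,
    # including the relative indentation of the inner lines, is the annotation
    # value; keep it byte-identical to the upstream bundle file.
    # NOTE(review): the inner indentation below was reconstructed from a copy
    # that had lost its indentation - confirm against the upstream bundle file.
    policycontroller.gke.io/constraintData: |-
      "{
        bundleName: 'cis-gke-v1.5.0',
        bundleDisplayName: 'CIS GKE Benchmark v1.5.0',
        bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-gke-v1.5',
        bundleVersion: '202405.0',
        bundleDescription: 'Use the CIS GKE Benchmark 1.5.0 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS GKE Benchmark v1.5.0, which is a set of recommendations for configuring GKE to support a robust security posture.',
        controlNumbers: '[4.2.1]',
        severity: 'UNSPECIFIED',
        description: 'On supported hosts, the `runtime/default` AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. See "Pod Security Standards" for more information: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline',
        remediation: 'Pods must use an AppArmor profile listed in the `allowedProfiles` field. Use a different AppArmor profile. See "AppArmor" for more information: https://kubernetes.io/docs/tutorials/clusters/apparmor/',
        minimumTemplateLibraryVersion: '1.11.1',
        constraintHash: '6af931d883888cd7ffcdf13de495be6aead9aca249c62cb2d1786e1f55d31727'
      }"
spec:
  # dryrun records violations in the constraint's audit status but does not
  # reject admission requests. Pods overriding the AppArmor profile are still
  # admitted until this is changed to deny (or warn, to surface it to clients).
  enforcementAction: dryrun
  match:
    # Gatekeeper match entries are {apiGroups, kinds} pairs; the empty string is
    # the core API group, where Pod lives.
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    # Profiles a container may request. These are the values the baseline Pod
    # Security Standard accepts (see the description link above).
    # NOTE(review): how the template matches them - exact string vs. wildcard
    # for "localhost/*", and what an unset annotation resolves to - is defined
    # by the K8sPSPAppArmor template at minimumTemplateLibraryVersion 1.11.1;
    # confirm against the installed template library before relying on "".
    allowedProfiles:
      - runtime/default
      - "localhost/*"
      - ""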