Can someone please help me understand how the solution was arrived at for the below YAML?
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: frontend-site
  namespace: omni
spec:
  securityContext:
    appArmorProfile:
      type: Localhost
      localhostProfile: restricted-frontend
  serviceAccountName: frontend-default # Use the service account with least privileges
  containers:
  - image: nginx:alpine
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data/pages
      type: Directory
Below are the steps I followed:
Step 1: Since the pod YAML is not given, I took the existing pod's YAML using the below command
k get pod -n omni frontend-site -oyaml>q1pod.yaml
Step 2: I defined the service account name as frontend-default as it has the least amount of privileges.
Step 3: Applied the AppArmor profile; first loaded the AppArmor file using apparmor_parser -q /etc/apparmor.d/frontend
Step 4: Deleted the service account volumeMounts
Step 5: Below is the existing output YAML that was defined. But the site is still not restricted.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2025-05-22T12:18:10Z"
  labels:
    run: nginx
  name: frontend-site
  namespace: omni
  resourceVersion: "12398"
  uid: 8859ac31-8681-4b80-97a4-fbfbe7c8355e
spec:
  containers:
  - image: nginx:alpine
    imagePullPolicy: IfNotPresent
    name: nginx
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-tbghm
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: controlplane
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: frontend-default
  serviceAccountName: frontend-default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
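An added example, not from this post or any reply to it, that audits a Pod object (as the dict you get from `kubectl get pod -o json`) for the three points the question is about and produces a cleaned copy that can be re-applied. The sample pod is constructed from the posted output, and the names restricted-frontend and frontend-default are taken from the question; the `securityContext.appArmorProfile` field is honoured by Kubernetes v1.30 and later, so the older per-container annotation is set as well, and the token mount is removed by disabling automount rather than editing the injected kube-api-access volume.

```python
import copy

ANNOTATION = "container.apparmor.security.beta.kubernetes.io/"
# Constructed sample, trimmed from the posted `kubectl get -o yaml` output.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "frontend-site", "namespace": "omni", "resourceVersion": "12398"},
    "spec": {"securityContext": {}, "serviceAccount": "frontend-default",
             "serviceAccountName": "frontend-default", "nodeName": "controlplane",
             "containers": [{"image": "nginx:alpine", "name": "nginx", "volumeMounts": [
                 {"mountPath": "/usr/share/nginx/html", "name": "test-volume"},
                 {"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                  "name": "kube-api-access-tbghm", "readOnly": True}]}]}}

def audit_pod(pod: dict) -> list[str]:
    """Report why a pod is not yet confined and least-privileged."""
    spec, findings = pod.get("spec", {}), []
    ann = pod.get("metadata", {}).get("annotations", {})
    pod_profile = spec.get("securityContext", {}).get("appArmorProfile")
    for c in spec.get("containers", []):
        ctr_profile = c.get("securityContext", {}).get("appArmorProfile")
        if not (pod_profile or ctr_profile or ANNOTATION + c["name"] in ann):
            findings.append(f"container {c['name']}: no AppArmor profile")
        if any(m["name"].startswith("kube-api-access-") for m in c.get("volumeMounts", [])):
            findings.append(f"container {c['name']}: service account token is mounted")
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not false")
    return findings

def harden_pod(pod: dict, profile: str, sa: str) -> dict:
    """Return a re-applicable copy of `pod` confined by an already loaded profile."""
    out = copy.deepcopy(pod)
    out.pop("status", None)
    for k in ("creationTimestamp", "resourceVersion", "uid", "managedFields"):
        out["metadata"].pop(k, None)       # server-owned, stale on re-create
    spec = out["spec"]
    for k in ("nodeName", "serviceAccount"):  # scheduler output / deprecated alias
        spec.pop(k, None)
    spec["serviceAccountName"] = sa
    # kube-api-access-* is injected by the API server; disable automount instead of hand-deleting the mount.
    spec["automountServiceAccountToken"] = False
    spec.setdefault("securityContext", {})["appArmorProfile"] = {
        "type": "Localhost", "localhostProfile": profile}
    ann = out["metadata"].setdefault("annotations", {})
    for c in spec["containers"]:
        ann[ANNOTATION + c["name"]] = f"localhost/{profile}"  # honoured before v1.30
        c["volumeMounts"] = [m for m in c.get("volumeMounts", [])
                             if not m["name"].startswith("kube-api-access-")]
    spec["volumes"] = [v for v in spec.get("volumes", [])
                       if not v["name"].startswith("kube-api-access-")]
    return out
```

Running `audit_pod` on the pod as returned by the cluster shows exactly which of the three settings did not take; a clean result from `audit_pod(harden_pod(...))` plus a confined process in the container (`cat /proc/1/attr/current` inside it) is the check that the profile is actually enforced.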