Hi,
Creating the POD with this yaml file,
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: frontend-site
namespace: omni
spec:
securityContext:
appArmorProfile: # Apply apparmor profile
localhostProfile: restricted-frontend
type: Localhost
serviceAccount: frontend-default # Use the service account with least privileges
containers:
- image: nginx:alpine
name: nginx
volumeMounts:
- mountPath: /usr/share/nginx/html
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /data/pages
type: Directory
After creating it, I am still able to access the /internal link,
and the AppArmor profile is loaded. Please advise if I am missing any step.
If at all possible, please paste your code again, but in a code block, like this:
```
type or paste code here:
- indentation will be preserved
- "quote marks like 'these' won't be corrupted"
```
I’ll take a look at your sample, but it’s very hard to tell correct YAML from incorrect YAML when you pasted it outside of a code block. Use the </> button to create a block, and paste into it.
Code is extracted from this link
https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/08-Mock-Exams/02-Mock-Exam-1.md
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: frontend-site
  namespace: omni
spec:
  securityContext:
    appArmorProfile: # Apply apparmor profile
      localhostProfile: restricted-frontend
      type: Localhost
  serviceAccount: frontend-default # Use the service account with least privileges
  containers:
  - image: nginx:alpine
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data/pages
      type: Directory
```
There are two possible problems:
- Did you use apparmor_parser to load the profile?
- It’s possible that there’s an extra `securityContext: {}` lower in the file than the one you modified. This was a problem when I tried it, and the fix was to remove that.
If you do both those things, it should work; it did for me just now.
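An added example, not part of the thread or of the course repository: a stdlib-only Python check for the second problem described above, a key such as `securityContext` appearing twice in the same mapping of a manifest, where a parser that keeps the last value (PyYAML does) leaves the empty one in effect. The manifest is a constructed variant of the Pod from this thread, and `find_duplicate_keys` is a hypothetical helper that assumes block-style YAML without multi-line scalars.

```python
import re

# Matches "key:" lines, optionally introduced by list dashes ("- key:").
KEY_RE = re.compile(r'^(\s*)((?:- )*)([A-Za-z0-9_./-]+):(?:\s|$)')

# Constructed sample: the thread's Pod plus an extra empty securityContext.
MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: frontend-site
  namespace: omni
spec:
  securityContext:
    appArmorProfile:
      localhostProfile: restricted-frontend
      type: Localhost
  serviceAccount: frontend-default
  containers:
  - image: nginx:alpine
    name: nginx
  securityContext: {}
"""

def find_duplicate_keys(text):
    """Return [(key, first_line, duplicate_line)] for keys repeated in one mapping."""
    stack = []  # open mappings as (indent, {key: line_no}), innermost last
    dups = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(raw.split(' #')[0].rstrip())  # crude comment strip
        if not m:
            continue
        indent = len(m.group(1)) + len(m.group(2))
        new_item, key = bool(m.group(2)), m.group(3)
        while stack and stack[-1][0] > indent:   # leave deeper mappings
            stack.pop()
        if new_item and stack and stack[-1][0] == indent:
            stack.pop()                          # next list item: fresh mapping
        if not stack or stack[-1][0] < indent:
            stack.append((indent, {}))
        seen = stack[-1][1]
        if key in seen:
            dups.append((key, seen[key], no))
        else:
            seen[key] = no
    return dups

if __name__ == "__main__":
    for key, first, dup in find_duplicate_keys(MANIFEST):
        print(f"{key!r} set on line {first} and again on line {dup}")
```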
I managed to fix it, thanks for your assistance