Doubt on the CKS challenge

I have a doubt regarding the AppArmor question in CKS challenge 1.

Here’s my deployment spec:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alpha-xyz
  name: alpha-xyz
  namespace: alpha
spec:
  selector:
    matchLabels:
      app: alpha-xyz
  template:
      labels:
        app: alpha-xyz
    spec:
      containers:
      - image: docker.io/library/nginx:alpine
        name: nginx
      securityContext:
        appArmorProfile:
          localhostProfile: custom-nginx
          type: Localhost

And I can see the policy getting applied on the pod when I describe the pod, but the diagram still shows a red mark on Policy to pod.

I have loaded the profile correctly and I can see it in apparmor_status as well.

Hi @Himanshu-Gaikwad

Your Deployment manifest is a bit off. The template labels should be nested within metadata: template.metadata.labels.

And, the securityContext for AppArmor should be within the containers list.

This would need Volumes and VolumeMounts as well.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alpha-xyz
  name: alpha-xyz
  namespace: alpha
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alpha-xyz
  template:
    metadata:
      labels:
        app: alpha-xyz
    spec:
      containers:
      - image: nginx:alpine
        name: nginx
        securityContext:
          appArmorProfile:
            type: Localhost
            localhostProfile: custom-nginx
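
The two corrections from the answer above, expressed as a check. This is an added example, not part of the original thread: `lint_deployment` and the two sample dicts are constructed here, and it assumes the manifest has already been parsed into a dict (for example from `kubectl get deployment -o json`).

```python
def lint_deployment(dep):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    spec = dep.get("spec", {})
    template = spec.get("template", {})

    # Check 1: pod labels belong under template.metadata.labels and must
    # satisfy spec.selector.matchLabels.
    if "labels" in template:
        findings.append("labels sit directly under template; move to template.metadata.labels")
    pod_labels = template.get("metadata", {}).get("labels", {})
    selector = spec.get("selector", {}).get("matchLabels", {})
    for key, want in selector.items():
        if pod_labels.get(key) != want:
            findings.append(f"selector {key}={want} not matched by template.metadata.labels")

    # Check 2: each container should set securityContext.appArmorProfile
    # itself; a Localhost type also needs localhostProfile.
    pod_spec = template.get("spec", {})
    pod_level = pod_spec.get("securityContext", {}).get("appArmorProfile")
    for c in pod_spec.get("containers", []):
        prof = c.get("securityContext", {}).get("appArmorProfile")
        name = c.get("name", "?")
        if prof is None:
            where = "only on the pod securityContext" if pod_level else "nowhere"
            findings.append(f"container {name}: appArmorProfile set {where}")
        elif prof.get("type") == "Localhost" and not prof.get("localhostProfile"):
            findings.append(f"container {name}: type Localhost needs localhostProfile")
    return findings

# Constructed sample input mirroring the shape of the two manifests in the thread.
PROFILE = {"type": "Localhost", "localhostProfile": "custom-nginx"}
SELECTOR = {"matchLabels": {"app": "alpha-xyz"}}
QUESTION = {"spec": {"selector": SELECTOR, "template": {
    "labels": {"app": "alpha-xyz"},
    "spec": {"containers": [{"name": "nginx"}],
             "securityContext": {"appArmorProfile": PROFILE}}}}}
ANSWER = {"spec": {"selector": SELECTOR, "template": {
    "metadata": {"labels": {"app": "alpha-xyz"}},
    "spec": {"containers": [{"name": "nginx",
                             "securityContext": {"appArmorProfile": PROFILE}}]}}}}

if __name__ == "__main__":
    for label, dep in (("question", QUESTION), ("answer", ANSWER)):
        print(label, lint_deployment(dep) or "OK")
```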