@@ -419,6 +419,44 @@ securityContext:
419419 localhostProfile: my-profiles/profile-allow.json
420420` ` `
421421
422+ # # Set the AppArmor Profile for a Container
423+
424+ To set the AppArmor profile for a Container, include the `appArmorProfile` field
425+ in the `securityContext` section of your Container. The `appArmorProfile` field
426+ is a
427+ [AppArmorProfile](/docs/reference/generated/kubernetes-api/{{< param "version"
428+ >}}/#apparmorprofile-v1-core) object consisting of `type` and `localhostProfile`.
429+ Valid options for `type` include `RuntimeDefault`(default), `Unconfined`, and
430+ ` Localhost` . `localhostProfile` must only be set if `type` is `Localhost`. It
431+ indicates the name of the pre-configured profile on the node. The profile needs
432+ to be loaded onto all nodes suitable for the Pod, since you don't know where the
433+ pod will be scheduled.
434+ Approaches for setting up custom profiles are discussed in
435+ [Setting up nodes with profiles](/docs/tutorials/security/apparmor/#setting-up-nodes-with-profiles).
436+
437+ Here is an example that sets the AppArmor profile to the node's container runtime
438+ default profile :
439+
440+ ` ` ` yaml
441+ ...
442+ securityContext:
443+ appArmorProfile:
444+ type: RuntimeDefault
445+ ` ` `
446+
447+ Here is an example that sets the AppArmor profile to a pre-configured profile
448+ named `k8s-apparmor-example-deny-write` :
449+
450+ ` ` ` yaml
451+ ...
452+ securityContext:
453+ appArmorProfile:
454+ type: Localhost
455+ localhostProfile: k8s-apparmor-example-deny-write
456+ ` ` `
457+
458+ For more details please see, [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/).
459+
422460# # Assign SELinux labels to a Container
423461
424462To assign SELinux labels to a Container, include the `seLinuxOptions` field in
0 commit comments