Add AppArmor Annotations
In the earlier Pod Security Policy controller, it was possible to define a setting which would enable AppArmor for all the containers within a Pod so they may be assigned the desired profile. Assigning an AppArmor profile, accomplished via an annotation, is useful in that it allows secure defaults to be defined and may also result in passing other validation rules such as those in the Pod Security Standards. This policy mutates Pods to add an annotation for every container to enable AppArmor at the runtime/default level.
Policy Definition
/psp-migration/add-apparmor/add-apparmor.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-apparmor-annotations
  annotations:
    policies.kyverno.io/title: Add AppArmor Annotations
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod,Annotation
    kyverno.io/kyverno-version: 1.10.0
    kyverno.io/kubernetes-version: "1.24"
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      In the earlier Pod Security Policy controller, it was possible to define
      a setting which would enable AppArmor for all the containers within a Pod so
      they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
      via an annotation, is useful in that it allows secure defaults to be defined and may
      also result in passing other validation rules such as those in the Pod Security Standards.
      This policy mutates Pods to add an annotation for every container to enable AppArmor
      at the runtime/default level.
spec:
  rules:
  - name: apparmor-runtime-default
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    mutate:
      foreach:
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        patchStrategicMerge:
          metadata:
            annotations:
              container.apparmor.security.beta.kubernetes.io/{{element.name}}: runtime/default
```
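To see what the rule does to a concrete manifest, here is an added Python simulation of the foreach patch (example code, not Kyverno's or the policy library's own): it walks the same three container lists the `list` expression names and sets the same annotation key per container name. The audit helper and the sample Pod are constructed for the example; the sample gives one container a pre-existing profile to show that the patch, as written without a `+()` add-if-absent anchor, replaces it.

```python
import copy

# Mirrors the policy's foreach list: spec.[ephemeralContainers, initContainers, containers][]
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
PROFILE = "runtime/default"


def add_apparmor_annotations(pod: dict) -> dict:
    """Return a copy of the Pod with the annotation the rule adds for each container.

    Like the policy's patchStrategicMerge (no +() add-if-absent anchor), a value
    already present under the same key is replaced by runtime/default.
    """
    patched = copy.deepcopy(pod)
    metadata = patched.setdefault("metadata", {})
    annotations = metadata.get("annotations") or {}
    metadata["annotations"] = annotations
    for list_name in CONTAINER_LISTS:
        for container in patched.get("spec", {}).get(list_name) or []:
            annotations[ANNOTATION_PREFIX + container["name"]] = PROFILE
    return patched


def containers_without_apparmor(pod: dict) -> list:
    # Audit helper (constructed, not part of the policy): containers with no AppArmor annotation.
    annotations = pod.get("metadata", {}).get("annotations") or {}
    missing = []
    for list_name in CONTAINER_LISTS:
        for container in pod.get("spec", {}).get(list_name) or []:
            if ANNOTATION_PREFIX + container["name"] not in annotations:
                missing.append(container["name"])
    return missing


# Constructed sample Pod: one init container and two app containers, one of which
# already carries a profile chosen by its author.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo",
                 "annotations": {ANNOTATION_PREFIX + "web": "localhost/custom-web"}},
    "spec": {
        "initContainers": [{"name": "init-db", "image": "busybox"}],
        "containers": [{"name": "web", "image": "nginx"}, {"name": "sidecar", "image": "envoy"}],
    },
}

if __name__ == "__main__":
    print("missing before:", containers_without_apparmor(SAMPLE_POD))
    patched = add_apparmor_annotations(SAMPLE_POD)
    print("missing after:", containers_without_apparmor(patched))
    for key, value in sorted(patched["metadata"]["annotations"].items()):
        print(key, "=", value)
```

Because `pod-policies.kyverno.io/autogen-controllers` is `none`, the rule matches Pods only, so a Deployment's template is annotated at the moment its Pods are created rather than in the Deployment object itself.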