As AppArmor support is still in beta, you specify the metadata as annotations rather than as bona fide fields; when it comes out of beta that will change.
To apply a profile to a container, add the following annotation:
container.apparmor.security.beta.kubernetes.io/<container-name>: <profile-ref>
The profile reference can be either the default profile, runtime/default, or a profile loaded on the host, referenced as localhost/<profile-name>.
Here is a sample profile that prevents writing to files:
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
AppArmor is not a Kubernetes resource, so the format is not the YAML or JSON you're familiar with.
To verify that the profile was attached correctly, check the attributes of process 1:
kubectl exec <pod-name> -- cat /proc/1/attr/current
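As an added example (not from the original text), the following shell functions build the annotation described above and check the output of /proc/1/attr/current the way a practitioner would: the profile must be the expected one and it must be in enforce mode. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the AppArmor annotation for one container and
# verify what /proc/1/attr/current reports inside the pod.

# Emit the beta annotation line for one container.
# Usage: apparmor_annotation <container-name> <profile-ref>
apparmor_annotation() {
    printf 'container.apparmor.security.beta.kubernetes.io/%s: %s\n' "$1" "$2"
}

# Check the contents of /proc/1/attr/current against the expected
# profile reference (localhost/<profile-name>).
# Returns 0 only when that profile is active in enforce mode:
#   "unconfined"            -> the annotation was not applied
#   "<name> (complain)"     -> profile loaded but only logging violations
#   "<other-name> (enforce)"-> a different profile is active
check_apparmor_current() {
    current="$1"              # e.g. "k8s-apparmor-example-deny-write (enforce)"
    expected="${2#localhost/}" # strip the localhost/ prefix from the reference
    case "$current" in
        "$expected (enforce)") return 0 ;;
        *)                     return 1 ;;
    esac
}

# Live check against a running pod; needs a cluster, so it is not run here.
verify_pod_profile() {
    pod="$1"; profile_ref="$2"
    current=$(kubectl exec "$pod" -- cat /proc/1/attr/current)
    check_apparmor_current "$current" "$profile_ref"
}
```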
By default, pods can be scheduled on any node in the cluster, so the profile must be loaded on every node. This is a classic use case for a DaemonSet.