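## Creating a sample AppArmor profile

Run this on the node that will host the Pod. The profile is loaded into that node's kernel, so it must be loaded on every node the Pod can be scheduled to. A profile loaded this way from stdin is not written to `/etc/apparmor.d`, so it has to be loaded again after a reboot.

```shell
apparmor_parser -q <<EOF
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF
```

## Verifying the profile status

```shell
aa-status
```

`k8s-apparmor-example-deny-write` should be listed among the profiles in enforce mode.

## Creating a demo Pod manifest that references the host-loaded profile

```shell
cd /root/apparmor1
vi pod-app-armor.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-app-armor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
```

The last segment of the annotation key (`hello`) must match the container name, and the value after `localhost/` must match the profile name loaded on the node. If either is wrong, the profile is not applied as intended. This beta annotation is deprecated as of Kubernetes v1.30; on newer clusters, set `securityContext.appArmorProfile` with `type: Localhost` and `localhostProfile: k8s-apparmor-example-deny-write` instead.

```shell
kubectl apply -f pod-app-armor.yaml
```

## Verifying

Open a shell in the container:

```shell
kubectl exec -it pod-app-armor -- sh
```

Then, inside the container, try to create a file:

```shell
touch /tmp/file.yml
```

The `touch` should fail with a `Permission denied` error, because the profile denies all file writes. If the file is created, the profile is not being enforced on this container. Running `cat /proc/1/attr/current` inside the container shows which profile is attached.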