Should apparmor always view unconfined as compliant? #475
Comments
Hi @fseldow! - Not specific to
Hi @apeabody, thanks for the discussion. The result change will happen only when the input parameter does not include Will it also be viewed as a breaking change? Because from my side, it will not suddenly cause compliant resources to become non-compliant or deny the CRUD of pods.
Thanks for raising this @fseldow! +1 to adding a new parameter in the policy to enable this behavior and allow compliance for unconfined, while ensuring the default behavior when the new parameter is not set remains non-compliant.
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Hi gatekeeper-library,
In the apparmor constraint template, we set up the rule to block containers using an apparmor profile that does not exist in the parameter allowedProfiles:
https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/apparmor/template.yaml
However, in the apparmor API doc, it is said:
unconfined to indicate that no profiles will be loaded
So would it be reasonable to view unconfined as always compliant, even if allowedProfiles is empty or does not include unconfined?
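One way the opt-in proposed in this thread could look in Rego, written here as an added illustration rather than the gatekeeper-library template itself: the existing allowedProfiles list keeps its semantics, and a hypothetical boolean parameter allowUnconfined (a name assumed for this example) must be set to true before unconfined is accepted, so the default decision for unconfined stays a violation. The annotation key and the runtime/default fallback follow the Kubernetes beta AppArmor annotation.

```rego
package k8sapparmor_unconfined_example

# Added example, not the gatekeeper-library template.
# Assumed parameters: allowedProfiles (list of strings) and the hypothetical
# allowUnconfined (bool, treated as false when absent).

violation[{"msg": msg, "details": {"container": c.name, "profile": profile}}] {
    c := input_containers[_]
    profile := get_annotation_for(c, input.review.object)
    not input_apparmor_allowed(profile)
    msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v",
        [input.review.object.metadata.name, c.name, input.parameters.allowedProfiles])
}

# Existing behaviour: the profile must appear in allowedProfiles.
input_apparmor_allowed(profile) {
    input.parameters.allowedProfiles[_] == profile
}

# Proposed opt-in: unconfined is compliant only when explicitly enabled,
# so constraints that never set allowUnconfined keep rejecting it.
input_apparmor_allowed("unconfined") {
    input.parameters.allowUnconfined == true
}

input_containers[c] { c := input.review.object.spec.containers[_] }
input_containers[c] { c := input.review.object.spec.initContainers[_] }

# Per-container annotation; a missing annotation means the runtime default.
get_annotation_for(container, pod) = out {
    out := pod.metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
}
get_annotation_for(container, pod) = out {
    not pod.metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
    out := "runtime/default"
}
```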