UNCLASSIFIED - NO CUI

Disable App Armor Profile Constraint

Cassie Souza requested to merge app-armor-profiles-deny into main

Description

The original intention of the ticket was to set the default Enforcement Action to deny for the AppArmor profiles constraint.

Issues Discovered

AppArmor typically applies to Linux distros derived from Debian (e.g. Ubuntu). SELinux is the equivalent technology applied to Linux distros derived from Fedora (e.g. Red Hat). Currently, all of our Iron Bank containers are either distroless or RHEL UBI. So, none of them will have AppArmor.

Resolution

Unfortunately, the constraint is not useful since it does not have the ability to "ignore" non-Debian distro containers. So, we will be disabling this constraint completely in OPA Gatekeeper until we need it in the future.

Issue

This MR is related to issue #58

Edited by Michael McLeroy
