/*
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The baseline policy should prevent overriding or disabling the default AppArmor
profile, or restrict overrides to an allowed set of profiles.

**Restricted Fields:**
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']

**Allowed Values:** 'runtime/default', 'localhost/*', empty, undefined

**Restricted Fields:**
spec.securityContext.appArmorProfile.type
spec.containers[*].securityContext.appArmorProfile.type
spec.initContainers[*].securityContext.appArmorProfile.type
spec.ephemeralContainers[*].securityContext.appArmorProfile.type

**Allowed Values:** 'RuntimeDefault', 'Localhost', undefined

Reviewer notes:
  - The allowed sets above leave out the "unconfined" annotation value and the
    "Unconfined" profile type, so those are what this check is meant to reject.
  - 'localhost/*' and 'Localhost' are allowed by name only. Nothing in the
    documented policy constrains what the node-local profile actually enforces,
    so the set of profiles loaded on nodes must be controlled separately.
  - Both the legacy annotation and the securityContext fields are listed as
    restricted. A pod can carry either form, so each has to be evaluated.
*/

// NOTE(review): body elided in this listing. Presumably it registers
// CheckAppArmorProfile with the package's set of checks (confirm).
func init() { … }

// CheckAppArmorProfile returns a baseline level check
// that limits the value of AppArmor profiles in 1.0+
func CheckAppArmorProfile() Check { … }

// allowedAnnotationValue reports whether profile, the value of a
// container.apparmor.security.beta.kubernetes.io/* annotation, is acceptable.
// NOTE(review): body elided. Per the header comment, the accepted values should
// be 'runtime/default', any 'localhost/*' value, and the empty string (confirm).
func allowedAnnotationValue(profile string) bool { … }

// allowedProfileType reports whether profile, an appArmorProfile.type value
// taken from a pod or container securityContext, is acceptable.
// NOTE(review): body elided. Per the header comment, the accepted types should
// be 'RuntimeDefault' and 'Localhost'. How an unset field reaches this function
// is not visible here (confirm).
func allowedProfileType(profile corev1.AppArmorProfileType) bool { … }

// appArmorProfile_1_0 evaluates a pod's metadata and spec and returns the
// CheckResult for the AppArmor baseline check.
// NOTE(review): body elided. The header comment lists the pod-level
// securityContext, containers, initContainers, ephemeralContainers and the
// per-container annotations as restricted, so confirm the implementation
// visits all of them. Skipping any one list would let a disallowed profile
// through on that container kind.
func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { … }