On the Cluster worker node, enforce the prepared AppArmor profile#include  profile nginx-deny flags=(attach_disconnected) {  #include...

On the Cluster worker node, enforce the prepared AppArmor profile

#include

 

profile nginx-deny flags=(attach_disconnected) {

  #include

 

  file,

 

  # Deny all file writes.

  deny /** w,

}

EOF'

Edit the prepared manifest file to include the AppArmor profile.

apiVersion: v1

kind: Pod

metadata:

  name: apparmor-pod

spec:

  containers:

  - name: apparmor-pod

    image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to make a file inside the directory which is restricted.