From d3bd86ab53fca3b5663dcc0f29a07cb167f1e30e Mon Sep 17 00:00:00 2001
From: Qiming Teng <tengqim@cn.ibm.com>
Date: Mon, 6 Nov 2017 11:25:27 +0800
Subject: [PATCH] Document unconfined apparmor profile

---
 docs/tutorials/clusters/apparmor.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/tutorials/clusters/apparmor.md b/docs/tutorials/clusters/apparmor.md
index 81301a9b8a8bb..f61186b626880 100644
--- a/docs/tutorials/clusters/apparmor.md
+++ b/docs/tutorials/clusters/apparmor.md
@@ -132,6 +132,7 @@ specifies the profile to apply. The `profile_ref` can be one of:
 
 * `runtime/default` to apply the runtime's default profile
 * `localhost/<profile_name>` to apply the profile loaded on the host with the name `<profile_name>`
+* `unconfined` to indicate that no profiles will be loaded
 
 See the [API Reference](#api-reference) for the full details on the annotation and profile name formats.
 
@@ -410,6 +411,7 @@ Specifying the profile a container will run with:
 - `localhost/<profile_name>`: Refers to a profile loaded on the node (localhost) by name.
   - The possible profile names are detailed in the
     [core policy reference](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Profile_names_and_attachment_specifications).
+- `unconfined`: This effectively disables AppArmor on the container.
 
 Any other profile reference format is invalid.