apparmor selector seems invalid for deployment type manifests #331

@brucelee138

Description

Describe the bug
kubesec scan uses the selector `.metadata .annotations ."container.apparmor.security.beta.kubernetes.io/nginx"` for apparmor. While this works fine for the kind "pod", it doesn't apply for the kind "deployment". (kubernetes/kubernetes#66216)
The selector should rather be `.spec.template.metadata.annotations:"container.apparmor.security.beta.kubernetes.io/nginx"`

To Reproduce
Run a Kubesec scan with a deployment manifest, fix the apparmor warning and apply the manifest; it can then be seen that the apparmor profile is not honoured by the pod.

Expected behaviour
Kubesec scan should handle apparmor selector for deployment differently, else it would report false positives.

Deployment manifest used:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  selector:
    matchLabels:
      app: dummy
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/dummy: "runtime/default"
```

Resulting pod:

```
master-0-project-stack:~> kubectl describe po dummy-pod -n monitoring | grep -i app
Labels:       app=dummy
Annotations:  container.apparmor.security.beta.kubernetes.io/dummy: runtime/default
```

Kubesec output:

```json
"advise": [
  {
    "id": "ApparmorAny",
    "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
    "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
    "points": 3
  },
```
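To illustrate the false positive, here is an added example (not kubesec's code) that resolves the AppArmor annotation from the pod template for workload kinds and compares it with a lookup restricted to the top-level `.metadata.annotations`; the set of templated kinds, the `metadata.name` and the `nginx` image in the sample Deployment are assumptions not taken from the issue.

```python
# Added example (not kubesec's code): find AppArmor annotations at the path that
# matches the manifest kind, so a Deployment is checked under
# .spec.template.metadata.annotations instead of .metadata.annotations.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Kinds whose pods are created from a pod template (assumed list).
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_metadata(manifest):
    """Return the metadata block that actually ends up on the scheduled pod."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("metadata", {})
    if kind in TEMPLATED_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("metadata", {})
    if kind == "CronJob":  # one level deeper: spec.jobTemplate.spec.template
        return (manifest.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("metadata", {}))
    return {}


def _profiles(annotations):
    return {k[len(APPARMOR_PREFIX):]: v
            for k, v in annotations.items() if k.startswith(APPARMOR_PREFIX)}


def apparmor_profiles(manifest):
    """Map container name -> AppArmor profile from the effective pod annotations."""
    return _profiles(pod_metadata(manifest).get("annotations") or {})


def naive_apparmor_profiles(manifest):
    """The lookup the issue describes: only the top-level .metadata.annotations."""
    return _profiles(manifest.get("metadata", {}).get("annotations") or {})


# Constructed sample: the Deployment from the issue as a dict (name/image assumed).
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "dummy"},
    "spec": {
        "selector": {"matchLabels": {"app": "dummy"}},
        "template": {
            "metadata": {"annotations": {APPARMOR_PREFIX + "dummy": "runtime/default"}},
            "spec": {"containers": [{"name": "dummy", "image": "nginx"}]},
        },
    },
}

if __name__ == "__main__":
    print("top-level lookup:", naive_apparmor_profiles(DEPLOYMENT))  # {} -> false positive
    print("kind-aware lookup:", apparmor_profiles(DEPLOYMENT))       # {'dummy': 'runtime/default'}
```

The first lookup returns nothing for the Deployment even though the pod it creates does carry the profile, which is exactly the warning the report calls a false positive.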
