Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install/kubernetes: add AppArmor profile to Cilium Daemonset #32199

Merged
merged 1 commit into from
Apr 29, 2024
Merged

install/kubernetes: add AppArmor profile to Cilium Daemonset #32199

merged 1 commit into from
Apr 29, 2024

Conversation

aanm
Copy link
Member

@aanm aanm commented Apr 26, 2024

Starting from k8s 1.30 together with Ubuntu 24.04, Cilium fails to initialize with the error:

Error: applying apparmor profile to container 43ed6b4ba299559e8eac46a32f3246d9c54aca71a9b460576828b662147558fa: empty localhost AppArmor profile is forbidden

This commit adds the "Unconfined" as default, where users can overwrite it with any of the AppArmor profiles available on their environments.

Fixes #32198

@aanm aanm added sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. release-note/misc This PR makes changes that have no direct user impact. labels Apr 26, 2024
@aanm aanm requested review from a team as code owners April 26, 2024 08:09
@aanm aanm requested a review from nebril April 26, 2024 08:09
@aanm
Copy link
Member Author

aanm commented Apr 26, 2024

/test

@aanm aanm enabled auto-merge April 26, 2024 08:09
@aanm
Copy link
Member Author

aanm commented Apr 26, 2024

/test

@aanm aanm added affects/v1.13 This issue affects v1.13 branch affects/v1.14 This issue affects v1.14 branch affects/v1.15 This issue affects v1.15 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 26, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.15.5 Apr 26, 2024
@aanm
Copy link
Member Author

aanm commented Apr 26, 2024

/test

@aanm aanm requested a review from a team as a code owner April 26, 2024 19:23
@aanm aanm requested a review from mhofstetter April 26, 2024 19:23
@aanm
Copy link
Member Author

aanm commented Apr 26, 2024

/test

@aanm
Copy link
Member Author

aanm commented Apr 26, 2024

/test

mhofstetter
mhofstetter approved these changes Apr 29, 2024
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@aanm
Copy link
Member Author

aanm commented Apr 29, 2024

/test

@aanm
install/kubernetes: add AppArmor profile to Cilium Daemonset
cf972f9 
Starting from k8s 1.30 together with Ubuntu 24.04, Cilium fails to
initialize with the error:

```
Error: applying apparmor profile to container 43ed6b4ba299559e8eac46a32f3246d9c54aca71a9b460576828b662147558fa: empty localhost AppArmor profile is forbidden
```

This commit adds the "Unconfined" as default, where users can overwrite
it with any of the AppArmor profiles available on their environments, to
all the pods that have the "container.apparmor.security.beta.kubernetes.io"
annotations.

Signed-off-by: André Martins <andre@cilium.io>
@aanm
Copy link
Member Author

aanm commented Apr 29, 2024

/test

@aanm aanm added this pull request to the merge queue Apr 29, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 29, 2024
Merged via the queue into cilium:main with commit 2136418 Apr 29, 2024
62 of 64 checks passed
@aanm aanm deleted the pr/add-seccompprofile branch April 29, 2024 20:36
@pippolo84 pippolo84 mentioned this pull request May 6, 2024
Merged
14 tasks
@pippolo84 pippolo84 added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels May 6, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.15 in 1.15.5 May 6, 2024
@jadedeane jadedeane mentioned this pull request May 8, 2024
Closed
3 tasks
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels May 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.15 in 1.15.5 May 8, 2024
@nebril nebril mentioned this pull request May 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebril nebril nebril approved these changes

@mhofstetter mhofstetter mhofstetter approved these changes

Assignees
No one assigned
Labels
affects/v1.13 This issue affects v1.13 branch affects/v1.14 This issue affects v1.14 branch affects/v1.15 This issue affects v1.15 branch backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
Projects
No open projects
cilium v1.15.5
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cilium pod got Init:CreateContainerError on Ubuntu 24.04, k8s 1.30
4 participants
@aanm @nebril @mhofstetter @pippolo84