docker-default profile Deny kubelet kill signal when confined #42544

yacAk · 2021-06-21T19:22:27Z

Description
We are trying to confine Kubelet in an apparmor profile, we notcied that when kubelet tries to send a kill signal to a docker container that was under the docker-default apparmor profile. the signal is blocked.

Steps to reproduce the issue:

create apparmor profile for kubelet
schedule kubernetes crontab job with container using docker-default apprmor profile

Describe the results you received:

type=AVC msg=audit(1624302097.850:235338): apparmor="DENIED" operation="signal" profile="docker-default" pid=62086 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/kubelet"
type=AVC msg=audit(1624302097.850:235339): apparmor="DENIED" operation="signal" profile="docker-default" pid=62086 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/kubelet"
type=AVC msg=audit(1624302097.850:235340): apparmor="DENIED" operation="signal" profile="docker-default" pid=62086 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/kubelet"
type=AVC msg=audit(1624302097.850:235341): apparmor="DENIED" operation="signal" profile="docker-default" pid=62086 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/kubelet"
type=AVC msg=audit(1624302097.850:235342): apparmor="DENIED" operation="signal" profile="docker-default" pid=62086 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/kubelet"

Describe the results you expected:
the signal should be accepted and not denied when kubelet is confined

Additional information you deem important (e.g. issue happens only occasionally):
we tried using kubernetes v1.19.11
Output of docker version:

Client:
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        6247962
 Built:             Sun Feb 10 04:13:47 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 03:42:13 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Additional environment details (AWS, VirtualBox, physical, etc.):
OS Ubuntu 18.04.5 LTS

The text was updated successfully, but these errors were encountered:

thaJeztah added area/security/apparmor version/18.09 labels Jun 21, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docker-default profile Deny kubelet kill signal when confined #42544

docker-default profile Deny kubelet kill signal when confined #42544

yacAk commented Jun 21, 2021 •

edited

docker-default profile Deny kubelet kill signal when confined #42544

docker-default profile Deny kubelet kill signal when confined #42544

Comments

yacAk commented Jun 21, 2021 • edited

yacAk commented Jun 21, 2021 •

edited