Kubernetes apparmor annotation deprecated since kubernetes v1.30
Contributing guidelines
- [x] I've read the contributing guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [x] ... the documentation does not mention anything about my problem
- [x] ... there are no open or closed issues that are related to my problem
Description
When starting buildx with the kubernetes driver on a kubernetes cluster version v1.31 the command throws the following warning:
warnings.go:70] spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/buildkitd]: deprecated since v1.30; use the "appArmorProfile" field instead
Expected behaviour
There should be no warning in the docker buildx --driver kubernetes output
Actual behaviour
The command throws a warning:
W0528 07:54:48.294930 187 warnings.go:70] spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/buildkitd]: deprecated since v1.30; use the "appArmorProfile" field instead
Buildx version
github.com/docker/buildx v0.24.0 d0e5e86c8b88ae4865040bc96917c338f4dd673c
Docker info
Client:
Version: 28.1.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.24.0
Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.36.2
Path: /usr/local/libexec/docker/cli-plugins/docker-compose
Builders list
None, this is run within a pipeline, and the runners are (for now) spawned and killed within the same step, so they are not kept around
Configuration
Not applicable, any Dockerfile will produce this warning.
FROM scratch
Build logs
Additional info
According to the documentation since v1.30 the securityContext.appArmorProfile is used instead of an annotation.
Prior to Kubernetes v1.30, AppArmor was specified through annotations.
The annotation seems to be set here, I'm not sure how to make it use the securityContext instead so I won't be able to provide a PR.
https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/24-apparmor/README.md#removing-annotation-support
The deprecated annotation still remains functional, at least until v1.36 apparently
Still only one year has passed since the release of v1.30, but probably it is fine to just drop the support for v1.29 and older ones, as they have already reached the EOL? https://endoflife.date/kubernetes
@AkihiroSuda I'm not sure what the policy is for keeping support of the old Kubernetes versions.
Some providers give extended support for some versions, like EKS, which still supports kubernetes back to version 1.26.
But the securityContext field seems to have been declared stable back in 1.26, so making this change shouldn't be a problem even on the clusters running the oldest extended support of EKS.
Kubernetes 1.26 was released back in December 2022.
> But the securityContext field seems to have been declared stable back in 1.26, so making this change shouldn't be a problem even on the clusters running the oldest extended support of EKS.

No, the AppArmor fields were introduced in v1.30
- https://github.com/kubernetes/kubernetes/pull/123435
@AkihiroSuda 🤦 thanks for the correction. I misread the doc. Ok, so in that case it can be an issue with the old extended support versions on some cloud providers.
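
An added example, not part of the thread and not buildx's own code: one way a client could emit the `appArmorProfile` field on v1.30+ servers and fall back to the annotation on older ones, which is the compatibility concern raised above. The function and type names are hypothetical, the `unconfined` value and version strings are constructed samples, and gating on the server's reported version is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

const annotationPrefix = "container.apparmor.security.beta.kubernetes.io/" // legacy key prefix

// AppArmorProfile stands in for securityContext.appArmorProfile (local type).
type AppArmorProfile struct{ Type, LocalhostProfile string }

// fromAnnotation maps a legacy annotation value onto the field form.
func fromAnnotation(v string) (*AppArmorProfile, error) {
	switch name := strings.TrimPrefix(v, "localhost/"); {
	case v == "unconfined":
		return &AppArmorProfile{Type: "Unconfined"}, nil
	case v == "runtime/default":
		return &AppArmorProfile{Type: "RuntimeDefault"}, nil
	case name != v && name != "":
		return &AppArmorProfile{Type: "Localhost", LocalhostProfile: name}, nil
	}
	return nil, fmt.Errorf("unsupported AppArmor annotation value %q", v)
}

// hasField reports whether a server version such as "v1.31.0" is >= v1.30.
func hasField(gitVersion string) (bool, error) {
	var major, minor int
	if _, err := fmt.Sscanf(gitVersion, "v%d.%d", &major, &minor); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", gitVersion, err)
	}
	return major > 1 || (major == 1 && minor >= 30), nil
}

// plan returns the annotation for old servers or the field for new ones.
func plan(container, value, gitVersion string) (map[string]string, *AppArmorProfile, error) {
	if ok, err := hasField(gitVersion); err != nil {
		return nil, nil, err
	} else if !ok { // pre-1.30 API server only understands the annotation
		return map[string]string{annotationPrefix + container: value}, nil, nil
	}
	prof, err := fromAnnotation(value)
	return nil, prof, err
}

func main() {
	for _, ver := range []string{"v1.29.4", "v1.31.0"} { // constructed versions
		fmt.Println(plan("buildkitd", "unconfined", ver))
	}
}
```

Returning exactly one of the two forms keeps the Deployment free of the deprecation warning on v1.30+ while the AppArmor setting is still applied on older clusters.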