Konrad Eriksson
> Since AppArmor landed with 1.7 kernel it probably makes sense to backport

I think getting this into v1.7 fits nicely with the bump to Kubernetes 1.30 that includes...
I tried to validate whether this fixes the problem with AppArmor configured on a Pod causing it to get stuck in `Pending` with message `Cannot enforce AppArmor: AppArmor is not enabled...
I will write down the steps needed. It does include loading an AppArmor profile (with the `apparmor_parser` cmdline tool) via a (somewhat) privileged container. Where are the integration tests located today?
Here is a complete script for doing the test of both loading an AppArmor profile into the kernel and running a Pod with the profile enabled.

```sh
#!/bin/sh
NS=apparmor
kubectl create namespace $NS...
```
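The same end-to-end check as an added example written for this page; it is not Konrad's script (which is truncated above) and not Talos project code. It assumes Kubernetes 1.30 (the pod-level `securityContext.appArmorProfile` field), a loader image that can `apt-get install apparmor` to obtain `apparmor_parser` (Talos has no `/sbin/apparmor_parser` on the host, so the container must bring its own), and the namespace, profile and image names below, all of which are placeholders:

```sh
#!/bin/sh
# Added example (not the thread author's script): load an AppArmor profile into a
# node's kernel from a privileged Pod, then run a workload Pod that must be confined
# by it. Names, images and the Kubernetes 1.30 appArmorProfile field are assumptions.
set -eu

NS="${NS:-apparmor-test}"                       # assumed namespace
PROFILE="${PROFILE:-k8s-apparmor-deny-write}"   # assumed profile name
LOADER_IMAGE="${LOADER_IMAGE:-ubuntu:22.04}"    # assumed; apt provides apparmor_parser
WORKLOAD_IMAGE="${WORKLOAD_IMAGE:-busybox:1.36}" # assumed

# Profile: allow everything, deny all file writes (same shape as the upstream
# Kubernetes AppArmor tutorial profile). $1 = profile name.
profile_text() {
  cat <<EOF
#include <tunables/global>
profile $1 flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  deny /** w,
}
EOF
}

# Privileged Pod pinned to one node: mounts securityfs from the host, prints the
# kernel enablement flag, loads the profile and checks it is listed afterwards.
loader_manifest() {  # $1 namespace, $2 node, $3 profile name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: apparmor-loader, namespace: $1}
spec:
  nodeName: $2
  restartPolicy: Never
  containers:
  - name: loader
    image: ${LOADER_IMAGE}
    securityContext: {privileged: true}
    command: ["/bin/sh", "-ec"]
    args:
    - |
      apt-get update -qq && apt-get install -y -qq apparmor >/dev/null
      echo "kernel apparmor enabled: \$(cat /sys/module/apparmor/parameters/enabled)"
      apparmor_parser --replace /profiles/$3
      grep -F '$3' /sys/kernel/security/apparmor/profiles
    volumeMounts:
    - {name: profiles, mountPath: /profiles}
    - {name: securityfs, mountPath: /sys/kernel/security}
  volumes:
  - name: profiles
    configMap: {name: apparmor-profiles}
  - name: securityfs
    hostPath: {path: /sys/kernel/security, type: Directory}
EOF
}

# Workload Pod confined by the loaded profile; it must fail to create a file.
workload_manifest() {  # $1 namespace, $2 node, $3 profile name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: apparmor-workload, namespace: $1}
spec:
  nodeName: $2
  restartPolicy: Never
  securityContext:
    appArmorProfile: {type: Localhost, localhostProfile: $3}
  containers:
  - name: app
    image: ${WORKLOAD_IMAGE}
    command: ["/bin/sh", "-c"]
    args:
    - |
      if touch /tmp/should-fail; then echo "write succeeded: profile NOT enforced"; exit 1; fi
      echo "write denied: profile enforced"
EOF
}

run_test() {
  node="${NODE:-$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')}"
  tmp="$(mktemp -d)"
  profile_text "$PROFILE" > "$tmp/$PROFILE"
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" create configmap apparmor-profiles --from-file="$tmp/$PROFILE" \
    --dry-run=client -o yaml | kubectl apply -f -
  loader_manifest "$NS" "$node" "$PROFILE" | kubectl apply -f -
  kubectl -n "$NS" wait --for=jsonpath='{.status.phase}'=Succeeded pod/apparmor-loader --timeout=300s
  kubectl -n "$NS" logs apparmor-loader
  workload_manifest "$NS" "$node" "$PROFILE" | kubectl apply -f -
  # Failure mode from this thread: the Pod never leaves Pending. Surface the
  # kubelet's status message instead of only timing out.
  if ! kubectl -n "$NS" wait --for=jsonpath='{.status.phase}'=Succeeded pod/apparmor-workload --timeout=120s; then
    kubectl -n "$NS" get pod apparmor-workload -o jsonpath='{.status.phase}: {.status.message}{"\n"}'
    return 1
  fi
  kubectl -n "$NS" logs apparmor-workload
}

# Only talk to the cluster when asked explicitly: `sh apparmor-e2e.sh run`.
if [ "${1:-}" = "run" ]; then run_test; fi
```

Run it as `sh apparmor-e2e.sh run` against a cluster where `kubectl` already points at the right context. Both Pods are pinned to the same node with `nodeName`, because a profile loaded with `apparmor_parser` lives in that node's kernel only; on a multi-node cluster the loader would normally be a DaemonSet. If the workload Pod stays `Pending`, the script prints the kubelet's status message, which is where the `Cannot enforce AppArmor` text from this thread shows up.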
I've located the error `failed to generate apparmor spec opts: apparmor is not supported` to be coming from `containerd` https://github.com/containerd/containerd/blob/release/1.7/pkg/cri/server/container_create_linux.go#L505 which at the core relies on `containerd`'s own check `apparmor.HostSupports()`...
I was actually thinking about adding empty /sbin/apparmor_parser to Talos rootfs to try but didn't have my build-instance up. Not sure either what the connection is between containerd and moby...
I tried to add an empty `/sbin/apparmor_parser` via machine config but that wasn't allowed.

```yaml
machine:
  files:
    - content: ''
      permissions: 0o555
      path: /sbin/apparmor_parser
      op: create
```

Got this message during...
> @konrader we can put an empty `/sbin/apparmor_parser` to the rootfs if that helps, but I don't fully understand how it broke Moby? would it break some workloads on Talos...
I could reproduce the scenario with Kubernetes 1.30 running on Ubuntu 22.04 when I uninstalled the AppArmor userland tools (`apt remove apparmor` and reboot, since containerd caches the AppArmor enabled...
It does not seem possible to disable automatic applying of a default AppArmor profile (called `cri-containerd.apparmor.d`) in `containerd` for containers started via CRI (the interface Kubernetes uses) and it has...