[cilium] Move AppArmor podAnnotations to a non-Talos-only values file
E2E revealed that the kube-apiserver rejects a DaemonSet carrying a
per-container AppArmor annotation for a container that is not present
in the pod spec:
DaemonSet.apps 'cilium' is invalid:
spec.template.annotations[container.apparmor.security.beta.kubernetes.io/mount-cgroup]:
Invalid value: 'mount-cgroup': container not found
On Talos (isp-full bundle) values-talos.yaml sets
cgroup.autoMount.enabled=false, so the upstream chart does not render
the mount-cgroup init container, and our unconditional podAnnotations
entry for it becomes an invalid reference.
Move the podAnnotations block from the shared values.yaml into a new
values-apparmor.yaml and include it only in the cilium-generic and
kubeovn-cilium-generic PackageSource variants, where
cgroup.autoMount.enabled is explicitly true. Talos variants
(cilium, cilium-kilo, kubeovn-cilium) get no AppArmor annotations,
which is safe because the Talos kernel does not load the AppArmor
LSM anyway.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit abd6667eb3)
This commit is contained in:
parent
b0ca7ce577
commit
5fc12d44b7
3 changed files with 22 additions and 20 deletions
|
|
@ -66,6 +66,7 @@ spec:
|
|||
path: system/cilium
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- values-apparmor.yaml
|
||||
install:
|
||||
privileged: true
|
||||
namespace: cozy-cilium
|
||||
|
|
@ -117,6 +118,7 @@ spec:
|
|||
path: system/cilium
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- values-apparmor.yaml
|
||||
- values-kubeovn.yaml
|
||||
install:
|
||||
privileged: true
|
||||
|
|
|
|||
20
packages/system/cilium/values-apparmor.yaml
Normal file
20
packages/system/cilium/values-apparmor.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
cilium:
|
||||
# Opt out of the cri-containerd.apparmor.d profile for containers that invoke
|
||||
# nsenter to join the host cgroup/mount namespace. The kernel reports the
|
||||
# denial as a blocked "ptrace" operation. Required on Ubuntu 22.04+ and
|
||||
# other distros that load this AppArmor profile by default, where the
|
||||
# denial otherwise puts cilium-agent into Init:CrashLoopBackOff.
|
||||
# The deprecated annotations are used because k8s >= 1.30 pod-level
|
||||
# appArmorProfile: Unconfined is not honoured by containerd CRI today
|
||||
# (kubernetes/kubernetes#125069).
|
||||
# Only applied on non-Talos cilium variants where cgroup.autoMount.enabled is
|
||||
# true — on Talos mount-cgroup is not rendered and the kube-apiserver would
|
||||
# reject an annotation referencing a non-existent container.
|
||||
# mount-bpf-fs is intentionally excluded: it renders with its own
|
||||
# securityContext.privileged=true, and the kernel does not apply AppArmor
|
||||
# profiles to privileged containers.
|
||||
podAnnotations:
|
||||
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
|
||||
|
|
@ -23,23 +23,3 @@ cilium:
|
|||
operator:
|
||||
rollOutPods: true
|
||||
replicas: 1
|
||||
# Opt out of the cri-containerd.apparmor.d profile for containers that invoke
|
||||
# nsenter to join the host cgroup/mount namespace. The kernel reports the
|
||||
# denial as a blocked "ptrace" operation. Required on Ubuntu 22.04+ and
|
||||
# other distros that load this AppArmor profile by default, where the
|
||||
# denial otherwise puts cilium-agent into Init:CrashLoopBackOff.
|
||||
# The deprecated annotations are used because k8s >= 1.30 pod-level
|
||||
# appArmorProfile: Unconfined is not honoured by containerd CRI today
|
||||
# (kubernetes/kubernetes#125069).
|
||||
# On Talos mount-cgroup is not rendered (cgroup.autoMount.enabled=false in
|
||||
# values-talos.yaml) so its annotation is inert there. On RHEL-family and
|
||||
# other AppArmor-less hosts kubelet silently ignores these annotations
|
||||
# because the AppArmor LSM is not loaded.
|
||||
# mount-bpf-fs is intentionally excluded: it renders with its own
|
||||
# securityContext.privileged=true, and the kernel does not apply AppArmor
|
||||
# profiles to privileged containers.
|
||||
podAnnotations:
|
||||
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue