[cilium] Harden vendoring guard and clarify Talos annotation comment
- Broaden the grep guard in the Makefile update: target to match any
container.apparmor.security.beta.kubernetes.io key, not only the
quoted cilium-agent line. The previous pattern would silently pass
if upstream switched to an unquoted annotation value, masking a
failed perl patch; grepping for the prefix catches any residual
hardcoded AppArmor annotation regardless of format.
- Rewrite the values.yaml comment to distinguish the two Talos-safe
reasons: mount-cgroup is simply not rendered when
cgroup.autoMount.enabled is false (Talos default), while the other
annotations are harmless because kubelet ignores AppArmor metadata
on nodes without the LSM loaded.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit fc9ef55c42)
This commit is contained in:
parent
caacf92507
commit
b0ca7ce577
2 changed files with 8 additions and 5 deletions
|
|
@ -18,7 +18,7 @@ update:
|
|||
# produce duplicate mapping keys on k8s<1.30.
|
||||
perl -i -0pe 's|\n \{\{- if not \.Values\.securityContext\.privileged \}\}\n \{\{- if semverCompare "<1\.30\.0".*?\n \{\{- end \}\}\n \{\{- end \}\}\n \{\{- end \}\}||s' \
|
||||
charts/cilium/templates/cilium-agent/daemonset.yaml
|
||||
@! grep -q 'container\.apparmor\.security\.beta\.kubernetes\.io/cilium-agent: "unconfined"' \
|
||||
@! grep -q 'container\.apparmor\.security\.beta\.kubernetes\.io' \
|
||||
charts/cilium/templates/cilium-agent/daemonset.yaml || \
|
||||
{ echo 'ERROR: perl patch did not remove the upstream AppArmor block from cilium-agent/daemonset.yaml (upstream template format may have changed)' >&2; exit 1; }
|
||||
version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \
|
||||
|
|
|
|||
|
|
@ -31,10 +31,13 @@ cilium:
|
|||
# The deprecated annotations are used because k8s >= 1.30 pod-level
|
||||
# appArmorProfile: Unconfined is not honoured by containerd CRI today
|
||||
# (kubernetes/kubernetes#125069).
|
||||
# Safe on Talos / RHEL family without AppArmor: kubelet ignores these
|
||||
# annotations when the AppArmor LSM is not loaded.
|
||||
# mount-bpf-fs is intentionally excluded: it runs as privileged, and the
|
||||
# kernel does not apply AppArmor profiles to privileged containers.
|
||||
# On Talos mount-cgroup is not rendered (cgroup.autoMount.enabled=false in
|
||||
# values-talos.yaml) so its annotation is inert there. On RHEL-family and
|
||||
# other AppArmor-less hosts kubelet silently ignores these annotations
|
||||
# because the AppArmor LSM is not loaded.
|
||||
# mount-bpf-fs is intentionally excluded: it renders with its own
|
||||
# securityContext.privileged=true, and the kernel does not apply AppArmor
|
||||
# profiles to privileged containers.
|
||||
podAnnotations:
|
||||
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
|
||||
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue