[cilium] Harden vendoring guard and clarify Talos annotation comment

- Broaden the grep guard in the Makefile update: target to match any
  container.apparmor.security.beta.kubernetes.io key, not only the
  quoted cilium-agent line. The previous pattern would silently pass
  if upstream switched to an unquoted annotation value, masking a
  failed perl patch; grepping for the prefix catches any residual
  hardcoded AppArmor annotation regardless of format.

- Rewrite the values.yaml comment to distinguish the two Talos-safe
  reasons: mount-cgroup is simply not rendered when
  cgroup.autoMount.enabled is false (Talos default), while the other
  annotations are harmless because kubelet ignores AppArmor metadata
  on nodes without the LSM loaded.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit fc9ef55c42)
This commit is contained in:
Aleksei Sviridkin 2026-04-11 15:20:55 +03:00 committed by github-actions[bot]
parent caacf92507
commit b0ca7ce577
2 changed files with 8 additions and 5 deletions

View file

@ -18,7 +18,7 @@ update:
# produce duplicate mapping keys on k8s<1.30.
perl -i -0pe 's|\n \{\{- if not \.Values\.securityContext\.privileged \}\}\n \{\{- if semverCompare "<1\.30\.0".*?\n \{\{- end \}\}\n \{\{- end \}\}\n \{\{- end \}\}||s' \
charts/cilium/templates/cilium-agent/daemonset.yaml
@! grep -q 'container\.apparmor\.security\.beta\.kubernetes\.io/cilium-agent: "unconfined"' \
@! grep -q 'container\.apparmor\.security\.beta\.kubernetes\.io' \
charts/cilium/templates/cilium-agent/daemonset.yaml || \
{ echo 'ERROR: perl patch did not remove the upstream AppArmor block from cilium-agent/daemonset.yaml (upstream template format may have changed)' >&2; exit 1; }
version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \

View file

@ -31,10 +31,13 @@ cilium:
# The deprecated annotations are used because k8s >= 1.30 pod-level
# appArmorProfile: Unconfined is not honoured by containerd CRI today
# (kubernetes/kubernetes#125069).
# Safe on Talos / RHEL family without AppArmor: kubelet ignores these
# annotations when the AppArmor LSM is not loaded.
# mount-bpf-fs is intentionally excluded: it runs as privileged, and the
# kernel does not apply AppArmor profiles to privileged containers.
# On Talos mount-cgroup is not rendered (cgroup.autoMount.enabled=false in
# values-talos.yaml) so its annotation is inert there. On RHEL-family and
# other AppArmor-less hosts kubelet silently ignores these annotations
# because the AppArmor LSM is not loaded.
# mount-bpf-fs is intentionally excluded: it renders with its own
# securityContext.privileged=true, and the kernel does not apply AppArmor
# profiles to privileged containers.
podAnnotations:
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined