
Commit 719bcb7

fix(k3s): allow all signal operations in AppArmor profile for pod termination (#76)
Replaced restrictive signal receive rules with unrestricted `signal,` rule so runc can send SIGTERM/SIGKILL to container init processes during pod termination.
1 parent b74edcc commit 719bcb7

3 files changed

Lines changed: 10 additions & 5 deletions

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [1.3.11] - 2026-03-31
11+
12+
### Fixed
13+
14+
- Replaced restrictive AppArmor signal rules (`signal (receive) peer=unconfined` and `signal (receive) peer=cri-containerd.apparmor.d`) with unrestricted `signal,` in k3s security profile; runc requires full signal capabilities (send/receive) to deliver SIGTERM/SIGKILL to container init processes during pod termination
15+
1016
## [1.3.10] - 2026-03-28
1117

1218
### Fixed
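Review bot: the changelog entry (lines 14-15) records only what runc needs from the new rule, but a bare `signal,` in AppArmor grants every signal permission (send and receive, all signals, any peer), so the entry should also state that confined container processes may now send signals to processes outside the container. That makes this a relaxation of the profile rather than purely a fix, and operators reading the changelog should be able to see it; a short addition such as "Note: `signal,` also grants send permission to all peers" would cover it.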

galaxy.yml

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
namespace: arillso
33
name: container
4-
version: 1.3.10
4+
version: 1.3.11
55
readme: README.md
66

77
authors:

roles/k3s/tasks/security.yml

Lines changed: 3 additions & 4 deletions
@@ -145,10 +145,9 @@
145145
file,
146146
umount,
147147
148-
# Host (privileged) processes may send signals to container processes.
149-
signal (receive) peer=unconfined,
150-
# Manager may send signals to container processes.
151-
signal (receive) peer=cri-containerd.apparmor.d,
148+
# Allow all signal operations (send/receive) — required for runc to
149+
# signal container init processes (SIGTERM/SIGKILL) during pod termination.
150+
signal,
152151
153152
deny @{PROC}/* w,
154153
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
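Review bot: the replacement on line 150 is broader than the problem described in the comment on lines 148-149 requires. For runc to deliver SIGTERM/SIGKILL the container only has to be able to receive signals from runc's label; it does not need confined processes to send signals to arbitrary peers, which is what an unqualified `signal,` permits (bounded afterwards only by DAC, so a root process in the container can signal any root-owned host process it can see). The removed rules already allowed receiving from `unconfined` and `cri-containerd.apparmor.d`; what they did not cover is signals exchanged between processes confined by this same profile (a container init terminating its children, for instance) and runc when it is itself confined under a `runc` profile on hosts that ship one. Suggest keeping the two receive rules and adding the narrower grants instead of `signal,`, e.g. `signal (send,receive) peer=<this profile's name, not shown in the hunk>,` plus `signal (receive) peer=runc,` where a runc profile exists, then confirming with the kernel's `apparmor="DENIED" operation="signal"` audit messages that no denials remain during pod termination.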
