Description
Summary
I have Ubuntu 25.10. Due to project requirements, I need to install juju, which requires microk8s to be running in strict confinement mode. I have tried installing microk8s with `sudo snap install microk8s --channel=1.32-strict/stable` and `sudo snap install microk8s --channel=1.32-strict/stable --devmode`. When I inspect the system pods, I notice that the calico-kube-controllers and coredns pods are in CrashLoopBackOff status. Running snappy-debug revealed that AppArmor denies all operations.
This is the snappy-debug output with microk8s installed without devmode:
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.microk8s.daemon-cluster-agent" pid=235156 comm="sed" capability=4 capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.microk8s.daemon-cluster-agent" pid=235189 comm="sed" capability=4 capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="open" class="file" profile="snap.microk8s.daemon-cluster-agent" name="/usr/sbin/" pid=235204 comm="kubectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/sbin/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'steam-support' to 'plugs'
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="open" class="file" profile="snap.microk8s.daemon-cluster-agent" name="/usr/games/" pid=235204 comm="kubectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/games/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=236550 comm="kube-controller" family="inet" sock_type="stream" protocol=0 requested="create" denied="create"
Here is the snappy-debug output with microk8s installed with the --devmode flag:
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="ALLOWED" operation="capable" class="cap" profile="snap.microk8s.daemon-cluster-agent" pid=255252 comm="sed" capability=4 capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=256672 comm="kube-controller" family="inet" sock_type="stream" protocol=0 requested="create" denied="create"
= AppArmor =
Time: 2025-07-15T14:0
Log: apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=256770 comm="coredns" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
As can be seen, AppArmor allows microk8s operations in devmode, but containerd still blocks normal operation of microk8s. I guess I could try disabling AppArmor for containerd, but this seems not to be the best solution from a security standpoint.
What Should Happen Instead?
microk8s should be able to run in strict mode.
Reproduction Steps
- Install microk8s: `sudo snap install microk8s --channel=1.32-strict/stable`
Introspection Report
inspection-report-20250715_141315.tar.gz
Are you interested in contributing with a fix?
Potentially yes, but I lack the necessary knowledge.
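The snappy-debug output above mixes two different enforcers: the snap's own profile (`snap.microk8s.daemon-cluster-agent`) and containerd's runtime profile (`cri-containerd.apparmor.d`), and in devmode only the former switches to ALLOWED. The following is an added triage helper, not code from the reporter or the microk8s project: it parses AppArmor audit lines in the format shown in the report and groups the DENIED events by the profile that enforced them, so it is immediately visible which denials devmode cannot remove. The sample log is constructed from lines quoted in the issue.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format snappy-debug printed in the report above
# (values taken from the issue; this is a sample, not the full log).
SAMPLE_LOG = """\
apparmor="DENIED" operation="capable" class="cap" profile="snap.microk8s.daemon-cluster-agent" pid=235156 comm="sed" capability=4 capname="fsetid"
apparmor="DENIED" operation="open" class="file" profile="snap.microk8s.daemon-cluster-agent" name="/usr/sbin/" pid=235204 comm="kubectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=236550 comm="kube-controller" family="inet" sock_type="stream" protocol=0 requested="create" denied="create"
apparmor="ALLOWED" operation="capable" class="cap" profile="snap.microk8s.daemon-cluster-agent" pid=255252 comm="sed" capability=4 capname="fsetid"
apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=256770 comm="coredns" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
"""

# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one AppArmor audit line into a dict, with quotes stripped."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def describe(ev):
    """Short description of the object the profile acted on, by event class."""
    cls = ev.get("class")
    if cls == "cap":
        return "CAP_" + ev["capname"].upper()
    if cls == "file":
        return f'{ev["operation"]} {ev["name"]} ({ev.get("denied_mask", "?")})'
    if cls == "net":
        return f'{ev["operation"]} {ev["family"]}/{ev["sock_type"]} socket'
    return ev.get("operation", "unknown")


def denials_by_profile(log_text):
    """Group DENIED events by confining profile -> sorted unique 'comm: what'."""
    # ALLOWED events (devmode audit noise) are skipped, so only real blocks
    # remain, attributed to the profile that enforced them.
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if 'apparmor="' not in line:
            continue
        ev = parse_event(line)
        if ev.get("apparmor") != "DENIED":
            continue
        grouped[ev["profile"]].add(f'{ev["comm"]}: {describe(ev)}')
    return {profile: sorted(items) for profile, items in grouped.items()}
```

Run against the full output of `snappy-debug` (or the `audit:` lines from `journalctl -k`); any entry left under `cri-containerd.apparmor.d` is a containerd-side policy question rather than a snap plug to add.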