
fix(apparmor): allow sockets in cri-containerd profile#5218

Merged
bschimke95 merged 4 commits into master from KU-4123/strict-on-plucky-fix
Sep 9, 2025

Conversation

@bschimke95
Contributor

Summary

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials which we've seen in the following issues:

Fixes #5082
Fixes #5190
Fixes #5140

Testing

Tested in multipass on noble and plucky.

ubuntu@plucky:~$ sudo microk8s.kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS        AGE
default       test-nginx                                 1/1     Running   0               67s
kube-system   calico-kube-controllers-6d7fffdff7-vdb6g   1/1     Running   1 (5m19s ago)   13m
kube-system   calico-node-8vbgv                          1/1     Running   1 (5m19s ago)   13m
kube-system   coredns-66ffc85ffb-977ns                   1/1     Running   1 (5m19s ago)   13m
kube-system   hostpath-provisioner-7d98b6886b-4dkt7      1/1     Running   0               4m9s

Checklist

  • Read the contributions page.
  • Submitted the CLA form, if you are a first time contributor.
  • The introduced changes are covered by unit and/or integration tests.
    We don't test microk8s yet on plucky, which we should eventually introduce in a separate PR.
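As an added example (not code from this PR or the microk8s project): a small Python triage helper that parses AppArmor audit records of the kind the PR description quotes (`apparmor="DENIED" operation="create" class="net"`), groups them by socket family and type, and emits the narrowest `network <family> <type>,` rules that would cover them. The profile name, process names and log lines below are constructed samples, not taken from the linked issues.

```python
import re
from collections import OrderedDict

# Constructed sample audit records (not from the PR). The field layout follows
# AppArmor's class=net denial messages: family, sock_type and protocol
# identify the socket the confined program tried to create.
SAMPLE_DENIALS = """\
type=AVC msg=audit(1757426400.101:301): apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=4101 comm="coredns" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1757426400.102:302): apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=4102 comm="coredns" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1757426400.103:303): apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=4103 comm="kube-controller" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1757426400.104:304): apparmor="DENIED" operation="create" class="net" profile="cri-containerd.apparmor.d" pid=4104 comm="coredns" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1757426400.105:305): apparmor="DENIED" operation="open" class="file" profile="cri-containerd.apparmor.d" pid=4105 comm="nginx" name="/etc/shadow" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1757426400.106:306): apparmor="ALLOWED" operation="create" class="net" profile="other" pid=4106 comm="x" family="inet" sock_type="raw" protocol=1
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit record, with quotes stripped."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(line)}


def net_denials(lines, profile=None):
    """Yield (family, sock_type, comm) for every DENIED class=net record,
    optionally restricted to one AppArmor profile."""
    for line in lines.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("class") != "net":
            continue  # file/capability denials and ALLOWED (complain-mode) records are not socket problems
        if profile and f.get("profile") != profile:
            continue
        yield f["family"], f["sock_type"], f.get("comm", "?")


def suggest_rules(lines, profile=None):
    """Build the minimal set of `network <family> <type>,` rules covering the
    observed denials, each annotated with the programs that triggered it.
    Emitting family+type (not a bare `network,`) keeps the allowance as narrow
    as the denials justify."""
    seen = OrderedDict()
    for family, sock_type, comm in net_denials(lines, profile):
        seen.setdefault((family, sock_type), set()).add(comm)
    return [f"network {fam} {typ},  # seen from: {', '.join(sorted(c))}"
            for (fam, typ), c in seen.items()]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_DENIALS, profile="cri-containerd.apparmor.d"):
        print(rule)
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output from a node showing the denials and review each suggested rule before adding it to the profile; the duplicate coredns record collapses into one rule, and the file denial is deliberately left out because it needs a different rule type.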

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix)
needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships
AppArmor 4.1.0, which is stricter and requires exact socket types to be set.
This resolves "apparmor=DENIED operation=create class=net" denials.

Fixes #5082
Fixes #5190
Fixes #5140
Member

@ktsakalozos ktsakalozos left a comment


LGTM +1

Member

@berkayoz berkayoz left a comment


Great work!

@bschimke95 bschimke95 changed the title from "fix(apparmor): allow inet/inet6/unix sockets in cri-containerd profile" to "fix(apparmor): allow sockets in cri-containerd profile" Sep 9, 2025
@bschimke95 bschimke95 merged commit 3398719 into master Sep 9, 2025
23 checks passed
@bschimke95 bschimke95 deleted the KU-4123/strict-on-plucky-fix branch September 9, 2025 13:20
@cdkbot

cdkbot commented Sep 9, 2025

Git push to origin failed for 1.32 with exitcode 1

@cdkbot

cdkbot commented Sep 9, 2025

Git push to origin failed for 1.32-strict with exitcode 1

@canonical canonical deleted a comment from cdkbot Sep 16, 2025
@canonical canonical deleted a comment from cdkbot Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
@bschimke95
Contributor Author

Manual backports:
#5233
#5232
#5235
#5234

bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
bschimke95 added a commit that referenced this pull request Sep 16, 2025
jujubot added a commit to juju/juju that referenced this pull request Sep 23, 2025
#20697

This PR updates the version of the Microk8s snap that is installed in our CI tests. Ubuntu 24.04 and higher have introduced a change in apparmor rules that broke the strict microk8s snap. See [here](canonical/microk8s#5190).

The fix is [here](canonical/microk8s#5218). It seems the fix was backported to Microk8s 1.32 and 1.33 based on the labels in that PR but testing 1.32 still fails so I've bumped up to 1.34 and I haven't tested 1.33. This change should fix failing Microk8s smoke tests.
HomayoonAlimohammadi pushed a commit that referenced this pull request Dec 18, 2025