fix(apparmor): allow sockets in cri-containerd profile (Backport #5218) by bschimke95 · Pull Request #5232 · canonical/microk8s

bschimke95 · 2025-09-16T14:15:15Z

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials.

Fixes #5082
Fixes #5190
Fixes #5140

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials. Fixes #5082 Fixes #5190 Fixes #5140

bschimke95 requested review from berkayoz and ktsakalozos September 16, 2025 14:15

bschimke95 mentioned this pull request Sep 16, 2025

fix(apparmor): allow sockets in cri-containerd profile #5218

Merged

3 tasks

berkayoz approved these changes Sep 16, 2025

View reviewed changes

bschimke95 merged commit e7237f1 into 1.32-strict Sep 16, 2025
22 checks passed

bschimke95 deleted the KU-4123/strict-on-plucky-fix-backport-1.32-strict branch September 16, 2025 15:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(apparmor): allow sockets in cri-containerd profile (Backport #5218)#5232

fix(apparmor): allow sockets in cri-containerd profile (Backport #5218)#5232
bschimke95 merged 1 commit into1.32-strictfrom
KU-4123/strict-on-plucky-fix-backport-1.32-strict

bschimke95 commented Sep 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

bschimke95 commented Sep 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants