From e264540a0e6616718a419c1c4fc21ae4bed898d7 Mon Sep 17 00:00:00 2001
From: Benjamin Schimke
Date: Tue, 9 Sep 2025 15:20:30 +0200
Subject: [PATCH] fix(apparmor): allow sockets in cri-containerd profile (#5218)

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials.

Fixes #5082
Fixes #5190
Fixes #5140
---
 .github/workflows/build-snap.yml | 2 +-
 microk8s-resources/containerd-profile | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-snap.yml b/.github/workflows/build-snap.yml
index 1e50e9f42c..e7bb812c59 100644
--- a/.github/workflows/build-snap.yml
+++ b/.github/workflows/build-snap.yml
@@ -58,7 +58,7 @@ jobs:
 name: Test core addons
 runs-on: ubuntu-latest
 needs: build
- timeout-minutes: 30
+ timeout-minutes: 60
 env:
 # Avoid truncated "ps" output
 COLUMNS: 2048
diff --git a/microk8s-resources/containerd-profile b/microk8s-resources/containerd-profile
index 50a4c7f012..bd638bd75d 100644
--- a/microk8s-resources/containerd-profile
+++ b/microk8s-resources/containerd-profile
@@ -6,7 +6,11 @@ profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
 #include
- network,
+ network inet,
+ network inet6,
+ network unix,
+ network netlink,
+
 capability,
 file,
 umount,
@@ -37,4 +41,4 @@ profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
 signal (receive) peer=snap.microk8s.daemon-kubelite,
 signal (receive) peer=snap.microk8s.daemon-containerd,
-}
\ No newline at end of file
+}
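Review bot: Replacing the catch-all `network,` with four named families in the `@@ -6,7 +6,11 @@` hunk also revokes every other address family the old rule granted (`packet`, `vsock`, `bluetooth`, ...), which neither the hunk nor the commit description mentions; a workload that opens an AF_PACKET socket (DHCP clients, packet capture, some CNI tooling) would presumably now hit the very `class=net` denial this change sets out to fix, so either add `network packet,` if a supported addon needs it or state the narrowing explicitly. Note also that these rules name address families, not socket types — the type (stream/dgram/raw) is still left open by `network inet,` — so the description's "requires exact socket types" wording is misleading. A comment above the block would save the next maintainer from collapsing it back to `network,`: `# AppArmor >= 4.1 mediates socket families strictly; list each required family explicitly (see #5082).` The enclosing `profile cri-containerd.apparmor.d { ... }` block starts and ends outside this hunk.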