fix(apparmor): allow sockets in cri-containerd profile (#5218) by bschimke95 · Pull Request #5235 · canonical/microk8s

bschimke95 · 2025-09-16T14:19:59Z

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials.

Fixes #5082
Fixes #5190
Fixes #5140

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix) needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships AppArmor 4.1.0, which is stricter and requires exact socket types to be set. This resolves "apparmor=DENIED operation=create class=net" denials. Fixes #5082 Fixes #5190 Fixes #5140

bschimke95 requested review from berkayoz and ktsakalozos September 16, 2025 14:19

bschimke95 mentioned this pull request Sep 16, 2025

fix(apparmor): allow sockets in cri-containerd profile #5218

Merged

3 tasks

berkayoz approved these changes Sep 16, 2025

View reviewed changes

bschimke95 merged commit 34f73f8 into 1.33 Sep 16, 2025
22 checks passed

bschimke95 deleted the KU-4123/strict-on-plucky-fix-backport-1.33 branch September 16, 2025 15:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(apparmor): allow sockets in cri-containerd profile (#5218)#5235

fix(apparmor): allow sockets in cri-containerd profile (#5218)#5235
bschimke95 merged 1 commit into1.33from
KU-4123/strict-on-plucky-fix-backport-1.33

bschimke95 commented Sep 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

bschimke95 commented Sep 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants