Podman AppArmor profile for kubernetes #20382
Unanswered
franrebo84
asked this question in
Q&A
Replies: 1 comment
We mainly work with SELinux in the core team, so not likely to get help from us.
After following this great article https://www.redhat.com/sysadmin/podman-inside-kubernetes, I'm facing the following issue for the non-privileged scenario:
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: permission denied
This is because AppArmor is denying the mount syscall for fuse-overlay in the Kubernetes node OS.
I was able to fix it by setting the AppArmor profile to unconfined with a Kubernetes annotation: container.apparmor.security.beta.kubernetes.io/no-priv: unconfined
But this is more a workaround than a proper solution to the issue.
I couldn't find any documentation for this and most of the similar issues said to just use the annotation.
Was anyone able to create a working AppArmor profile for this?
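The least-privilege alternative to `unconfined` is to read the node's AppArmor `DENIED` audit lines (the reported flags `0x1000` is `MS_BIND`, a bind mount of the overlay store onto itself) and allow exactly those operations. The helper below, added here as an illustration and not code from the thread, Podman or the Red Hat article, turns such denial lines into candidate profile rules; the sample lines, the profile name `podman-k8s` and the rule syntax it emits are assumptions to be checked against `apparmor_parser` on the node.

```python
import re

# Constructed sample denials (not taken from the thread); their shape follows the
# kernel's audit/dmesg format for AppArmor mount, file and capability denials.
SAMPLE_DENIALS = [
    'audit: type=1400 audit(1698000000.101:12): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="podman-k8s" '
    'name="/var/lib/containers/storage/overlay/" pid=4711 comm="podman" '
    'srcname="/var/lib/containers/storage/overlay/" flags="rw, bind"',
    'audit: type=1400 audit(1698000000.102:13): apparmor="DENIED" operation="mount" '
    'info="failed type match" error=-13 profile="podman-k8s" '
    'name="/var/lib/containers/storage/overlay/abc/merged/" pid=4712 '
    'comm="fuse-overlayfs" fstype="fuse.fuse-overlayfs" srcname="fuse-overlayfs" '
    'flags="rw, nosuid, nodev"',
    'audit: type=1400 audit(1698000000.103:14): apparmor="DENIED" operation="open" '
    'profile="podman-k8s" name="/dev/fuse" pid=4712 comm="fuse-overlayfs" '
    'requested_mask="rw" denied_mask="rw"',
    'audit: type=1400 audit(1698000000.104:15): apparmor="DENIED" operation="capable" '
    'profile="podman-k8s" pid=4711 comm="podman" capability=21 capname="sys_admin"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line, or None if not a denial."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def rule_for(d):
    """Translate one denial into the narrowest AppArmor rule that would allow it."""
    op = d.get("operation")
    if op == "mount":                       # mount [fstype=] [options=()] [src ->] dest,
        parts = ["mount"]
        if "fstype" in d:
            parts.append(f"fstype={d['fstype']}")
        if "flags" in d:                    # "rw, bind" -> options=(rw,bind)
            parts.append("options=(" + ",".join(f.strip() for f in d["flags"].split(",")) + ")")
        if "srcname" in d:
            parts += [d["srcname"], "->"]
        parts.append(d["name"] + ",")
        return " ".join(parts)
    if op == "capable":                     # mount(2) itself needs CAP_SYS_ADMIN
        return f"capability {d['capname']},"
    if "denied_mask" in d:                  # file access: path perms,
        return f"{d['name']} {d['denied_mask']},"
    return f"# unhandled operation {op}: review manually"

def profile_from_denials(lines, profile_name="podman-k8s"):
    """Build a profile skeleton from audit lines, keeping each rule once."""
    rules = []
    for d in filter(None, map(parse_denial, lines)):
        rule = rule_for(d)
        if rule not in rules:
            rules.append(rule)
    body = "\n".join(f"  {r}" for r in rules)
    return f"#include <tunables/global>\nprofile {profile_name} flags=(attach_disconnected) {{\n{body}\n}}\n"
```

Run it over the node's real `dmesg`/`auditd` output while the pod exercises its workload, then load the result on the node and reference it from the annotation instead of `unconfined`; rules that fail to parse or look too broad are the ones to review by hand.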