VictoriaMetrics / operator

Kubernetes operator for Victoria Metrics
Apache License 2.0

Assigning `RuntimeDefault` AppArmor profile to pods/containers when strict security is enabled breaks on hosts w/o AppArmor #1120

Closed jfroy closed 1 month ago

jfroy commented 1 month ago

The operator assigns the special RuntimeDefault AppArmor profile on pods and containers when strict security is enabled. On any hosts where AppArmor is not enabled, the pod will be rejected by kubelet's AppArmor admission handler, with the error "Cannot enforce AppArmor: AppArmor is not enabled on the host". This needs to be made configurable, as not all clusters will have AppArmor enabled on all hosts.

f41gh7 commented 1 month ago

Maybe it's better to remove the default AppArmor value. The main motivation for adding it was default security rules for cloud providers. As far as I understand, Azure provides a preset of configured validation rules (runAsRoot false and others). But the reality is that AppArmor and SELinux are not widely supported (Windows hosts don't have such an option).

suhasagasthya commented 1 month ago

Same issue faced! AppArmor is blocking pods on hosts that don't have AppArmor enabled; we don't use AppArmor in our environments. +1 to remove the AppArmor value from the default security context, or pass it as an env to enable it only if needed.
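As an added check illustrating the failure described in this thread (example code, not the operator's own): it lists the AppArmor profile requests in a pod manifest that kubelet would refuse on a node where AppArmor is not enabled, and shows the opt-out of dropping them, which is the behaviour the comments ask for. The sample manifest and the node flag are constructed assumptions; the field and annotation names are the upstream Kubernetes ones.

```python
# Added example (not operator code): AppArmor requests kubelet rejects on hosts without AppArmor.
import copy

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def apparmor_profiles(pod: dict) -> list[tuple[str, str]]:
    """Return (scope, profile) pairs for every AppArmor profile the pod requests:
    pod- and container-level securityContext.appArmorProfile (Kubernetes 1.30+)
    and the older per-container annotation."""
    spec = pod.get("spec", {})
    found = []
    pod_sc = spec.get("securityContext") or {}
    if "appArmorProfile" in pod_sc:
        found.append(("pod", pod_sc["appArmorProfile"].get("type", "")))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if "appArmorProfile" in sc:
            found.append((f"container/{c['name']}", sc["appArmorProfile"].get("type", "")))
    for key, value in pod.get("metadata", {}).get("annotations", {}).items():
        if key.startswith(ANNOTATION_PREFIX):
            found.append((f"annotation/{key[len(ANNOTATION_PREFIX):]}", value))
    return found

def rejected_scopes(pod: dict, node_apparmor_enabled: bool) -> list[str]:
    """Scopes kubelet cannot enforce on the node. Only Unconfined/unconfined skips
    the host check; RuntimeDefault and Localhost profiles both need AppArmor."""
    if node_apparmor_enabled:
        return []
    return [s for s, prof in apparmor_profiles(pod) if prof.lower() != "unconfined"]

def strip_apparmor(pod: dict) -> dict:
    """Copy of the pod with every AppArmor request removed, i.e. the opt-out
    behaviour the issue asks the operator to provide."""
    out = copy.deepcopy(pod)
    spec = out.get("spec", {})
    (spec.get("securityContext") or {}).pop("appArmorProfile", None)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        (c.get("securityContext") or {}).pop("appArmorProfile", None)
    ann = out.get("metadata", {}).get("annotations", {})
    for key in [k for k in ann if k.startswith(ANNOTATION_PREFIX)]:
        del ann[key]
    return out

# Constructed manifest resembling what strict security produces (not a real operator dump).
SAMPLE_POD = {
    "metadata": {"name": "vmagent", "annotations": {}},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "appArmorProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "vmagent", "securityContext": {"appArmorProfile": {"type": "RuntimeDefault"}}}],
    },
}
```

Running `rejected_scopes(SAMPLE_POD, node_apparmor_enabled=False)` returns `['pod', 'container/vmagent']`, the two places strict security would have to leave empty on such a node.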

f41gh7 commented 1 month ago

The issue must be fixed in the v0.48.4 release.