Conversation

@wenjianhn

In Ubuntu, AppArmor is installed and loaded by default. policy/policyinit.sh needs to remount /proc/sys. It is forbidden per the below error message:

mount: /proc/sys: cannot remount rw read-write, is write-protected.
dmesg(1) may have more information after failed mount system call.

This patch also removes the seccomp profile.

Fixes: 9d24420 ("daemon: privilege")
@l1b0k
Collaborator

l1b0k commented Nov 4, 2025

It might be more appropriate to directly expose the annotations and securityContext. Could you please consider adjusting the configuration accordingly?

@wenjianhn
Author

@l1b0k unfortunately, the version of the k8s that we are using doesn't support specifying AppArmor through securityContext.

$ kubectl apply -f test-appArmorProfile-netperf-l1-0.yaml
error: error validating "test-appArmorProfile-netperf-l1-0.yaml": error validating data: ValidationError(Pod.spec.containers[0].securityContext): unknown field "appArmorProfile" in io.k8s.api.core.v1.SecurityContext; if you choose to ignore these errors, turn validation off with --validate=false

How about using helm template --kube-version 1.30 like awslabs/mountpoint-s3-csi-driver#262

Tested with

$ helm template --kube-version 1.29 --debug charts/terway  |grep -i apparmor
        # As of Kubernetes v1.30, this should be set with the appArmorProfile field instead.
        container.apparmor.security.beta.kubernetes.io/policy: unconfined

$ helm template --kube-version 1.30 --debug charts/terway  |grep -i apparmor -A1
            appArmorProfile:
              type: Unconfined
@l1b0k
Collaborator

l1b0k commented Nov 4, 2025

To improve flexibility and compatibility across Kubernetes versions, it’s a good practice to directly expose annotations and securityContext in the values.yaml file.

# values.yaml

daemon:
  annotations: {}

  # Custom securityContext for the container.
  # Define only the fields that are safe and supported by your target K8s version.
  terway:
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
          - DAC_OVERRIDE
        drop:
          - ALL
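Combining the two suggestions above (the `--kube-version` switch and the exposed `daemon.annotations` / `daemon.terway.securityContext` values), here is an added DaemonSet template excerpt, written for this thread and not taken from the terway chart: it emits the beta annotation only on clusters below 1.30, the `appArmorProfile` field from 1.30 on (via Helm's `.Capabilities.KubeVersion`), and merges whatever the operator sets in values.yaml. The DaemonSet name, the container name `policy` and the image placeholder are assumptions.

```yaml
# templates/daemonset.yaml (hypothetical excerpt; not the chart's own file)
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: terway
spec:
  template:
    metadata:
      annotations:
        {{- if semverCompare "<1.30-0" .Capabilities.KubeVersion.Version }}
        # Clusters before v1.30 only understand the beta annotation.
        # The key suffix "/policy" scopes the profile to that one container,
        # so the other containers keep the node's default AppArmor confinement.
        container.apparmor.security.beta.kubernetes.io/policy: unconfined
        {{- end }}
        {{- with .Values.daemon.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      containers:
        - name: policy
          image: IMAGE_PLACEHOLDER   # assumption: set to the real image
          securityContext:
            {{- if semverCompare ">=1.30-0" .Capabilities.KubeVersion.Version }}
            # From v1.30 the field form is validated by the API server,
            # so the annotation above is no longer needed.
            appArmorProfile:
              type: Unconfined
            {{- end }}
            # Operator-supplied fields (e.g. capabilities add/drop) are merged
            # here; they must not repeat appArmorProfile or YAML would carry a
            # duplicate key.
            {{- with .Values.daemon.terway.securityContext }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
```

Render it with `helm template --kube-version 1.29 ...` and `--kube-version 1.30 ...` as in the test above to confirm each branch appears exactly once.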
