Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Release-1.29] - Don't drop legacy apparmor annotations from cilium daemonset when upgrading to 1.30 #7520

Closed
brandond opened this issue Jan 9, 2025 · 1 comment
Closed

[Release-1.29] - Don't drop legacy apparmor annotations from cilium daemonset when upgrading to 1.30 #7520

brandond opened this issue Jan 9, 2025 · 1 comment
Assignees
@brandond @VestigeJ
Milestone
v1.29.13+rke2r1

Comments

@brandond
Copy link
Member

brandond commented Jan 9, 2025

Backport fix for Don't drop legacy apparmor annotations from cilium daemonset when upgrading to 1.30
@brandond brandond self-assigned this Jan 9, 2025
@mgfritch mgfritch mentioned this issue Jan 10, 2025
Merged
@brandond brandond added this to the v1.29.13+rke2r1 milestone Jan 15, 2025
@VestigeJ VestigeJ self-assigned this Jan 23, 2025
@VestigeJ
Copy link
Contributor

$ kgp cilium-f8vnv -n kube-system -o yaml | grep -i image

    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/hardened-cni-plugins:v1.6.0-build20241022
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.4
    imagePullPolicy: IfNotPresent
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/hardened-cni-plugins:v1.6.0-build20241022
    imageID: docker.io/rancher/hardened-cni-plugins@sha256:900cfe5a70ca5749220c7a1363bf3e563ea48764b83b2fc9d078b9a0f8226ab0
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.4
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

$ echo $VERSION

v1.29.12+rke2r1

$ kg ds cilium -n kube-system -o yaml | grep -i apparmor -A2

        container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
        container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
        container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
        container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined

$ kgp cilium-f8vnv -n kube-system -o yaml | grep -i appArmor -A1

    container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
    container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
    container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
    container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined

$ kg ds cilium -n kube-system -o yaml | grep -i apparmor -A2

        container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
        container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
        container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
        container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
        prometheus.io/port: "9962"
        prometheus.io/scrape: "true"

$ echo $VERSION

v1.29.13-rc2+rke2r1

$ kgp cilium-8btjt -n kube-system -o yaml | grep -i image

    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/hardened-cni-plugins:v1.6.0-build20241022
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: rancher/mirrored-cilium-cilium:v1.16.5
    imagePullPolicy: IfNotPresent
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/hardened-cni-plugins:v1.6.0-build20241022
    imageID: docker.io/rancher/hardened-cni-plugins@sha256:900cfe5a70ca5749220c7a1363bf3e563ea48764b83b2fc9d078b9a0f8226ab0
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
    image: docker.io/rancher/mirrored-cilium-cilium:v1.16.5
    imageID: docker.io/rancher/mirrored-cilium-cilium@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

$ kgp cilium-8btjt -n kube-system -o yaml | grep -i apparmor

    container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
    container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
    container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
    container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandond brandond

@VestigeJ VestigeJ

Labels
None yet
Projects
None yet
Milestone
v1.29.13+rke2r1
Development

No branches or pull requests
2 participants
@brandond @VestigeJ