Page MenuHomePhabricator
Create Task
Maniphest T367880

Set AppArmor profile via SecurityContext rather than annotations (k8s >=1.30)
Closed, ResolvedPublic
Actions

Description

With Kubernetes 1.30+, AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext. The beta AppArmor annotations are deprecated, and AppArmor status is no longer included in the node ready condition. (https://github.com/kubernetes/kubernetes/pull/123435)

See also: T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
function-{evaluator,orchestrator}: set AppArmor profile in container SecurityContextoperations/deployment-chartsmaster+10 -4
Revert "function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContext"operations/deployment-chartsmaster+4 -13
function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContextoperations/deployment-chartsmaster+13 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Jun 18 2024, 2:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2024, 2:01 PM
JMeybohm triaged this task as Low priority.Jun 18 2024, 2:01 PM
JMeybohm merged a task: T384429: Migrate deprecated apparmor.security.beta.kubernetes.io annotations to SecurityContext.Mar 5 2025, 6:10 PM
JMeybohm added a subscriber: akosiaris.
RLazarus edited projects, added ServiceOps new; removed serviceops-deprecated.Feb 12 2026, 2:03 AM
RLazarus moved this task from Inbox to Backlog on the ServiceOps new board.
RLazarus merged a task: T419784: Change Wikifunctions k8s pods apparmor annotation to a config field, former is deprecated since k8s 1.30.Mar 12 2026, 2:33 AM
RLazarus added a subscriber: Jdforrester-WMF.
gerritbot added a comment.Mar 17 2026, 9:27 PM

Change #1254338 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/deployment-charts@master] function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContext

https://gerrit.wikimedia.org/r/1254338

gerritbot added a project: Patch-For-Review.Mar 17 2026, 9:27 PM
JMeybohm assigned this task to RLazarus.Mar 18 2026, 7:51 AM
JMeybohm added a subscriber: RLazarus.

@RLazarus: Given wikifunctions is the only chart with apparmor annotations I'll hand this over to you to close when the change has been merged.

gerritbot added a comment.Wed, Apr 8, 9:12 PM

Change #1254338 merged by jenkins-bot:

[operations/deployment-charts@master] function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContext

https://gerrit.wikimedia.org/r/1254338

RLazarus added a comment.Wed, Apr 8, 9:35 PM

Weirdly, Envoy failed to start after the change, with this in the logs:

[2026-04-08 21:23:16.649][1][critical][assert] [source/server/hot_restart_impl.cc:44] panic: cannot open shared memory region /envoy_shared_memory_0 check user permissions. Error: Permission denied

That wouldn't be that surprising if we were setting up a new AppArmor profile, but nothing is supposed to be changing with the actual policy.

gerritbot added a comment.Wed, Apr 8, 9:36 PM

Change #1269064 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/deployment-charts@master] Revert "function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContext"

https://gerrit.wikimedia.org/r/1269064

gerritbot added a comment.Wed, Apr 8, 9:41 PM

Change #1269064 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "function-{evaluator,orchestrator}: set AppArmor profile in pod SecurityContext"

https://gerrit.wikimedia.org/r/1269064

gerritbot added a comment.Wed, Apr 8, 10:10 PM

Change #1269069 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/deployment-charts@master] function-{evaluator,orchestrator}: set AppArmor profile in container SecurityContext

https://gerrit.wikimedia.org/r/1269069

gerritbot added a comment.Fri, Apr 10, 12:53 AM

Change #1269069 merged by jenkins-bot:

[operations/deployment-charts@master] function-{evaluator,orchestrator}: set AppArmor profile in container SecurityContext

https://gerrit.wikimedia.org/r/1269069

RLazarus closed this task as Resolved.Fri, Apr 10, 1:28 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits