From 62581c039724cd8e5cb5c48a32e7d3303a2702c9 Mon Sep 17 00:00:00 2001
From: Camryn Lee
Date: Wed, 22 Jan 2025 22:39:18 +0000
Subject: [PATCH 1/4] set appArmorProfile and remove annotations for cilium 1.16
---
 .../v1.16/cilium-agent/templates/daemonset.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
index 952a0b7015..c5572523ce 100644
--- a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
+++ b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
@@ -17,10 +17,6 @@ spec:
 template:
 metadata:
 annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
 prometheus.io/port: "9962"
 prometheus.io/scrape: "true"
 creationTimestamp: null
@@ -43,6 +39,9 @@ spec:
 operator: In
 values:
 - linux
+ securityContext:
+ appArmorProfile:
+ type: Unconfined
 containers:
 - args:
 - --config-dir=/tmp/cilium/config-map
@@ -97,6 +96,8 @@ spec:
 timeoutSeconds: 5
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - CHOWN
@@ -192,6 +193,8 @@ spec:
 name: mount-cgroup
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
@@ -224,6 +227,8 @@ spec:
 name: apply-sysctl-overwrites
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
From f1fb957688ea792eeb388b7de6b11845798e26c8 Mon Sep 17 00:00:00 2001
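Review bot: The hunk at @@ -17,10 +17,6 @@ drops the four `container.apparmor.security.beta.kubernetes.io/*: unconfined` annotations, and the hunks below rely solely on `securityContext.appArmorProfile`, a field that only exists on Kubernetes API servers that ship the AppArmor securityContext API; on an older server the field is unknown and, depending on validation settings, is either rejected or silently dropped, which would leave these containers under the node's default profile instead of unconfined. If the integration clusters can run a version that predates the field, keeping the annotations alongside the new field preserves the old behaviour; otherwise a comment on the DaemonSet stating the minimum cluster version, e.g. `# securityContext.appArmorProfile replaces the deprecated container.apparmor.security.beta.kubernetes.io annotations and needs a cluster that supports that field`, makes the constraint visible to whoever next bumps the test matrix. The same point applies to the matching hunks in daemonset-dualstack.yaml (patch 2) and the nightly daemonset.yaml (patch 4), so it is not repeated there.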
From: Camryn Lee
Date: Wed, 22 Jan 2025 22:41:27 +0000
Subject: [PATCH 2/4] set dualstack appArmorProfile
---
 .../cilium-agent/templates/daemonset-dualstack.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
index cfcf8fbbc3..f2a27310e9 100644
--- a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
+++ b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
@@ -17,10 +17,6 @@ spec:
 template:
 metadata:
 annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
 prometheus.io/port: "9962"
 prometheus.io/scrape: "true"
 creationTimestamp: null
@@ -43,6 +39,9 @@ spec:
 operator: In
 values:
 - linux
+ securityContext:
+ appArmorProfile:
+ type: Unconfined
 containers:
 - args:
 - --config-dir=/tmp/cilium/config-map
@@ -97,6 +96,8 @@ spec:
 timeoutSeconds: 5
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - CHOWN
@@ -192,6 +193,8 @@ spec:
 name: mount-cgroup
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
@@ -224,6 +227,8 @@ spec:
 name: apply-sysctl-overwrites
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
From e095a587fd10bc7f5c2d8cfe1215c54ef3c84347 Mon Sep 17 00:00:00 2001
From: Camryn Lee
Date: Thu, 23 Jan 2025 00:28:37 +0000
Subject: [PATCH 3/4] set profile per container
---
 .../v1.16/cilium-agent/templates/daemonset-dualstack.yaml | 5 ++---
 .../cilium/v1.16/cilium-agent/templates/daemonset.yaml | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
index f2a27310e9..19e4e10a60 100644
--- a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
+++ b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml
@@ -39,9 +39,6 @@ spec:
 operator: In
 values:
 - linux
- securityContext:
- appArmorProfile:
- type: Unconfined
 containers:
 - args:
 - --config-dir=/tmp/cilium/config-map
@@ -287,6 +284,8 @@ spec:
 cpu: 100m
 memory: 100Mi
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - NET_ADMIN
diff --git a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
index c5572523ce..f2fb0ba89a 100644
--- a/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
+++ b/test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml
@@ -39,9 +39,6 @@ spec:
 operator: In
 values:
 - linux
- securityContext:
- appArmorProfile:
- type: Unconfined
 containers:
 - args:
 - --config-dir=/tmp/cilium/config-map
@@ -287,6 +284,8 @@ spec:
 cpu: 100m
 memory: 100Mi
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - NET_ADMIN
From 167c30237839ccea373adda50daece5b90e2fea4 Mon Sep 17 00:00:00 2001
From: Camryn Lee
Date: Tue, 28 Jan 2025 23:31:24 +0000
Subject: [PATCH 4/4] update nightly daemonset
---
 test/integration/manifests/cilium/daemonset.yaml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
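Review bot: The hunk at @@ -287,6 +284,8 @@ in both files adds the profile inside a container `securityContext:` whose `name:` is outside the hunk; the visible NET_ADMIN capability suggests it is clean-cilium-state, which would complete the four containers the removed annotations named, but that should be confirmed against the full manifest rather than inferred from the capability list. Once the pod-level securityContext removed at @@ -39,9 +39,6 @@ is gone, any container without its own `appArmorProfile` falls back to the runtime's default profile, which is the tighter posture, so the per-container entries are now the only record of which containers are exempt. A one-line comment above each `appArmorProfile:` block, e.g. `# AppArmor unconfined on purpose: replaces the deprecated container.apparmor.security.beta.kubernetes.io annotation for this container`, would keep that exemption reviewable when the four blocks in daemonset.yaml, daemonset-dualstack.yaml and the nightly manifest are next edited.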
diff --git a/test/integration/manifests/cilium/daemonset.yaml b/test/integration/manifests/cilium/daemonset.yaml
index a710c23360..745ae830fb 100644
--- a/test/integration/manifests/cilium/daemonset.yaml
+++ b/test/integration/manifests/cilium/daemonset.yaml
@@ -16,10 +16,6 @@ spec:
 template:
 metadata:
 annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
 prometheus.io/port: "9962"
 prometheus.io/scrape: "true"
 creationTimestamp: null
@@ -102,6 +98,8 @@ spec:
 timeoutSeconds: 5
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - CHOWN
@@ -197,6 +195,8 @@ spec:
 name: mount-cgroup
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
@@ -229,6 +229,8 @@ spec:
 name: apply-sysctl-overwrites
 resources: {}
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - SYS_ADMIN
@@ -287,6 +289,8 @@ spec:
 cpu: 100m
 memory: 100Mi
 securityContext:
+ appArmorProfile:
+ type: Unconfined
 capabilities:
 add:
 - NET_ADMIN