John Howard

This will be shipped this week

For logging perspective, making 'delete' info level and maybe logging the source of operations (from informer or from CNI plugin) would be useful.

> The informer cache should never have pods that don't exist in it, that's odd. I doubt its the informer cache itself but our snapshot of the netns which is...

Can you give some more info about your environment? Which cloud provider (or not cloud), OS version of the node, etc? It seems there is maybe some incompatibility with your...

What I'm not certain of is exactly what is failing and why. Some failures may trigger other failures. I know the mount operation is blocked by the appArmor I think,...

> From my quick reading (so definitely not authoritative), reading from procfs is what's causing app Armor to log there in journalctl https://github.com/containerd/containerd/blob/2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41/contrib/apparmor/template.go#L71 Shouldn't this only block write to procfs?...

On slack someone said privileged=true fixed it On Mon, Nov 11, 2024, 10:29 AM Ben Leggett ***@***.***> wrote: > Edited Daemonset by adding the Unconfined profile for AppArmor: > >...

Do we know why setting to unconstrained doesn't work? Since I thought someone tried and found that

Maybe a dumb question, but do we actually know what is blocked? Or just "read" of something? I never saw anything indicating *what* On Mon, Nov 11, 2024, 2:10 PM...

> Ah, what if you remove the appArmor profile with privileged: true? in slack someone already confirmed this fixes it If we cannot disable appArmor only, we should default to...