Keith Mattix II
From my quick reading (so definitely not authoritative), reading from procfs is what's causing AppArmor to log there in journalctl
Yeah according to that config, it should only block write. The journalctl logs point to a blocked read which is strange to me
Shipping our own profile would be rough too because Kubernetes enforces that the profile exists before applying the pod. So we'd have to work around the race there
Yeah folks said unconstrained doesn't work. I wonder if the issue is this ptrace rule in the AppArmor config: https://github.com/containerd/containerd/blob/2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41/contrib/apparmor/template.go#L94. I have zero context here, but maybe allowing ptracing containers...
I think multiple things are failing looking back at the original screenshot. The istio-cni error is "failed to remount /: permission denied" which points to that mount deny flag in...
Ah, what if you remove the AppArmor profile with privileged: true?
@krinkinmu @grnmeira. Related to #58338
I think we want to discuss this a bit. Can you post in Slack or add a topic to the weekly WG meeting?
I think you should probably be able to set a DestinationRule for the hostname and it should just work
Yeah I think those are all flakes