AppArmor support
Description
Add AppArmor support to Kubernetes. Initial support should include the ability to specify an AppArmor profile for a container or pod in the API, and have that profile applied by the container runtime.
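As an added example (not from the issue or the linked KEPs), a Pod manifest showing both forms the feature has used to pin an AppArmor profile: the beta per-container annotation and the GA `securityContext.appArmorProfile` field. The profile name `k8s-deny-write` is an assumed name for a profile already loaded on the node, and the `touch` command is a constructed check that only proves anything if that profile denies file writes.

```yaml
# Added example, not code from the issue or the linked KEPs.
# Assumes a profile named "k8s-deny-write" has already been loaded on every
# node that may run the pod (e.g. with apparmor_parser); the kubelet rejects a
# pod that references a Localhost profile the node does not have.
#
# Form 1: beta annotation, one per container, keyed by container name.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-beta-annotation
  annotations:
    # Values: localhost/<profile>, runtime/default, or unconfined.
    # "unconfined" turns AppArmor off for that container and is the value to
    # flag when reviewing manifests.
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  containers:
  - name: app
    image: busybox:1.36
    # Constructed check: with a write-denying profile the touch fails.
    command: ["sh", "-c", "touch /tmp/probe || echo write denied; sleep 3600"]
---
# Form 2: GA field (the work tracked in PR 123435), settable at pod level as a
# default and overridden per container.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-ga-field
spec:
  securityContext:
    appArmorProfile:
      type: RuntimeDefault        # baseline for every container in the pod
  containers:
  - name: app
    image: busybox:1.36
    securityContext:
      appArmorProfile:
        type: Localhost           # Localhost | RuntimeDefault | Unconfined
        localhostProfile: k8s-deny-write
    command: ["sh", "-c", "touch /tmp/probe || echo write denied; sleep 3600"]
```

If a manifest carries both the annotation and the field for the same container, the API server requires them to agree; migrating to the field form removes that ambiguity.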
Progress Tracker
- [x] Before Alpha
- [x] Design Approval
- [x] Design Proposal. This goes under docs/proposals. Doing a proposal as a PR allows line-by-line commenting from community, and creates the basis for later design documentation. Paste link to merged design proposal here: https://github.com/kubernetes/kubernetes/pull/29168
- [x] Initial API review (if API). Maybe same PR as design doc. https://github.com/kubernetes/kubernetes/pull/29168
- Any code that changes an API (/pkg/apis/...) - cc @kubernetes/api
- [x] Write (code + tests + docs) then get them merged.
  - https://github.com/kubernetes/kubernetes/pull/29812
  - https://github.com/kubernetes/kubernetes/pull/30118
  - https://github.com/kubernetes/kubernetes/pull/30722
  - https://github.com/kubernetes/kubernetes/pull/30183
  - https://github.com/kubernetes/kubernetes/pull/31314
  - https://github.com/kubernetes/kubernetes/pull/31473
  - https://github.com/kubernetes/kubernetes/pull/31471
  - https://github.com/kubernetes/kubernetes/pull/31557
  - https://github.com/kubernetes/kubernetes/pull/31625
  - https://github.com/kubernetes/kubernetes/pull/31659
- [x] ~~Code needs to be disabled by default. Verified by code OWNERS~~ AppArmor is enabled by default, but gated by a feature-gate: https://github.com/kubernetes/kubernetes/pull/31473
- [x] Minimal testing
- [x] Minimal docs - https://github.com/kubernetes/kubernetes.github.io/pull/1147
- cc @kubernetes/docs on docs PR
- cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
- New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
- [ ] Update release notes
- [x] Before Beta https://github.com/kubernetes/kubernetes/pull/31471
- [x] Testing is sufficient for beta
- [x] User docs with tutorials - https://github.com/kubernetes/kubernetes.github.io/pull/1147
- Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
- cc @kubernetes/docs on docs PR
- cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
- [ ] Thorough API review
- cc @kubernetes/api
- [ ] Before Stable
- [x] KEPS
- https://github.com/kubernetes/enhancements/pull/3298
- https://github.com/kubernetes/enhancements/pull/4417
- [ ] PRs
- https://github.com/kubernetes/kubernetes/pull/123435
- [ ] Soak, load testing
- [ ] detailed user docs and examples
- cc @kubernetes/docs
- cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers. FEATURE_STATUS: BETA
More advice:
Design
- Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.
Coding
- Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
- As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository, and sometimes http://github.com/kubernetes/contrib, or other repos.
- When you are done with the code, apply the "code-complete" label.
- When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will check that the code matches the proposed feature and design, and that everything is done, and that there is adequate testing. They won't do detailed code review: that already happened when your PRs were reviewed. When that is done, you can check this box and the reviewer will apply the "code-complete" label.
Docs
- [x] Write user docs and get them merged in.
- User docs go into http://github.com/kubernetes/kubernetes.github.io.
- When the feature has user docs, please add a comment mentioning @kubernetes/docs.
- When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.
Original issue here: https://github.com/kubernetes/kubernetes/issues/22159
@timstclair it looks like the docs PR number is outdated. Please update the PR number and check the docs box once it's done
Fixed. Thanks @janetkuo !
Docs https://github.com/kubernetes/kubernetes.github.io/pull/1147 - @kubernetes/docs
Is there an issue? I merged this one in last week.
On Sep 21, 2016 1:30 PM, "Tim St. Clair" [email protected] wrote:
Docs kubernetes/kubernetes.github.io#1147 https://github.com/kubernetes/kubernetes.github.io/pull/1147 - @kubernetes/docs https://github.com/orgs/kubernetes/teams/docs
No, I was just following the instructions at the bottom of the issue, which I hadn't done before...
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close
/remove-lifecycle rotten
@tallclair @liggitt Any plans for this in 1.11?
If so, can you please ensure the feature is up-to-date with the appropriate:
- Description
- Milestone
- Assignee(s)
- Labels: stage/{alpha,beta,stable}, sig/*, kind/feature
cc @idvoretskyi
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten
@tallclair @kubernetes/sig-node-feature-requests @kubernetes/sig-auth-feature-requests -- are there plans for AppArmor support?
/kind feature /sig auth /unassign @timstclair /assign @tallclair
No plans right now.
Hi! This enhancement has been tracked before, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.13. This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:
- Docs (open placeholder PRs): 11/8
- Code Slush: 11/9
- Code Freeze Begins: 11/15
- Docs Complete and Reviewed: 11/27
Please take a moment to update the milestones on your original post for future tracking and ping @kacole2 if it needs to be included in the 1.13 Enhancements Tracking Sheet
Thanks!
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
Enhancement issues opened in kubernetes/enhancements should never be marked as frozen.
Enhancement Owners can ensure that enhancements stay fresh by consistently updating their states across release cycles.
/remove-lifecycle frozen
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-lifecycle rotten
It might be useful to mark this feature as rotten, as it's been stuck in beta for too long, but IMO enhancements that have been merged into kubernetes should not be closed unless they are completed (GA) or deprecated & removed.
@tallclair anything happening here for 1.16? Any plans for deprecation?
I have the beginnings of a plan to bring it to GA, but it might be a stretch to get to it in 1.16. I'll try to get a proposal out by enhancements freeze though.
@tallclair Do you think there's going to be any activity for this in the 1.17 release?
I was hoping to get this to GA alongside seccomp in v1.17, but I'm probably only going to have time to do 1 (seccomp). If anyone else is interested in picking this up, I'd be happy to provide some pointers. Otherwise, I expect GA to happen in v1.18.
Noted. Will keep tabs on the thread in case anyone picks it up. Thanks for the update!
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
/remove-lifecycle stale