Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-24: Graduate Kubernetes' support for AppArmor to GA. #47023

Merged
merged 1 commit into from
Jul 25, 2024
Merged

KEP-24: Graduate Kubernetes' support for AppArmor to GA. #47023

merged 1 commit into from
Jul 25, 2024

Conversation

vinayakankugoyal
Copy link
Contributor

Update the feature gate for AppArmor to Stable stage for 1.31.

With kubernetes/kubernetes#125257 we will be graduating the AppArmor support to GA aka stable. This PR updates the docs to reflect that.

xref kubernetes/enhancements#24

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 28, 2024
@k8s-ci-robot k8s-ci-robot added this to the 1.31 milestone Jun 28, 2024
@k8s-ci-robot k8s-ci-robot added area/localization General issues or PRs related to localization cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/zh Issues or PRs related to Chinese language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Jun 28, 2024
@vinayakankugoyal
Copy link
Contributor Author

/cc @tallclair

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 28, 2024
@netlify Netlify
Copy link

netlify bot commented Jun 28, 2024
edited
Loading

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name Link
🔨 Latest commit 87a7055
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/66a18b792dc6790008b91988

@netlify Netlify
Copy link

netlify bot commented Jun 28, 2024
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 87a7055
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/66a18b79dbe2b10008e722ce
😎 Deploy Preview https://deploy-preview-47023--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

dipesh-rawat
dipesh-rawat reviewed Jun 28, 2024
View reviewed changes
Copy link
Member

@dipesh-rawat dipesh-rawat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vinayakankugoyal Currently, it appears that this PR is modifying the Chinese localization feature gate file, which is incorrect. This change should be applied to the 'AppArmor ' feature gate description file in English. Please make the necessary correction.

Location for file to be changed: content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Jun 29, 2024
@dipesh-rawat
Copy link
Member

/remove-language zh
/remove-area localization

@k8s-ci-robot k8s-ci-robot removed language/zh Issues or PRs related to Chinese language area/localization General issues or PRs related to localization labels Jun 29, 2024
@sftim
Copy link
Contributor

sftim commented Jul 1, 2024

Some early feedback: there are other details we expect to see covered ahead of graduation.

Please see:

and check whether https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ needs any update for GA.

@vinayakankugoyal
Copy link
Contributor Author

Some early feedback: there are other details we expect to see covered ahead of graduation.

Please see:

With the new field all annotation based mechanisms are considered deprecated.

That also does not mention other security controls like runAsUser, seccomp but does mention PSS. PSS already has controls for appArmor.

That also does not mention other security controls like runAsUser, seccomp but does mention PSS. PSS already has controls for appArmor.

Good catch! lets fix that in this PR.

and check whether https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ needs any update for GA.

AFAIK no clean up steps are required. Good call on updating https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 3, 2024
@sftim
Copy link
Contributor

sftim commented Jul 3, 2024

With the new field all annotation based mechanisms are considered deprecated.

Even so, we expect docs (yes, it should have been done for beta, but the thing still needs documenting). We want this partly for formally telling people that there is a new mechanism, and partly because we "register" annotations by documenting them.

@vinayakankugoyal
Copy link
Contributor Author

With the new field all annotation based mechanisms are considered deprecated.

Even so, we expect docs (yes, it should have been done for beta, but the thing still needs documenting). We want this partly for formally telling people that there is a new mechanism, and partly because we "register" annotations by documenting them.

That annotation is only PSP specific AFAIK. It was a means of specifying what profile should be applied to containers in the event they don't have a profile specified. Support for PSP has long since been deprecated (removed?) and you won't find any reference to that annotation in kubernetes except for PSP docs (which is where it should live?).

@sftim
Copy link
Contributor

sftim commented Jul 5, 2024

That annotation is only PSP specific AFAIK. It was a means of specifying what profile should be applied to containers in the event they don't have a profile specified. Support for PSP has long since been deprecated (removed?) and you won't find any reference to that annotation in kubernetes except for PSP docs (which is where it should live?).

The place to register it is Well-Known Labels, Annotations and Taints, honestly. That's a list of all the registered labels, annotations and taints for the Kubernetes project.

@Princesso
Copy link
Contributor

Hi @vinayakankugoyal since this PR is ready for review, can you remove the draft status? We need to PR in the ready-for-review status before Tuesday, July 16th, 2024 18:00 PST. Thank you!

@vinayakankugoyal vinayakankugoyal marked this pull request as ready for review July 9, 2024 15:29
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 9, 2024
SergeyKanzhelev
SergeyKanzhelev reviewed Jul 24, 2024
View reviewed changes
Copy link
Member

@SergeyKanzhelev SergeyKanzhelev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also not sure why this example is still using annotations:

website/content/en/examples/policy/restricted-psp.yaml

Line 8 in 30026fa

apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

Maybe change it to fields.

content/en/docs/tasks/configure-pod-container/security-context.md Outdated Show resolved Hide resolved
content/en/docs/tasks/configure-pod-container/security-context.md Show resolved Hide resolved
@vinayakankugoyal
Copy link
Contributor Author

Also not sure why this example is still using annotations:

website/content/en/examples/policy/restricted-psp.yaml

Line 8 in 30026fa

apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

Maybe change it to fields.

PSP has long been deprecated, maybe we should consider removing those docs completely, but we should do so in a separate PR.

SergeyKanzhelev
SergeyKanzhelev approved these changes Jul 24, 2024
View reviewed changes
Copy link
Member

@SergeyKanzhelev SergeyKanzhelev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 24, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 62d919ce978bdd64d57409cae1e7ed557750dc57

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 24, 2024
@tengqm
Copy link
Contributor

tengqm commented Jul 25, 2024

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SergeyKanzhelev, tengqm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 25, 2024
@SergeyKanzhelev
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 25, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 739a68af5218af3bb531be72b9864f27892e1d90

@k8s-ci-robot k8s-ci-robot merged commit 01a668b into kubernetes:dev-1.31 Jul 25, 2024
6 checks passed
@everpeace everpeace mentioned this pull request Aug 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dipesh-rawat dipesh-rawat dipesh-rawat left review comments

@mengjiao-liu mengjiao-liu Awaiting requested review from mengjiao-liu

@tanjunchen tanjunchen Awaiting requested review from tanjunchen

@tallclair tallclair Awaiting requested review from tallclair

@mickeyboxell mickeyboxell Awaiting requested review from mickeyboxell

@thockin thockin Awaiting requested review from thockin

@SergeyKanzhelev SergeyKanzhelev Awaiting requested review from SergeyKanzhelev

Assignees

@SergeyKanzhelev SergeyKanzhelev

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
1.31
Development

Successfully merging this pull request may close these issues.
7 participants
@vinayakankugoyal @dipesh-rawat @sftim @Princesso @k8s-ci-robot @tengqm @SergeyKanzhelev