Skip to content

Commit

Permalink
Strict patch
Browse files Browse the repository at this point in the history
  • Loading branch information
neoaggelos authored and k8s-bot committed Apr 25, 2024
1 parent 2217a2a commit 347d5ae
Show file tree
Hide file tree
Showing 4 changed files with 173 additions and 8 deletions.
2 changes: 1 addition & 1 deletion build-scripts/print-patches-for.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@

DIR = Path(__file__).absolute().parent

PATCH_DIRS = ["patches"]
PATCH_DIRS = ["patches", "strict-patches"]


class Version:
Expand Down
6 changes: 5 additions & 1 deletion k8s/hack/init.sh
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
#!/usr/bin/env bash

# no-op for classic confinement
DIR=`realpath $(dirname "${0}")`

# Initialize node for integration tests
"${DIR}/connect-interfaces.sh"
"${DIR}/network-requirements.sh"
5 changes: 0 additions & 5 deletions k8s/wrappers/services/containerd
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,4 @@ You can try to apply the profile manually by running:
"
fi

# Re-exec outside of apparmor confinement
if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
exec aa-exec -p unconfined -- "$0" "$@"
fi

k8s::common::execute_service containerd
168 changes: 167 additions & 1 deletion snap/snapcraft.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ description: |-
on any infrastructure
license: GPL-3.0
grade: stable
confinement: classic
confinement: strict
base: core20
environment:
REAL_PATH: $PATH
Expand Down Expand Up @@ -216,6 +216,20 @@ parts:
apps:
k8s:
command: k8s/wrappers/commands/k8s
plugs:
- firewall-control
- home-read-all
- home
- kernel-module-observe
- kubernetes-support
- login-session-observe
- log-observe
- mount-observe
- network
- network-control
- network-observe
- opengl
- system-observe
containerd:
command: k8s/wrappers/services/containerd
daemon: notify
Expand All @@ -226,43 +240,195 @@ apps:
restart-condition: always
start-timeout: 5m
before: [kubelet]
plugs:
- network-bind
- docker-privileged
- firewall-control
- network-control
- mount-observe
- kubernetes-support
- cilium-module-load
- opengl
- cifs-mount
- fuse-support
- kernel-crypto-api
k8s-dqlite:
command: k8s/wrappers/services/k8s-dqlite
install-mode: disable
daemon: simple
before: [kube-apiserver]
plugs:
- network-bind
k8sd:
command: k8s/wrappers/services/k8sd
install-mode: enable
daemon: simple
# FIXME: we keep 'kubernetes-support' because 'mount-observe' is not sufficient for some reason, investigate
plugs:
- network
- network-bind
- mount-observe
- kubernetes-support
kubelet:
install-mode: disable
command: k8s/wrappers/services/kubelet
daemon: simple
after: [containerd]
plugs:
- docker-privileged
- firewall-control
- hardware-observe
- kubernetes-support
- mount-observe
- network-bind
- network-observe
- network-control
- process-control
- system-observe
- opengl
- kernel-module-observe
kube-apiserver:
install-mode: disable
command: k8s/wrappers/services/kube-apiserver
daemon: simple
before: [kubelet, kube-controller-manager, kube-proxy, kube-scheduler]
stop-timeout: 5s
plugs:
- docker-privileged
- firewall-control
- hardware-observe
- kubernetes-support
- mount-observe
- network-bind
- network-observe
- network-control
- process-control
- system-observe
- opengl
- kernel-module-observe
kube-controller-manager:
install-mode: disable
command: k8s/wrappers/services/kube-controller-manager
daemon: simple
after: [kube-apiserver]
plugs:
- docker-privileged
- firewall-control
- hardware-observe
- kubernetes-support
- mount-observe
- network-bind
- network-observe
- network-control
- process-control
- system-observe
- opengl
- kernel-module-observe
kube-proxy:
install-mode: disable
command: k8s/wrappers/services/kube-proxy
daemon: simple
after: [kube-apiserver]
plugs:
- docker-privileged
- firewall-control
- hardware-observe
- kubernetes-support
- mount-observe
- network-bind
- network-observe
- network-control
- process-control
- system-observe
- opengl
- kernel-module-observe
kube-scheduler:
install-mode: disable
command: k8s/wrappers/services/kube-scheduler
daemon: simple
after: [kube-apiserver]
plugs:
- docker-privileged
- firewall-control
- hardware-observe
- kubernetes-support
- mount-observe
- network-bind
- network-observe
- network-control
- process-control
- system-observe
- opengl
- kernel-module-observe
k8s-apiserver-proxy:
install-mode: disable
command: k8s/wrappers/services/k8s-apiserver-proxy
daemon: simple
before: [kubelet, kube-proxy]
plugs:
- network-bind

layout:
# Kubernetes paths
/etc/kubernetes:
bind: $SNAP_COMMON/etc/kubernetes
/etc/cni/net.d:
bind: $SNAP_COMMON/etc/cni/net.d
/opt/cni/bin:
bind: $SNAP_COMMON/opt/cni/bin
/var/lib/kubelet:
bind: $SNAP_COMMON/var/lib/kubelet
# Logs and temporary files
/var/log/pods:
bind: $SNAP_COMMON/var/log/pods
/var/log/containers:
bind: $SNAP_COMMON/var/log/containers
# CNI
/var/lib/cni:
bind: $SNAP_COMMON/var/lib/cni
/var/lib/calico:
bind: $SNAP_COMMON/var/lib/calico
# Extras
/usr/local:
bind: $SNAP_COMMON/usr/local
# TBD (maybe not required)
/usr/libexec:
bind: $SNAP_COMMON/usr/libexec
/var/lib/kube-proxy:
bind: $SNAP_COMMON/var/lib/kube-proxy
/etc/service/enabled:
bind: $SNAP_COMMON/etc/service/enabled
/etc/nanorc:
bind-file: $SNAP_COMMON/etc/nanorc

plugs:
home-read-all:
interface: home
read: all
docker-privileged:
interface: docker-support
privileged-containers: true
docker-unprivileged:
interface: docker-support
privileged-containers: false
# Cilium Ingress requires and loads iptable_raw and xt_socket modules
# If these modules are not loaded, ingress responses return 503 Service Unavailable
# since datapath L7 redirection does not work correctly.
# https://github.com/cilium/cilium/blob/1ab043d546e52fb2428300e6c6ea35fa3bd7c711/install/kubernetes/cilium/values.yaml#L792-L796
# https://github.com/cilium/cilium/issues/25021#issuecomment-1699969830
cilium-module-load:
interface: kernel-module-load
modules:
- name: iptable_raw
load: "on-boot"
- name: xt_socket
load: "on-boot"

hooks:
remove:
plugs:
- network
- network-bind
- process-control
- network-control
- firewall-control

0 comments on commit 347d5ae

Please sign in to comment.