regression(chart): #481 AppArmor default-on breaks install-bench on AppArmor-less hosts #492

Description

@trilamsr

Problem

PR #481 (AppArmor RuntimeDefault) merged with securityHardening.appArmorProfile.enabled: true as default in values.yaml. install-bench CI runs on ubuntu-latest GitHub runners, which do NOT have AppArmor enabled on the host. Pod is rejected with:

Status: Failed
Reason: AppArmor
Message: Pod was rejected: Cannot enforce AppArmor: AppArmor is not enabled on the host

Failing CI jobs: install-bench (ubuntu-latest), install (kind), upgrade (kind), verify-lint, verify. Affects PR #491, #484, #479, #431 + any new PR.

Root cause

Default-on AppArmor RuntimeDefault in values.yaml violates the "chart renders on a vanilla cluster" contract. The defense-in-depth posture is correct for production-preset (values-production.yaml), but the default values must work on bare ubuntu-latest.

Fix

Pick one:

  • (a) Flip values.yaml default securityHardening.appArmorProfile.enabled to false. Keep production-preset at true. CHART contract restored.
  • (b) Add a Capabilities-style preflight that probes host AppArmor before emitting the structured field — but K8s NetworkPolicy / pod-securityContext don't have a Capabilities probe at template time, so this is non-trivial.
  • (c) Add documented opt-in path + remove default-on. Document in chart README that production-preset enables it.

Pick (a) — minimal viable fix. Default-on for hardening features should require operator-explicit opt-in per chart hygiene best practice.

Acceptance

  • values.yaml default flipped to enabled: false.
  • values-production.yaml retains enabled: true.
  • helm template install/kubernetes/tracecore (default values) renders WITHOUT AppArmor field/annotation.
  • install-bench passes on ubuntu-latest again.
  • README clarified: AppArmor hardening is production-preset feature, opt-in for default.

Refs

PR #481 (regression source), PR #491 / #484 / #479 / #431 (blocked).
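The acceptance criterion "renders WITHOUT AppArmor field/annotation" can be turned into a CI guard. The script below is an added example, not the tracecore chart's code or the issue author's: it scans a rendered manifest for both the structured securityContext.appArmorProfile field and the legacy container.apparmor.security.beta.kubernetes.io/<container> annotation, and probes the host's AppArmor state via /sys/module/apparmor/parameters/enabled (the kernel's exported flag; assumed as the probe here). The two manifests are constructed inline so it runs offline; in CI you would instead feed it `helm template install/kubernetes/tracecore` output for the default and production value files. The image name is a placeholder.

```shell
#!/usr/bin/env sh
# Added example (not from the tracecore chart or the issue author).
# CI guard for the acceptance criterion: the default render must carry no
# AppArmor settings, the production-preset render must.
#
# Real usage would render first, e.g.:
#   helm template install/kubernetes/tracecore > default.yaml
#   helm template install/kubernetes/tracecore -f values-production.yaml > production.yaml
# Here both renders are constructed inline so the script runs offline.

# Count AppArmor settings in a rendered manifest: the structured
# securityContext.appArmorProfile field (Kubernetes 1.30+) and the legacy
# container.apparmor.security.beta.kubernetes.io/<container> annotation.
# grep -c prints 0 and exits 1 on no match, so swallow that exit code.
count_apparmor_settings() {
  grep -c -E 'appArmorProfile:|container\.apparmor\.security\.beta\.kubernetes\.io/' "$1" || true
}

# Return 0 when the manifest carries no AppArmor settings, i.e. it is safe
# to schedule on a host whose kernel has AppArmor disabled; 1 otherwise.
apparmor_free() {
  [ "$(count_apparmor_settings "$1")" -eq 0 ]
}

# Host probe (assumed path): the kernel exports "Y" here when AppArmor is
# enabled. A Kind node inherits this from the runner host, which is why the
# ubuntu-latest job fails. Prints "enabled" or "disabled".
host_apparmor_state() {
  if [ -r /sys/module/apparmor/parameters/enabled ] &&
     [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Constructed sample renders (placeholder image name).
DEFAULT_RENDER=$(mktemp)
PRODUCTION_RENDER=$(mktemp)
trap 'rm -f "$DEFAULT_RENDER" "$PRODUCTION_RENDER"' EXIT

# Default values: hardening without AppArmor, renders on a vanilla cluster.
cat >"$DEFAULT_RENDER" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: tracecore
spec:
  containers:
    - name: tracecore
      image: tracecore:example
      securityContext:
        allowPrivilegeEscalation: false
EOF

# Production preset: RuntimeDefault via both the field and the annotation.
cat >"$PRODUCTION_RENDER" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: tracecore
  annotations:
    container.apparmor.security.beta.kubernetes.io/tracecore: runtime/default
spec:
  securityContext:
    appArmorProfile:
      type: RuntimeDefault
  containers:
    - name: tracecore
      image: tracecore:example
EOF

# Gate: report whether the default render would be rejected on this host.
if apparmor_free "$DEFAULT_RENDER"; then
  echo "default render: no AppArmor settings (host AppArmor: $(host_apparmor_state))"
else
  echo "default render: AppArmor settings present; kubelet rejects this on a host without AppArmor" >&2
fi
```

Wire the same two functions into install-bench: fail the job if `apparmor_free default.yaml` returns non-zero, and separately assert that the production render is not AppArmor-free, so the production-preset value cannot regress silently either.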

Metadata

Assignees

No one assigned

Labels

bug (Something isn't working)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests