Problem
PR #481 (AppArmor RuntimeDefault) merged with securityHardening.appArmorProfile.enabled: true as default in values.yaml. install-bench CI runs on ubuntu-latest GitHub runners which do NOT have AppArmor enabled on the host. Pod is rejected with:
Status: Failed
Reason: AppArmor
Message: Pod was rejected: Cannot enforce AppArmor: AppArmor is not enabled on the host
Failing CI jobs: install-bench (ubuntu-latest), install (kind), upgrade (kind), verify-lint, verify. Affects PR #491, #484, #479, #431 + any new PR.
Root cause
Default-on AppArmor RuntimeDefault in values.yaml violates the "chart renders on a vanilla cluster" contract. The defense-in-depth posture is correct for the production preset (values-production.yaml), but the default values must render and schedule on a bare ubuntu-latest runner.
Fix
Pick one:
- (a) Flip the values.yaml default securityHardening.appArmorProfile.enabled to false. Keep the production preset at true. Chart contract restored.
- (b) Add a Helm .Capabilities-style preflight that probes host AppArmor before emitting the structured field. But Helm's .Capabilities only exposes API versions and the Kubernetes/Helm versions at template time; nothing there reports node-level AppArmor support, so this is non-trivial.
- (c) Remove the default-on and add a documented opt-in path. Document in the chart README that the production preset enables it.
Pick (a): minimal viable fix. Default-on hardening features should require explicit operator opt-in per chart hygiene best practice.
Acceptance
- values.yaml default flipped to enabled: false.
- values-production.yaml retains enabled: true.
- helm template install/kubernetes/tracecore (default values) renders WITHOUT an AppArmor field or annotation.
- install-bench passes on ubuntu-latest again.
- README clarified: AppArmor hardening is a production-preset feature, opt-in for the default values.
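As an added example (not the chart's own code and not part of PR #481), a shell preflight that a CI job could run against the rendered manifest. It covers the acceptance check above (no AppArmor field or annotation in the default render) and does the host probe from option (b) at CI time, where it is possible, rather than at template time. It assumes the manifest has been saved to a file, reads the kernel's AppArmor enabled flag at /sys/module/apparmor/parameters/enabled (the knob the kubelet checks; the path is overridable for testing), and matches both the structured securityContext.appArmorProfile field (Kubernetes 1.30+) and the legacy container.apparmor.security.beta.kubernetes.io/<container> annotation. Function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: CI preflight for the AppArmor hardening toggle.
# Not the tracecore chart's code; function names are hypothetical.
set -u

# Report whether this host can enforce AppArmor.
# $1: path of the AppArmor "enabled" parameter file. Defaults to the real
#     kernel path; pass another file to exercise the check on hosts without AppArmor.
host_apparmor_enabled() {
  local param="${1:-/sys/module/apparmor/parameters/enabled}"
  [ -r "$param" ] && [ "$(tr -d '[:space:]' < "$param")" = "Y" ]
}

# Return 0 if the rendered manifest ($1) contains either the structured
# securityContext.appArmorProfile field or the legacy per-container annotation.
manifest_has_apparmor() {
  grep -Eq 'appArmorProfile:|container\.apparmor\.security\.beta\.kubernetes\.io/' "$1"
}

# Fail fast with a readable message instead of waiting for the kubelet to
# reject the pod. $1: rendered manifest; $2: optional AppArmor parameter path override.
preflight() {
  local manifest="$1" param="${2:-}"
  if manifest_has_apparmor "$manifest" && ! host_apparmor_enabled "$param"; then
    echo "preflight: chart emits an AppArmor profile but AppArmor is not enabled on this host" >&2
    return 1
  fi
  return 0
}

# Usage in the install-bench job (the helm invocation is the one from the acceptance list):
#   helm template install/kubernetes/tracecore > /tmp/default.yaml
#   preflight /tmp/default.yaml || exit 1
```

With the default values after fix (a), manifest_has_apparmor returns non-zero and the preflight passes regardless of the runner; with values-production.yaml it only passes on a host whose kernel reports AppArmor enabled, which is exactly the condition the kubelet enforces.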
Refs
PR #481 (regression source), PR #491 / #484 / #479 / #431 (blocked).