feat(chart): version-gated AppArmor RuntimeDefault on DaemonSet (M5b)#481
Merged
Conversation
Restricted PSS permits an undefined AppArmor profile, so the chart was
compliant today; explicit RuntimeDefault narrows the syscall surface a
compromised receiver could reach against the read-only /dev/kmsg +
journald hostPath mounts and removes one item from adopter security
checklists. Triggered proactively (sibling to L31 production-preset
hardening) rather than waiting for the M5b follow-up trigger
("kubeVersion floor moves to >=1.30, or first adopter asks").
Version-gating: the structured pod.securityContext.appArmorProfile
field is GA in K8s 1.30+; on 1.28 / 1.29 (chart kubeVersion floor
>=1.28.0-0) the legacy
`container.apparmor.security.beta.kubernetes.io/<container>` pod
annotation carries the same intent. The template auto-selects via
semverCompare against .Capabilities.KubeVersion.Version; operators do
not pick the form. Toggle securityHardening.appArmorProfile.enabled
(default true) opts out; type=Localhost + localhostProfile wires a
node-preloaded custom profile (fails closed if profile name missing).
Verified locally with helm v4.2.0 + conftest dev/OPA 1.15.2:
- helm lint default + production: zero WARNINGs
- helm template default @ 1.30 / 1.28: renders structured / legacy
- helm template production @ 1.30 / 1.28: renders structured / legacy
- conftest default @ 1.30 / 1.28: 52/52 passed each
- conftest production @ 1.30 / 1.28: 91/91 passed each
- toggle off @ 1.30 / 1.28: neither code path renders
- type=Localhost without profile: fails closed with operator-visible error
- values.schema.json rejects bad type values
Cross-links: docs/threat-model.md §B1 (elevation row gains AppArmor
mitigation), install/kubernetes/tracecore/README.md §Defense-in-depth.
Closes docs/followups/M5b.md appArmor item.
Signed-off-by: Tri Lam <tree@lumalabs.ai>
Doc-check pre-push gate rejected the section-banner added in the prior commit (`# --- defense-in-depth: AppArmor RuntimeDefault ... ---`) because banner comments rot in long-lived files per STYLE.md. Existing banners in the file are grandfathered; new lines are not. Substance is unchanged — the rationale prose remains. Signed-off-by: Tri Lam <tree@lumalabs.ai>
Contributor
Author
Independent Adversarial Review: PR #481Grade: A (→ A+ after one doc fix)TDD verified. Six-way falsifier sweep covers both code paths (K8s 1.30+ structured field, 1.28/29 legacy annotation), both toggle states (enabled/disabled), failure-closed path (Localhost without localhostProfile), and custom profile path. semverCompare(">=1.30.0-0", version) correctly gates pre-release and GA 1.30 builds. Schema enum guard on FindingsCI documentation bug: Optional simplification: Cross-links✓ M5b.md appArmor checkbox flipped to [x] Logic
After the CI comment fix: approve for auto-merge. |
Signed-off-by: Tri Lam <tree@lumalabs.ai>
Contributor
Author
|
Nit fix: 'Five' → 'Six' mutation checks. Re-requesting review for A+. |
This was referenced Jun 2, 2026
trilamsr
added a commit
that referenced
this pull request
Jun 2, 2026
## Summary PR #481 shipped `securityHardening.appArmorProfile.enabled: true` as the default in `install/kubernetes/tracecore/values.yaml`. Kubelet rejects pod-create when `pod.securityContext.appArmorProfile` references a profile the host cannot resolve, so the chart no longer installs on AppArmor-less nodes — including the ubuntu-latest GitHub Actions runner image (AppArmor dropped post-2024) and RHEL/SELinux production hosts. install-bench regressed; PRs #491, #484, #479, #431 are blocked behind this. This PR implements option (a) from #492: flip the default to opt-in. `values-production.yaml` keeps `enabled: true` since AppArmor-equipped Linux clusters (the production target) ship `RuntimeDefault` via containerd / CRI-O. ## Root cause Default-on AppArmor in `values.yaml` violated the chart contract that the default render installs on a vanilla cluster. The defense-in-depth posture is correct for production-preset users; it was wrong as the unconditional default. PR #481 didn't add a CI gate to assert "default render installs on a host without AppArmor", so the regression escaped review. ## Changes - `install/kubernetes/tracecore/values.yaml`: `securityHardening.appArmorProfile.enabled: true` -> `false`; in-line guidance reflects opt-in posture and names the failing-host classes (CI runners, RHEL/SELinux). - `install/kubernetes/tracecore/values-production.yaml`: unchanged — production preset still hardens with `enabled: true`. - `install/kubernetes/tracecore/README.md`: defaults table + Defense-in-depth section explain the opt-in posture, point operators at `values-production.yaml` for the prior behavior, and link #492. - `.github/workflows/chart.yml`: AppArmor mutation tests reshuffled from 6 to 8 cases. T1/T2 now assert default render emits **no** AppArmor field or annotation on K8s 1.30 + 1.28 (regression-prevent for #492). T3/T4 cover the opt-in path (`--set enabled=true`) and pin pre-#492 production-preset behavior. T7/T8 explicitly pass `--set enabled=true` so the Localhost-profile contract still fires under the new default. Production-preset assertion (`appArmorProfile.type=RuntimeDefault` from `values-production.yaml`) is untouched. ## Backward compatibility **Behavior change for default-values users.** Operators who installed via `helm install ... install/kubernetes/tracecore` (no production preset) and depended on the AppArmor hardening that #481 added will see it disappear on next upgrade. Two ways to keep the prior behavior: ```bash # Option 1 — adopt the production preset (recommended). helm upgrade demo install/kubernetes/tracecore \ --values install/kubernetes/tracecore/values-production.yaml # Option 2 — keep your current values, just flip the flag. helm upgrade demo install/kubernetes/tracecore \ --set securityHardening.appArmorProfile.enabled=true ``` Operators who relied on the chart's documented default (#481 was three days old; opt-in is the chart-hygiene norm for defense-in-depth knobs) get a quieter install on AppArmor-less hosts. ## Test plan - [x] `helm lint install/kubernetes/tracecore` — 0 warnings. - [x] `helm template ... --kube-version 1.30.0 --show-only templates/daemonset.yaml | grep -i apparmor` — empty (default render has no AppArmor). - [x] Same with `--kube-version 1.28.0` — empty. - [x] `helm template ... --values values-production.yaml --kube-version 1.30.0` — renders `appArmorProfile.type: RuntimeDefault` (production preset unchanged). - [x] `helm template ... --set securityHardening.appArmorProfile.enabled=true --kube-version 1.30.0` — renders structured field (opt-in works). - [x] All 8 mutation tests in `.github/workflows/chart.yml` AppArmor step run locally and pass. - [x] conftest: 52/52 default render, 91/91 production render. - [x] actionlint: 0 issues on `chart.yml`. - [x] Pre-commit (golangci-lint, vet, attribute-namespace-check, test-flake-audit) — all green. - [ ] CI: chart workflow turns green on this PR. - [ ] CI: install-bench turns green on this PR (and unblocks #491 / #484 / #479 / #431 once merged). ## Refs Closes #492 (refs #481). ```release-notes **Breaking (default-values users only).** `securityHardening.appArmorProfile.enabled` now defaults to `false` in `values.yaml` so the chart installs on AppArmor-less nodes (CI runners, RHEL/SELinux). The `values-production.yaml` preset still ships `enabled: true` — production Linux clusters that package the `RuntimeDefault` profile (every distro with containerd / CRI-O) keep the hardening when they layer that preset. Operators upgrading default-values installs who want the prior behavior can either adopt `values-production.yaml` or set `--set securityHardening.appArmorProfile.enabled=true`. Fixes the install-bench regression introduced in #481. ``` Signed-off-by: Tri Lam <tree@lumalabs.ai>
This was referenced Jun 2, 2026
trilamsr
added a commit
that referenced
this pull request
Jun 2, 2026
…) (#496) ## Summary `policy-matrix.yml` workflow has been failing on every chart-touching PR (blocked #476, #481, #493) since #475 landed. The chart's production preset (`values-production.yaml`) flips `serviceMonitor.enabled=true`, which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource. Kind clusters don't ship the prometheus-operator CRDs, so `helm install --dry-run=server` exits 1 with: ``` no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" ensure CRDs are installed first ``` ## Root cause Kind ships only the core Kubernetes API set. `monitoring.coreos.com/v1` is supplied by prometheus-operator, which the policy-matrix kind cluster never installs. The chart's `templates/servicemonitor.yaml` is gated by `.Values.serviceMonitor.enabled` — default `false` (chart stays first-install-compatible on bare clusters), but the production preset enables it (kube-prometheus-stack convention). The policy-matrix gate exercises both default and production presets across PSA / Kyverno / Gatekeeper, so the production rows hit the missing CRD on every run. ## Fix Issue #494 recommended option (a) — install the missing CRD prereq. This PR adds a single workflow step after kind cluster spin-up but before the smoke script: ```yaml - name: Install prometheus-operator ServiceMonitor CRD (issue #494) run: | kubectl apply -f \ "https://github.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml" kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s ``` Design choices: - **Slim CRD (ServiceMonitor only)** vs full prometheus-operator bundle. The chart's production preset references no other `monitoring.coreos.com` kinds. Slim install (~700 lines of YAML) avoids pulling Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, PrometheusRule we don't exercise. - **Applied to every matrix row** (not just production). A future flip of the default `serviceMonitor.enabled` toggle cannot silently re-break this gate. - **Pinned to `v0.91.0`** (latest stable, published 2026-05-05). Matches the existing `KYVERNO_POLICIES_REF` / `GATEKEEPER_VERSION` pin convention in `scripts/policy-matrix-smoke.sh`. Bumping is a reviewed code change — never tracks `main`. - **`kubectl wait --for=condition=established`** before the helm dry-run so the apiserver has registered the CRD when the chart template reaches the admission chain (avoids a race where the dry-run hits before discovery refreshes). ## Gatekeeper CRD timing Re-audited — `install_gatekeeper()` in `scripts/policy-matrix-smoke.sh` already polls `kubectl get crd ...constraints.gatekeeper.sh` (line 143-149) and the constraint `byPod[*].enforced` field (line 270-276) before the smoke step exits. The `kubectl get constraints -A || true` in the failure-collection step is diagnostic only and already tolerates absent CRDs. No timing fix needed there. ## Why not install-bench / chart.yml - `install-bench.yml` uses `bench/install/tracecore-values.yaml` which doesn't enable serviceMonitor — same failure shape doesn't apply. - `chart.yml`'s `install` and `upgrade` jobs install with default values (`serviceMonitor.enabled=false`); the `render` job's production-preset check is `helm template` only (no cluster), so no API discovery runs. ## Test plan - [x] `actionlint .github/workflows/policy-matrix.yml` — exit 0 - [x] `actionlint` across all `.github/workflows/` — exit 0 - [x] Pre-push hook suite passed locally (golangci-lint, vet, mod verify, attribute-namespace-check, zizmor, doc-check, alert-check, chart-appversion-check, rfc-status-check, slo-rules-check, deprecation-check, no-autoupdate-check, test-flake-audit) - [ ] policy-matrix workflow runs green on this PR — all 6 matrix rows (psa × default, psa × production, kyverno × default, kyverno × production, gatekeeper × default, gatekeeper × production) plus all 3 mutation rows. Closes #494. ```release-notes ci: install prometheus-operator ServiceMonitor CRD in policy-matrix kind cluster so chart-touching PRs no longer fail on the production preset's ServiceMonitor render ``` Signed-off-by: Tri Lam <tree@lumalabs.ai>
This was referenced Jun 2, 2026
trilamsr
added a commit
that referenced
this pull request
Jun 2, 2026
## Summary Removes `.github/workflows/policy-matrix.yml`. Engine-specific admission validation (PSA-restricted × Kyverno × Gatekeeper × default+production) delivered negative ROI at rc1. ## Root cause 4 PRs blocked or chasing this workflow's flakes (#475 introduction, #481, #498, #501). Caught zero real regressions; only its own infra bugs: - ServiceMonitor CRD bootstrap race (#494) - AppArmor host-capability mismatch (#481 → #493) - kubectl wait .status.conditions nil race (#500 → #501) ## Coverage retained (without policy-matrix) - `conftest` — offline PSS-baseline + restricted validation. - `helm lint` — chart structural validation. - `kubeconform` — K8s API conformance. - `kubectl apply --dry-run=server` (chart.yml install/upgrade jobs) — API-level breakage on generic kind cluster. ## What stays in tree - `scripts/policy-matrix-smoke.sh` + Gatekeeper/Kyverno bundle refs — cheap reactivation when GA triggers fire. - `install/kubernetes/tracecore/policies/conftest/**` — offline policy bundle (still active). ## Re-enable triggers (tracked in #502) - GA criterion #1 (third-party audit) requests engine-specific compat validation. - First operator running under Kyverno/Gatekeeper reports admission rot. - CRD-bootstrap pattern stabilises across other workflows. ## Test plan - [x] `make doc-check` exit 0 (post comment-edit in kind-cluster-setup action.yml). - [x] No remaining policy-matrix.yml references in repo (verified by grep). - [x] Pre-commit hooks green (lint/vet/mod-verify/attribute-namespace). - [x] README + install-bench stale refs scrubbed (follow-up commit). ```release-notes ci: defer engine-specific policy-matrix workflow (PSA × Kyverno × Gatekeeper admission validation) to GA. Coverage retained via conftest + helm lint + kubeconform + kubectl apply --dry-run=server. Re-enable tracked in #502. ``` Refs #502 #475 #494 #500. --------- Signed-off-by: Tri Lam <tree@lumalabs.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
appArmorProfile: { type: RuntimeDefault }on the DaemonSet pod via newsecurityHardening.appArmorProfilevalues key (defaultenabled: true). On Kubernetes 1.30+ emits the GA structuredpod.securityContext.appArmorProfilefield; on 1.28 / 1.29 (chartkubeVersionfloor>=1.28.0-0) falls back to the legacycontainer.apparmor.security.beta.kubernetes.io/<container>: runtime/defaultpod annotation. Auto-selected viasemverCompareagainst.Capabilities.KubeVersion.Version; operators do not pick the form.install/kubernetes/tracecore/README.md§"Defense-in-depth above restricted-PSS" and a new STRIDE elevation row underdocs/threat-model.md§B1 (host filesystem reads)..github/workflows/chart.ymlexercises six falsifiers: default render @ 1.30 (structured field, no annotation), default render @ 1.28 (legacy annotation, no structured field), toggle-off @ 1.30 and @ 1.28 (neither code path renders),type: LocalhostwithoutlocalhostProfile(fails closed with operator-visible error), andtype: Localhostwith profile (custom path renders through). The production-preset CI step also asserts the structured field at the embedded helm kubeVersion. Closes the appArmor item indocs/followups/M5b.md.Root cause
Restricted PSS permits an undefined AppArmor profile, so the chart was compliant today — but stricter-local-policy clusters and adopter security checklists flag the absence. The chart didn't pin a defense-in-depth layer that costs nothing on Linux nodes. Shipped proactively (sibling to L31 production-preset hardening) rather than waiting for the M5b follow-up trigger ("kubeVersion floor moves to >=1.30, or first adopter asks").
Local verification
Ran end-to-end against
helm v4.2.0+conftest dev / OPA 1.15.2locally:helm lint install/kubernetes/tracecore+helm lint -f values-production.yaml— both zero WARNINGs.helm template --kube-version 1.30.0and--kube-version 1.28.0for both default values and the production preset — all four exit 0.conftest test --policy policies/conftest/tracecore.regoagainst all four renders —52/52 + 52/52 + 91/91 + 91/91tests passed.bad-*.yamlfixtures still denied;good-baseline.yaml+good-sys-ptrace.yamlstill passed.type: LocalhostwithoutlocalhostProfile→ render fails closed withlocalhostProfile to be setmessage;type: Localhostwith profile → structured field carries custom path.values.schema.jsonrejectstype: BadValuewith the upstream JSON-schema enum error.golangci-lint,go vet,go mod verify,attribute-namespace-check) and pre-push hooks (doc-check,no-autoupdate-check) all green.Test plan
chart / renderstep passes the new M5b appArmor falsifier.chart / renderproduction-preset assertion lights up (structured field at embedded helm kubeVersion).chart / install (kind)rolls clean — kind clusters in CI run K8s ≥1.30, so the structured field path is the one exercised at install time.Cross-links
docs/followups/M5b.mdappArmor item — flipped to[x]with link back to this PR's chart README + threat-model anchors.docs/threat-model.md§B1 — gains an Elevation STRIDE row naming AppArmorRuntimeDefaultas the defense-in-depth above restricted-PSS for the/dev/kmsg+ journald hostPath surface.install/kubernetes/tracecore/README.md§Defense-in-depth above restricted-PSS — operator-facing explanation of which form renders per kubeVersion.Grade
A+: TDD-verified six-way falsifier sweep covers both code paths and the failure-closed path. Defaults-on with explicit opt-out; sibling-style with
tls/networkPolicy/podDisruptionBudgettoggle conventions in the existing chart. Threat-model row, README §security cross-link, schema enum guard, and production-preset duplicate-render assertion all wired. Closes the M5b appArmor follow-up without breaking the default render on any supported kubeVersion.