Upgrade K8S Dependencies to Support AppArmor Configuration in Pod Specs #669

Open
liymike opened this issue Dec 3, 2024 · 1 comment
Labels
kind/bug Something isn't working

liymike commented Dec 3, 2024

What happened:

I have encountered an issue where the AppArmor configurations specified in the Pod specifications are not being applied. This appears to be due to the current Kubernetes version used in the HAMi project, which does not support defining AppArmor profiles within the securityContext of Pods or containers.

Starting from Kubernetes v1.30, AppArmor profiles can be specified directly in the securityContext field of Pods and containers, simplifying the configuration process. In earlier versions, AppArmor settings were applied using annotations, which are now deprecated.

securityContext:
  appArmorProfile:
    type: Unconfined

What you expected to happen:

To resolve this issue and enable proper AppArmor configuration, I recommend upgrading the following dependencies. This upgrade will allow the use of the appArmorProfile field within the securityContext, ensuring that AppArmor settings are correctly applied to Pods and containers.

k8s.io/api v0.29.3 -> v0.31.1+
k8s.io/apimachinery v0.29.3 -> v0.31.1+
k8s.io/client-go v0.29.3 -> v0.31.1+
k8s.io/kube-scheduler v0.28.3 -> v0.31.1+
k8s.io/kubelet v0.29.3 -> v0.31.1+

How to reproduce it (as minimally and precisely as possible):

  1. Deploy Cilium CNI on a Kubernetes 1.30 or 1.31 Cluster:
  • Install the Cilium CNI plugin on your Kubernetes cluster running version 1.30 or 1.31.
  • After deployment, inspect the securityContext of the Cilium Pods to verify the presence of AppArmor configurations.
  2. Deploy the Hami Scheduler:
  • Set up the Hami Scheduler in your cluster.
  3. Delete a Cilium Pod and Wait for Recreation:
  • Manually delete any Cilium Pod using kubectl delete pod .
  • Wait for Kubernetes to automatically recreate the Pod.
  4. Inspect the Newly Created Cilium Pod:
  • Examine the securityContext of the newly created Cilium Pod.
  • Observe that the AppArmor configuration is missing from the securityContext.

Anything else we need to know?:

Environment:

  • HAMi version: 2.3.13
  • nvidia driver or other AI device driver version:
  • Docker version from docker version
  • Docker command, image and tag used
  • Kernel version from uname -a
  • Others:
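
An illustration of the failure described in this issue, added here and not part of the original report or HAMi's code: assuming the field is lost when a component decodes a pod into types that predate `appArmorProfile` and writes it back, the check below reports which fields do not survive such a round trip. `oldPod`, `samplePod`, `dropped` and `lostInRoundTrip` are hypothetical names, and plain `encoding/json` stands in for the Kubernetes libraries.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Hypothetical stand-in for a pod type that predates appArmorProfile (not k8s.io/api).
type oldPod struct {
	Spec struct {
		SecurityContext *struct {
			RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
		} `json:"securityContext,omitempty"`
	} `json:"spec"`
}

// Constructed sample: a pod spec that carries the v1.30+ appArmorProfile field.
const samplePod = `{"spec":{"securityContext":{"runAsNonRoot":true,"appArmorProfile":{"type":"Unconfined"}}}}`

// dropped lists every object path present in before but missing from after.
func dropped(prefix string, before, after any) []string {
	var out []string
	bm, _ := before.(map[string]any)
	am, _ := after.(map[string]any)
	for k, bv := range bm {
		if av, ok := am[k]; ok {
			out = append(out, dropped(prefix+"."+k, bv, av)...)
		} else {
			out = append(out, prefix+"."+k)
		}
	}
	sort.Strings(out)
	return out
}

// lostInRoundTrip decodes raw into oldPod, re-encodes it, and reports what vanished.
func lostInRoundTrip(raw []byte) ([]string, error) {
	var typed oldPod
	var before, after any
	if err := json.Unmarshal(raw, &typed); err != nil {
		return nil, err
	}
	mutated, _ := json.Marshal(typed) // cannot fail for this plain struct
	json.Unmarshal(raw, &before)      // raw already parsed without error above
	json.Unmarshal(mutated, &after)   // Marshal output is always valid JSON
	return dropped("", before, after), nil
}

func main() { fmt.Println(lostInRoundTrip([]byte(samplePod))) }
```

The same comparison, run on a pod as submitted and as stored after admission, shows whether a security setting was removed in transit.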
@archlitchi
Collaborator

Thanks, we will upgrade these Go modules in the next version. BTW, you are always welcome to submit a PR to fix that yourself :)
