fix: container.apparmor.security.beta.kubernetes.io deprecated

steadybit · Aug 30, 2024 · 6ea85fe · 6ea85fe
1 parent d72dca9
commit 6ea85fe
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 1 deletion.
diff --git a/charts/steadybit-extension-host/Chart.yaml b/charts/steadybit-extension-host/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-host
 description: Steadybit host extension Helm chart for Kubernetes.
-version: 1.1.19
+version: 1.1.20
 appVersion: v1.2.21
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png

diff --git a/charts/steadybit-extension-host/templates/daemonset.yaml b/charts/steadybit-extension-host/templates/daemonset.yaml
@@ -32,7 +32,9 @@ spec:
  {{- toYaml . | nindent 8 }}
  {{- end }}
  annotations:
+ {{- if semverCompare "<1.30" .Capabilities.KubeVersion.Version}}
  "container.apparmor.security.beta.kubernetes.io/{{ include "extensionlib.names.name" . }}": unconfined
+ {{- end }}
  {{- include "extensionlib.annotation" (list . .Values.containerPorts.http (list "ACTION" "DISCOVERY") ) | nindent 8 }}
  oneagent.dynatrace.com/injection: "false"
  {{- with .Values.podAnnotations }}
@@ -109,6 +111,10 @@ spec:
  path: /health/readiness
  port: {{ .Values.containerPorts.health }}
  securityContext:
+ {{- if semverCompare ">=1.30" .Capabilities.KubeVersion.Version}}
+ appArmorProfile:
+ type: Unconfined
+ {{- end }}
  seccompProfile:
  type: Unconfined
  capabilities:

diff --git a/charts/steadybit-extension-host/tests/__snapshot__/daemonset_test.yaml.snap b/charts/steadybit-extension-host/tests/__snapshot__/daemonset_test.yaml.snap
@@ -245,6 +245,124 @@ manifest should match snapshot with TLS:
  rollingUpdate:
  maxUnavailable: 1
  type: RollingUpdate
+manifest should match snapshot with appArmorProfile for k8s >= 1.30:
+ 1: |
+ apiVersion: apps/v1
+ kind: DaemonSet
+ metadata:
+ labels:
+ steadybit.com/discovery-disabled: "true"
+ steadybit.com/extension: "true"
+ name: RELEASE-NAME-steadybit-extension-host
+ namespace: NAMESPACE
+ spec:
+ selector:
+ matchLabels:
+ app: steadybit-extension-host
+ app.kubernetes.io/name: steadybit-extension-host
+ template:
+ metadata:
+ annotations:
+ oneagent.dynatrace.com/injection: "false"
+ steadybit.com/extension-auto-discovery: |
+ {"extensions":[{"port":8085,"protocol":"http","types":["ACTION","DISCOVERY"]}]}
+ labels:
+ app: steadybit-extension-host
+ app.kubernetes.io/name: steadybit-extension-host
+ steadybit.com/discovery-disabled: "true"
+ steadybit.com/extension: "true"
+ spec:
+ containers:
+ - env:
+ - name: STEADYBIT_EXTENSION_PORT
+ value: "8085"
+ - name: STEADYBIT_EXTENSION_HEALTH_PORT
+ value: "8081"
+ - name: STEADYBIT_LOG_LEVEL
+ value: INFO
+ - name: STEADYBIT_LOG_FORMAT
+ value: text
+ image: ghcr.io/steadybit/extension-host:v0.0.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /health/liveness
+ port: 8081
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: steadybit-extension-host
+ ports:
+ - containerPort: 8085
+ name: http
+ - containerPort: 8081
+ name: health
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health/readiness
+ port: 8081
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 32Mi
+ securityContext:
+ appArmorProfile:
+ type: Unconfined
+ capabilities:
+ add:
+ - SYS_ADMIN
+ - SYS_CHROOT
+ - SYS_RESOURCE
+ - SYS_BOOT
+ - NET_RAW
+ - SYS_TIME
+ - SYS_PTRACE
+ - KILL
+ - NET_ADMIN
+ - DAC_OVERRIDE
+ - SETUID
+ - SETGID
+ - AUDIT_WRITE
+ readOnlyRootFilesystem: true
+ runAsGroup: 10000
+ runAsNonRoot: true
+ runAsUser: 10000
+ seccompProfile:
+ type: Unconfined
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-dir
+ - mountPath: /sys/fs/cgroup
+ name: cgroup-root
+ - mountPath: /run/steadybit/runc
+ name: runc-root
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ hostPID: true
+ serviceAccountName: steadybit-extension-host
+ volumes:
+ - emptyDir: {}
+ name: tmp-dir
+ - hostPath:
+ path: /sys/fs/cgroup
+ type: Directory
+ name: cgroup-root
+ - emptyDir: {}
+ name: runc-root
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
 manifest should match snapshot with different containerPorts:
  1: |
  apiVersion: apps/v1

diff --git a/charts/steadybit-extension-host/tests/daemonset_test.yaml b/charts/steadybit-extension-host/tests/daemonset_test.yaml
@@ -2,10 +2,19 @@ templates:
  - daemonset.yaml
 chart:
  appVersion: v0.0.0
+capabilities:
+ majorVersion: 1
+ minorVersion: 29
 tests:
  - it: manifest should match snapshot without TLS
  asserts:
  - matchSnapshot: { }
+ - it: manifest should match snapshot with appArmorProfile for k8s >= 1.30
+ capabilities:
+ majorVersion: 1
+ minorVersion: 30
+ asserts:
+ - matchSnapshot: { }
  - it: manifest should match snapshot using podAnnotations, podLabels and resources
  set:
  podAnnotations: