feat: mount /sys/kernel/security into kubelet
This allows the kubelet to detect AppArmor.

Signed-off-by: Andrew Rynhard <andrew@rynhard.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
andrewrynhard authored and smira committed May 7, 2024
1 parent 817f181 commit 4aac5b4
Showing 1 changed file with 1 addition and 0 deletions.
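--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -120,6 +120,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 mounts := []specs.Mount{
 {Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "sysfs", Destination: "/sys", Source: "/sys", Options: []string{"bind", "ro"}},
+{Type: "securityfs", Destination: "/sys/kernel/security", Source: "/sys/kernel/security", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},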
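Review bot: The new `securityfs` entry in the `mounts` slice has no comment saying why the kubelet needs it, which is not obvious from the line because `/sys` is already mounted just above it. I would add `// securityfs is not carried by the non-recursive /sys bind; the kubelet reads it to detect AppArmor, so keep it read-only` above the entry. The `ro` option matters here because securityfs also carries LSM policy interfaces, so the comment should make clear it must not be relaxed to `rw`. The mount is unconditional, so container start presumably depends on `/sys/kernel/security` existing on the host; that is worth confirming for kernels built without securityfs. The body of `Runner` starts and ends outside this hunk.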
