chore: add test for apparmor

Add a test that verifies pods can be scheduled with `RuntimeDefault`
apparmor profile.

Signed-off-by: Noel Georgi <git@frezbo.dev>

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-07-23T13:11:57Z by kres faf91e3.
+# Generated on 2024-07-30T14:54:22Z by kres faf91e3.
 
 name: default
 concurrency:
@@ -1890,22 +1890,6 @@ jobs:
           VIA_MAINTENANCE_MODE: "true"
         run: |
           sudo -E make e2e-qemu
-      - name: e2e-siderolink
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          VIA_MAINTENANCE_MODE: "true"
-          WITH_SIDEROLINK_AGENT: "true"
-        run: |
-          sudo -E make e2e-qemu
-      - name: e2e-siderolink-tunnel
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          VIA_MAINTENANCE_MODE: "true"
-          WITH_SIDEROLINK_AGENT: tunnel
-        run: |
-          sudo -E make e2e-qemu
       - name: save artifacts
         if: always()
         uses: actions/upload-artifact@v4
@@ -2205,6 +2189,13 @@ jobs:
           WITH_SIDEROLINK_AGENT: tunnel
         run: |
           sudo -E make e2e-qemu
+      - name: e2e-apparmor
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_APPARMOR_LSM_ENABLED: "yes"
+        run: |
+          sudo -E make e2e-qemu
       - name: save artifacts
         if: always()
         uses: actions/upload-artifact@v4

.github/workflows/integration-misc-1-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-05-27T16:20:10Z by kres bcb280a.
+# Generated on 2024-07-30T14:54:22Z by kres faf91e3.
 
 name: integration-misc-1-cron
 concurrency:
@@ -97,22 +97,6 @@ jobs:
           VIA_MAINTENANCE_MODE: "true"
         run: |
           sudo -E make e2e-qemu
-      - name: e2e-siderolink
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          VIA_MAINTENANCE_MODE: "true"
-          WITH_SIDEROLINK_AGENT: "true"
-        run: |
-          sudo -E make e2e-qemu
-      - name: e2e-siderolink-tunnel
-        env:
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          VIA_MAINTENANCE_MODE: "true"
-          WITH_SIDEROLINK_AGENT: tunnel
-        run: |
-          sudo -E make e2e-qemu
       - name: save artifacts
         if: always()
         uses: actions/upload-artifact@v4

.github/workflows/integration-misc-4-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-05-27T16:20:10Z by kres bcb280a.
+# Generated on 2024-07-30T14:54:22Z by kres faf91e3.
 
 name: integration-misc-4-cron
 concurrency:
@@ -90,6 +90,13 @@ jobs:
           WITH_SIDEROLINK_AGENT: tunnel
         run: |
           sudo -E make e2e-qemu
+      - name: e2e-apparmor
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_APPARMOR_LSM_ENABLED: "yes"
+        run: |
+          sudo -E make e2e-qemu
       - name: save artifacts
         if: always()
         uses: actions/upload-artifact@v4

.kres.yaml

@@ -742,22 +742,6 @@ spec:
             VIA_MAINTENANCE_MODE: true
             DISABLE_DHCP_HOSTNAME: true
             IMAGE_REGISTRY: registry.dev.siderolabs.io
-        - name: e2e-siderolink
-          command: e2e-qemu
-          withSudo: true
-          environment:
-            SHORT_INTEGRATION_TEST: yes
-            WITH_SIDEROLINK_AGENT: true
-            VIA_MAINTENANCE_MODE: true
-            IMAGE_REGISTRY: registry.dev.siderolabs.io
-        - name: e2e-siderolink-tunnel
-          command: e2e-qemu
-          withSudo: true
-          environment:
-            SHORT_INTEGRATION_TEST: yes
-            WITH_SIDEROLINK_AGENT: tunnel
-            VIA_MAINTENANCE_MODE: true
-            IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
           conditions:
             - always
@@ -935,6 +919,13 @@ spec:
             WITH_SIDEROLINK_AGENT: tunnel
             VIA_MAINTENANCE_MODE: true
             IMAGE_REGISTRY: registry.dev.siderolabs.io
+        - name: e2e-apparmor
+          command: e2e-qemu
+          withSudo: true
+          environment:
+            SHORT_INTEGRATION_TEST: yes
+            WITH_APPARMOR_LSM_ENABLED: yes
+            IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: save-talos-logs
           conditions:
             - always

hack/test/e2e-qemu.sh

@@ -161,6 +161,21 @@ case "${WITH_SIDEROLINK_AGENT:-false}" in
     ;;
 esac
 
+case "${WITH_APPARMOR_LSM_ENABLED:-false}" in
+  false)
+    ;;
+  *)
+    cat <<EOF > "${TMP}/kernel-security.patch"
+machine:
+  install:
+    extraKernelArgs:
+      - security=apparmor
+EOF
+
+    QEMU_FLAGS+=("--config-patch=@${TMP}/kernel-security.patch")
+    ;;
+esac
+
 function create_cluster {
   build_registry_mirrors
 

internal/integration/base/k8s.go

@@ -391,6 +391,10 @@ func (k8sSuite *K8sSuite) ApplyManifests(ctx context.Context, manifests []unstru
 			k8sSuite.Require().NoError(err, "error creating mapping for object %s", obj.GetName())
 		}
 
+		if obj.GetNamespace() == "" {
+			k8sSuite.T().Fatalf("namespace not set for object %s, kind %s", obj.GetName(), obj.GetObjectKind().GroupVersionKind())
+		}
+
 		dr := k8sSuite.DynamicClient.Resource(mapping.Resource).Namespace(obj.GetNamespace())
 
 		_, err = dr.Create(ctx, &obj, metav1.CreateOptions{})

internal/integration/k8s/apparmor.go

@@ -0,0 +1,74 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+//go:build integration_k8s
+
+package k8s
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"strings"
+	"time"
+
+	"github.com/siderolabs/talos/internal/integration/base"
+)
+
+// ApparmorSuite verifies that a pod with apparmor security context with `RuntimeDefault` works.
+type ApparmorSuite struct {
+	base.K8sSuite
+}
+
+//go:embed testdata/apparmor.yaml
+var apparmorPodSpec []byte
+
+// SuiteName returns the name of the suite.
+func (suite *ApparmorSuite) SuiteName() string {
+	return "k8s.ApparmorSuite"
+}
+
+// TestApparmor verifies that a pod with apparmor security context with `RuntimeDefault` works.
+func (suite *ApparmorSuite) TestApparmor() {
+	if suite.Cluster == nil {
+		suite.T().Skip("without full cluster state reaching out to the node IP is not reliable")
+	}
+
+	if suite.Cluster.Provisioner() != "qemu" {
+		suite.T().Skip("skipping apparmor test since provisioner is not qemu")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
+	suite.T().Cleanup(cancel)
+
+	reader, err := suite.Client.Read(ctx, "/sys/kernel/security/lsm")
+	suite.Require().NoError(err)
+
+	// read from reader into a buffer
+	var lsm bytes.Buffer
+
+	_, err = lsm.ReadFrom(reader)
+	suite.Require().NoError(err)
+
+	if !strings.Contains(lsm.String(), "apparmor") {
+		suite.T().Skip("skipping apparmor test since apparmor is not enabled")
+	}
+
+	apparmorPodManifest := suite.ParseManifests(apparmorPodSpec)
+
+	suite.T().Cleanup(func() {
+		cleanUpCtx, cleanupCancel := context.WithTimeout(context.Background(), time.Minute)
+		defer cleanupCancel()
+
+		suite.DeleteManifests(cleanUpCtx, apparmorPodManifest)
+	})
+
+	suite.ApplyManifests(ctx, apparmorPodManifest)
+
+	suite.Require().NoError(suite.WaitForPodToBeRunning(ctx, time.Minute, "default", "nginx-apparmor"))
+}
+
+func init() {
+	allSuites = append(allSuites, new(ApparmorSuite))
+}

internal/integration/k8s/testdata/apparmor.yaml

@@ -0,0 +1,18 @@
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: nginx-apparmor
+  name: nginx-apparmor
+  namespace: default
+spec:
+  containers:
+  - image: nginx
+    name: nginx-apparmor
+    resources: {}
+  dnsPolicy: ClusterFirst
+  securityContext:
+    appArmorProfile:
+      type: RuntimeDefault
+  restartPolicy: Always