fix: The 'AppArmor' feature gate is removed from kubernetes 1.33

Signed-off-by: Takuya Murakami <murakami_da@nec.com>
2025-12-13 21:34:40 +03:00 · 2025-05-13 19:24:57 +09:00
parent 871941f663
commit cee065920f
2 changed files with 1 additions and 13 deletions
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -18,8 +18,6 @@ The **kubernetes** version should be at least `v1.23.6` to have all the most rec

 ## kube-apiserver
 authorization_modes: ['Node', 'RBAC']
-# AppArmor-based OS
-# kube_apiserver_feature_gates: ['AppArmor=true']
 kube_apiserver_request_timeout: 120s
 kube_apiserver_service_account_lookup: true

@@ -77,14 +75,10 @@ remove_anonymous_access: true
 ## kube-controller-manager
 kube_controller_manager_bind_address: 127.0.0.1
 kube_controller_terminated_pod_gc_threshold: 50
-# AppArmor-based OS
-# kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
 kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]

 ## kube-scheduler
 kube_scheduler_bind_address: 127.0.0.1
-# AppArmor-based OS
-# kube_scheduler_feature_gates: ["AppArmor=true"]

 ## etcd
 etcd_deployment_type: kubeadm
@@ -126,7 +120,6 @@ Let's take a deep look to the resultant **kubernetes** configuration:
 * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
 * The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
  See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject.
-* If you are installing **kubernetes** in an AppArmor-based OS (eg. Debian/Ubuntu) you can enable the `AppArmor` feature gate uncommenting the lines with the comment `# AppArmor-based OS` on top.
 * The `kubelet_systemd_hardening`, both with `kubelet_secure_addresses` setup a minimal firewall on the system. To better understand how these variables work, here's an explanatory image:
  ![kubelet hardening](img/kubelet-hardening.png)

--- a/tests/files/ubuntu20-calico-all-in-one-hardening.yml
+++ b/tests/files/ubuntu20-calico-all-in-one-hardening.yml
@@ -13,8 +13,6 @@ enable_nodelocaldns: false
 # The followings are for hardening
 ## kube-apiserver
 authorization_modes: ['Node', 'RBAC']
-# AppArmor-based OS
-kube_apiserver_feature_gates: ['AppArmor=true']
 kube_apiserver_request_timeout: 120s
 kube_apiserver_service_account_lookup: true

@@ -65,13 +63,10 @@ kube_profiling: false
 ## kube-controller-manager
 kube_controller_manager_bind_address: 127.0.0.1
 kube_controller_terminated_pod_gc_threshold: 50
-# AppArmor-based OS
-kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
+kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]

 ## kube-scheduler
 kube_scheduler_bind_address: 127.0.0.1
-# AppArmor-based OS
-kube_scheduler_feature_gates: ["AppArmor=true"]

 ## etcd
 etcd_deployment_type: kubeadm