From cee065920f2a031f91122dd15a3c4b4a65260d54 Mon Sep 17 00:00:00 2001
From: Takuya Murakami
Date: Tue, 13 May 2025 19:24:57 +0900
Subject: [PATCH] fix: The 'AppArmor' feature gate is removed from kubernetes 1.33
Signed-off-by: Takuya Murakami
---
docs/operations/hardening.md | 7 -------
tests/files/ubuntu20-calico-all-in-one-hardening.yml | 7 +------
2 files changed, 1 insertion(+), 13 deletions(-)
diff --git a/docs/operations/hardening.md b/docs/operations/hardening.md
index 2cf54850b..3aba0dc37 100644
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -18,8 +18,6 @@ The **kubernetes** version should be at least `v1.23.6` to have all the most rec
 ## kube-apiserver
 authorization_modes: ['Node', 'RBAC']
-# AppArmor-based OS
-# kube_apiserver_feature_gates: ['AppArmor=true']
 kube_apiserver_request_timeout: 120s
 kube_apiserver_service_account_lookup: true
@@ -77,14 +75,10 @@ remove_anonymous_access: true
 ## kube-controller-manager
 kube_controller_manager_bind_address: 127.0.0.1
 kube_controller_terminated_pod_gc_threshold: 50
-# AppArmor-based OS
-# kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
 kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
 ## kube-scheduler
 kube_scheduler_bind_address: 127.0.0.1
-# AppArmor-based OS
-# kube_scheduler_feature_gates: ["AppArmor=true"]
 ## etcd
 etcd_deployment_type: kubeadm
@@ -126,7 +120,6 @@ Let's take a deep look to the resultant **kubernetes** configuration:
 * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
 * The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`. See for more information on the subject.
-* If you are installing **kubernetes** in an AppArmor-based OS (eg. Debian/Ubuntu) you can enable the `AppArmor` feature gate uncommenting the lines with the comment `# AppArmor-based OS` on top.
 * The `kubelet_systemd_hardening`, both with `kubelet_secure_addresses` setup a minimal firewall on the system. To better understand how these variables work, here's an explanatory image:
 ![kubelet hardening](img/kubelet-hardening.png)
diff --git a/tests/files/ubuntu20-calico-all-in-one-hardening.yml b/tests/files/ubuntu20-calico-all-in-one-hardening.yml
index 5dafe23bf..b684c1f25 100644
--- a/tests/files/ubuntu20-calico-all-in-one-hardening.yml
+++ b/tests/files/ubuntu20-calico-all-in-one-hardening.yml
@@ -13,8 +13,6 @@ enable_nodelocaldns: false
 # The followings are for hardening
 ## kube-apiserver
 authorization_modes: ['Node', 'RBAC']
-# AppArmor-based OS
-kube_apiserver_feature_gates: ['AppArmor=true']
 kube_apiserver_request_timeout: 120s
 kube_apiserver_service_account_lookup: true
@@ -65,13 +63,10 @@ kube_profiling: false
 ## kube-controller-manager
 kube_controller_manager_bind_address: 127.0.0.1
 kube_controller_terminated_pod_gc_threshold: 50
-# AppArmor-based OS
-kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
+kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
 ## kube-scheduler
 kube_scheduler_bind_address: 127.0.0.1
-# AppArmor-based OS
-kube_scheduler_feature_gates: ["AppArmor=true"]
 ## etcd
 etcd_deployment_type: kubeadm
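Review bot: The rewritten `kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]` line keeps a gate that is, to my knowledge, also long GA and therefore on the same lock-to-default/removal track that just turned `AppArmor=true` into a kube-controller-manager startup failure; verifying it against the v1.33 feature-gate table before this lands would avoid a repeat of this fix. If it is still accepted, a one-line comment such as `# RotateKubeletServerCertificate is GA; re-check the feature-gate removal schedule before bumping kube_version` would make the next removal easy to spot in this inventory. Dropping the `# AppArmor-based OS` comments also leaves this hardening inventory with no mention of AppArmor at all even though confinement is still expected on the Ubuntu hosts it targets, so a comment noting that AppArmor is enabled without a gate on current releases (pods select a profile via `securityContext.appArmorProfile`) would preserve the intent of the deleted lines. The surrounding inventory keys continue outside the hunk.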