Observability plugin: node-exporter cannot start in strict mode because it fails to mount the root directory #4783

@Dzeri96

Description

Summary

After installing the observability addon in a microk8s strict snap installation, the node-exporter pod fails to start with the following error: spec: failed to generate spec: path "/" is mounted on "/" but it is not a shared or slave mount.

In dmesg I see messages like these: [2363332.633809] audit: type=1400 audit(1734209045.433:5684): apparmor="DENIED" operation="open" class="file" profile="snap.microk8s.microk8s" name="/usr/games/" pid=1643291 comm="kubectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0. I find the path weird but it probably correlates to the root mount attempt.

What Should Happen Instead?

Either a root mount is allowed, or the container starts without it.

Reproduction Steps

  1. Install microk8s from the 1.31-strict/stable channel
  2. Enable the observability addon

Introspection Report

inspection-report-20241214_233524.tar.gz

Can you suggest a fix?

To be honest, I'm glad the containment worked and no container can read the entire host filesystem.
In this issue in the prometheus repo, people have expressed concerns regarding the full root mount, but nothing has been done.
Apart from fixing the issue upstream, I guess all that can be done is to disable this mount altogether and emit a warning that some metrics won't be available in strict confinement mode.

Speaking of the upstream, after removing the root mount from the DaemonSet spec, the only error I see is Failed to open directory, disabling udev device properties" path=/host/root/run/udev/data.
It would seem like we can just mount this one directory directly and everything should work fine.

Are you interested in contributing with a fix?

Yes, but I'd rather this be fixed in the node-exporter repo.
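The two mount layouts discussed in the report, side by side, as an added example that is not part of the issue, the microk8s addon or the node-exporter project. It assumes the usual node-exporter DaemonSet shape (host root bind-mounted read-only at /host/root with mountPropagation, and --path.rootfs=/host/root), which is consistent with the /host/root/run/udev/data path in the log line above; the namespace, image tag and label names are placeholders.

```yaml
# Added example: node-exporter DaemonSet fragment showing the host-root mount
# that fails under strict confinement next to a narrower udev-only mount.
# Namespace, image tag and labels are assumed; the rest of the spec is as
# commonly deployed and left unchanged.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: observability            # assumed
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: node-exporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: node-exporter
    spec:
      hostPID: true
      hostNetwork: true
      containers:
        - name: node-exporter
          image: quay.io/prometheus/node-exporter:vX.Y.Z   # placeholder tag
          args:
            - --path.rootfs=/host/root
            - --path.procfs=/host/proc
            - --path.sysfs=/host/sys
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
            # BEFORE: the entire host root with mount propagation. With the
            # host "/" as a private mount this is what produces
            #   path "/" is mounted on "/" but it is not a shared or slave mount
            # and it also exposes the whole host filesystem to the container.
            # - name: root
            #   mountPath: /host/root
            #   mountPropagation: HostToContainer
            #   readOnly: true
            # AFTER: only the udev database, placed where node-exporter looks
            # for it relative to --path.rootfs. Collectors that resolve other
            # paths under the rootfs (e.g. the filesystem collector's statfs
            # calls) will not see host data; document that as a known gap.
            - name: udev-data
              mountPath: /host/root/run/udev/data
              readOnly: true
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
        # - name: root
        #   hostPath:
        #     path: /
        - name: udev-data
          hostPath:
            path: /run/udev/data
            type: Directory
```

The narrowed mount keeps the container to the one host directory the log asks for, so it is also the least-privilege choice; if the addon ships this variant it should log, as suggested above, which metrics are unavailable in strict mode rather than failing silently.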
