From d0d3973a13d7d8f76c0c4f5fcfc3ef95f50dbcac Mon Sep 17 00:00:00 2001
From: Sharif Elgamal
Date: Thu, 9 Jul 2020 12:58:01 -0700
Subject: [PATCH] restrict apparmor security opt to docker

---
 pkg/drivers/kic/oci/oci.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/drivers/kic/oci/oci.go b/pkg/drivers/kic/oci/oci.go
index 9ef0575f07ec..3ef6a94cfbc9 100644
--- a/pkg/drivers/kic/oci/oci.go
+++ b/pkg/drivers/kic/oci/oci.go
@@ -126,8 +126,6 @@ func CreateContainerNode(p CreateParams) error {
 		// for now this is what we want. in the future we may revisit this.
 		"--privileged",
 		"--security-opt", "seccomp=unconfined", // ignore seccomp
-		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
-		"--security-opt", "apparmor=unconfined",
 		"--tmpfs", "/tmp", // various things depend on working /tmp
 		"--tmpfs", "/run", // systemd wants a writable /run
 		// logs,pods be stroed on filesystem vs inside container,
@@ -150,6 +148,8 @@ func CreateContainerNode(p CreateParams) error {
 	}
 	if p.OCIBinary == Docker {
 		runArgs = append(runArgs, "--volume", fmt.Sprintf("%s:/var", p.Name))
+		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
+		runArgs = append(runArgs, "--security-opt", "apparmor=unconfined")
 	}
 
 	runArgs = append(runArgs, fmt.Sprintf("--cpus=%s", p.CPUs))
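Review bot: The comment moved into the Docker branch in the second hunk still only points at an issue link; it does not say why the option is now Docker-only, and it leaves unstated that the node is already started with `--privileged` and `seccomp=unconfined` (visible in the first hunk), so on Docker hosts this line removes the last kernel-level confinement mechanism that could still apply. As far as I recall, Docker already runs `--privileged` containers with the unconfined AppArmor profile unless an explicit `apparmor=` option is given, so the flag may be a no-op on most daemons; if it was nevertheless required for the GitHub Actions failure in kubernetes/minikube#7624, the comment should record that so nobody later "cleans it up" or, conversely, copies it to the podman path without reason. I would replace the moved comment with `// Docker only: explicitly disable AppArmor confinement (the node already runs --privileged and seccomp=unconfined); needed for the docker setup on GitHub Actions runners, see kubernetes/minikube#7624` and fix the `apparmore` typo while the line is being touched. If a podman-side failure is the reason for restricting this to Docker, state it in the comment rather than leaving it implicit. CreateContainerNode begins and ends outside both hunks.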