
Deprecated AppArmor annotation field not yet removed #132952

@esticansat

Description

What happened?

Starting with Kubernetes v1.30, the location for specifying AppArmor profiles changed. Prior to v1.30, it was located in an annotation, but after the upgrade, AppArmor profiles are now specified within the securityContext fields of the manifest, as the annotation field for AppArmor is now deprecated.

As part of another thing I'm working on, I went to check the PSS baseline policy docs, as they collect the syntax of all the places where the AppArmor profile may appear within a given manifest. They currently point out that the AppArmor profile in the annotation is still a restricted field:

This felt odd, as the annotation is deprecated, but when I went to check this on a Kubernetes 1.33 cluster, the annotation is still restricted by the PSS baseline with an error similar to the below:

Error from server (Forbidden): error when creating "test-apparmor-pod.yaml": pods "apparmor-unconfined-pod" is forbidden: violates PodSecurity "baseline:v1.33": forbidden AppArmor profiles (container "nginx" and annotation must not set AppArmor profile type to "Unconfined", "container.apparmor.security.beta.kubernetes.io/nginx="unconfined"")

The next step was to review the Kubernetes deprecation policy. The second bullet point of "Rule #4a: API lifetime is determined by the API stability level" reads as follows:

Beta API versions are deprecated no more than 9 months or 3 minor releases after introduction (whichever is longer), and are no longer served 9 months or 3 minor releases after deprecation (whichever is longer)

And I understand that the annotation is within the scope of the deprecation policy as per the initial section of the same document, which reads like the following:

The following rules govern the deprecation of elements of the API. This includes:

  • REST resources (aka API objects)
  • Fields of REST resources
  • Annotations on REST resources, including "beta" annotations but not including "alpha" annotations.
    [...]

Given that the deprecation was introduced in v1.30, I understand it should have been removed in v1.33. I looked for issues within this repository and the website repository but could not find references to this topic.

The fact that the annotation field is still being checked introduces a level of confusion and a potential sense of false security.

What did you expect to happen?

The deprecated AppArmor annotation should be removed, as per the deprecation policy. Consequently, adding the AppArmor profile setting to the manifest in the annotation field should be ignored altogether, since that functionality will not be there once the removal has finished. The accompanying documentation on the PSS page should also be updated to reflect this. In the meantime, if there is some sort of tracking page, it would also be helpful to add it to the documentation, so as to avoid more people getting confused by this.

How can we reproduce it (as minimally and precisely as possible)?

Use kind to deploy a local cluster on v1.33:

cat > kind-config.yaml <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.33.1
- role: worker
  image: kindest/node:v1.33.1
- role: worker
  image: kindest/node:v1.33.1
EOF

kind create cluster --name pss-cluster --config kind-config.yaml

Deploy a test namespace with PSS baseline and a Pod with the AppArmor annotation:

cat > test-apparmor-pod.yaml <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: pss-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.33
---
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-unconfined-pod
  namespace: pss-namespace
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
spec:
  containers:
    - name: nginx
      image: nginx:latest
EOF

And the PSS policy is clearly picking it up:

$ k create -f test-apparmor-pod.yaml
namespace/pss-namespace created
Warning: metadata.annotations[container.apparmor.security.beta.kubernetes.io/nginx]: deprecated since v1.30; use the "appArmorProfile" field instead
Error from server (Forbidden): error when creating "test-apparmor-pod.yaml": pods "apparmor-unconfined-pod" is forbidden: violates PodSecurity "baseline:v1.33": forbidden AppArmor profiles (container "nginx" and annotation must not set AppArmor profile type to "Unconfined", "container.apparmor.security.beta.kubernetes.io/nginx="unconfined"")

Anything else we need to know?

For the reproduction instructions I chose kind, but I could also replicate this on a v1.33.2 Kubernetes cluster deployed using kubeadm.

Kubernetes version

$ kubectl version
Client Version: v1.33.2
Kustomize Version: v5.6.0
Server Version: v1.33.1

Cloud provider

N/A

OS version

No response

Install tools

No response

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)
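The baseline check described in this issue evaluates AppArmor settings in two places: the deprecated `container.apparmor.security.beta.kubernetes.io/<container>` annotation and `securityContext.appArmorProfile` (pod- or container-level). The following audit helper, an added example that is not part of the issue or of the Kubernetes code base, reproduces that logic over already-parsed manifests (plain dicts, so no YAML library is assumed) and additionally flags any use of the deprecated annotation so that manifests can be migrated before the annotation stops being honoured.

```python
"""Audit parsed Pod manifests for AppArmor settings (example code, not from
the issue or Kubernetes). Mirrors the PSS baseline rule quoted in the issue:
neither the deprecated annotation nor securityContext.appArmorProfile may
request an unconfined profile. Manifests are assumed to be parsed dicts."""

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def apparmor_findings(pod: dict) -> list:
    """Return (location, container, value, message) tuples for one Pod."""
    findings = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])

    # 1. Deprecated annotation: still evaluated by baseline on v1.33 (per the issue).
    for key, value in meta.get("annotations", {}).items():
        if key.startswith(ANNOTATION_PREFIX):
            name = key[len(ANNOTATION_PREFIX):]
            findings.append(("annotation", name, value,
                             "deprecated since v1.30; use appArmorProfile"))
            if value == "unconfined":
                findings.append(("annotation", name, value,
                                 "baseline: Unconfined forbidden"))

    # 2. Replacement field: container-level overrides the pod-level default.
    pod_profile = spec.get("securityContext", {}).get("appArmorProfile")
    for c in containers:
        profile = c.get("securityContext", {}).get("appArmorProfile", pod_profile)
        if profile and profile.get("type") == "Unconfined":
            findings.append(("securityContext", c["name"], "Unconfined",
                             "baseline: Unconfined forbidden"))
    return findings


def baseline_allows(pod: dict) -> bool:
    """True when no finding would make the PSS baseline reject the Pod."""
    return not any(f[3].startswith("baseline:") for f in apparmor_findings(pod))


# Constructed sample: the Pod from the reproduction, as the API server parses it.
ANNOTATED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "apparmor-unconfined-pod",
                 "annotations": {ANNOTATION_PREFIX + "nginx": "unconfined"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}
# Constructed sample: the same request expressed through the replacement field.
FIELD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "apparmor-field-pod"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest",
             "securityContext": {"appArmorProfile": {"type": "Unconfined"}}}]},
}
```

Both sample Pods are rejected by the baseline logic, which matches the error in the issue; the annotated one additionally carries a deprecation finding that a migration check can act on.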
