Apparmor denial in version 1.28 running nginx

[sergiocazzolato]

We run this smoke microk8s test https://github.com/snapcore/snapd/blob/master/tests/main/microk8s-smoke/task.yaml as part out the snapd validation. When using the version 1.28 we see an apparmon denial which is not expected (not happening in version 1.25)

Reproduction Steps

snap install --channel=1.28-strict/edge microk8s
microk8s status --wait-ready
microk8s kubectl run nginx --image=nginx
microk8s kubectl expose pod/nginx --name nginx-np --type NodePort --target-port 80 --port 80
microk8s kubectl patch svc nginx-np --patch '{"spec":{"ports":rage:{"port":80,"nodePort":31313}]}}'
dmesg | grep DENIED

Then I see this apparmor denial
[ 185.043591] audit: type=1400 audit(1698061446.955:204): apparmor="DENIED" operation="capable" profile="snap.microk8s.daemon-cluster-agent" pid=7284 comm="sed" capability=4 capname="fsetid"

[bschimke95]

Hi Sergio,

Thanks for reporting this. I was able to reproduce this issue locally and will investigate this.
Does this cause any issues for the workload that you are running?

[sergiocazzolato]

Currently we are testing using 1.25 but the idea is to migrate to 1.28, until then the issue is not affecting out tests.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.