fix(apparmor): allow sockets in cri-containerd profile #5457

Workflow file for this run

.github/workflows/build-snap.yml at cf9c38b

	name: Build and test MicroK8s snap

	on:
	pull_request:
	branches:
	- master

	jobs:
	build:
	name: Create snap package
	runs-on: ubuntu-latest

	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Install lxd
	run: \|
	sudo lxd init --auto
	sudo usermod --append --groups lxd $USER
	# `newgrp` does not work in GitHub Actions; use `sudo --user` instead
	# See https://github.com/actions/runner-images/issues/9932#issuecomment-2573170305
	sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- lxc version
	# Docker sets iptables rules that interfere with LXD or K8s.
	# https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
	- name: Apply Docker iptables workaround
	shell: bash
	run: sudo iptables -I DOCKER-USER -j ACCEPT
	- name: Install snapcraft
	run: \|
	sudo snap install snapcraft --classic
	- name: Install snapd from candidate
	run: \|
	# TODO(neoaggelos): revert this after latest/beta is working again
	sudo snap refresh snapd --channel=latest/stable
	- name: Build snap
	run: \|
	sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- snapcraft --use-lxd
	sudo mv microk8s*.snap microk8s.snap
	- name: Uploading snap
	uses: actions/upload-artifact@v4
	with:
	name: microk8s.snap
	path: microk8s.snap

	test-upgrade:
	name: Upgrade path test
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 30
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Running upgrade path test
	run: \|
	sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py

	test-addons-core:
	name: Test core addons
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 60
	env:
	# Avoid truncated "ps" output
	COLUMNS: 2048
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Running addons tests
	env:
	UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
	run: \|
	set -x
	sudo snap install build/microk8s.snap --classic --dangerous
	./tests/smoke-test.sh
	# The GitHub runner is using the 10.1.0.0/16 CIDR, which would conflict with
	# kube-ovn's default POD_CIDR. They have to be different.
	export POD_CIDR="10.200.0.0/16"
	export POD_GATEWAY="10.200.0.1"
	export SKIP_PROMETHEUS="False"
	export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
	sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py"

	test-addons-community:
	name: Test community addons
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 60
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Running addons tests
	env:
	UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
	run: \|
	set -x
	sudo snap install build/microk8s.snap --classic --dangerous
	sudo microk8s enable community
	export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
	sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/"

	test-addons-core-upgrade:
	name: Test core addons upgrade
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 30
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Running upgrade tests
	env:
	UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
	run: \|
	set -x
	export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
	sudo -E bash -c "UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"

	test-cluster-agent:
	name: Cluster agent health check
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 30
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Running cluster agent health check
	run: \|
	set -x
	sudo snap install build/microk8s.snap --classic --dangerous
	sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py"

	test-airgap:
	name: Test airgap installation
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 30
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Prepare test prerequisites
	uses: ./.github/actions/test-prep
	- name: Initialize LXD
	run: \|
	sudo lxd init --auto
	sudo lxc network set lxdbr0 ipv6.address=none
	sudo usermod --append --groups lxd $USER
	# `newgrp` does not work in GitHub Actions; use `sudo --user` instead
	# See https://github.com/actions/runner-images/issues/9932#issuecomment-2573170305
	sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- lxc version
	- name: Run airgap tests
	run: \|
	sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:22.04 --channel $PWD/build/microk8s.snap"

	security-scan:
	name: Security scan
	outputs:
	sarif_files: ${{ steps.get_sarif_files.outputs.sarif-files }}
	runs-on: ubuntu-latest
	needs: build
	timeout-minutes: 30
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Fetch snap
	uses: actions/download-artifact@v4
	with:
	name: microk8s.snap
	path: build
	- name: Create sarifs directory
	run: \|
	mkdir -p sarifs
	- name: Install Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	- name: Run Trivy vulnerability scanner on codebase
	run: \|
	trivy fs . --format sarif --severity CRITICAL > sarifs/trivy-microk8s-repo-scan--results.sarif
	- name: Run Trivy vulnerability scanner on images
	run: \|
	for i in $(cat ./build-scripts/images.txt) ; do
	name=$(echo $i \| awk -F ':\|/' '{print $(NF-1)}')
	trivy image $i --format sarif > sarifs/$name.sarif
	done
	- name: Run Trivy vulnerability scanner on the snap
	run: \|
	cp build/microk8s.snap .
	unsquashfs microk8s.snap
	trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
	- name: Generate list of SARIF files
	id: get_sarif_files
	run: \|
	sarif_files=$(find sarifs -name "*.sarif" -printf "%P\n" \| jq -R -s -c 'split("\n") \| map(select(length > 0))')
	echo "sarif-files=$sarif_files" >> "$GITHUB_OUTPUT"
	- name: Upload SARIF files artifact
	uses: actions/upload-artifact@v4
	with:
	name: sarifs
	path: sarifs
	retention-days: 1

	upload_sarifs_matrix:
	needs: security-scan
	runs-on: ubuntu-latest
	strategy:
	fail-fast: true
	matrix:
	sarif_file_path: ${{ fromJson(needs.security-scan.outputs.sarif_files) }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	- name: Download SARIF files artifact
	uses: actions/download-artifact@v4
	with:
	name: sarifs
	path: sarifs
	- name: Prepare SARIF category
	id: prepare_category
	run: \|
	sarif_file="${{ matrix.sarif_file_path }}"
	base_name=$(basename "$sarif_file" .sarif)
	echo "category=$base_name" >> "$GITHUB_OUTPUT"
	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: sarifs/${{ matrix.sarif_file_path }}
	category: ${{ steps.prepare_category.outputs.category }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(apparmor): allow sockets in cri-containerd profile #5457

Workflow file

fix(apparmor): allow sockets in cri-containerd profile #5457

Uh oh!

Jobs

Run details

Workflow file for this run