Description
What happened:
Custom/User AppArmor profile (test-profile) fails to load when applied on running SPO v0.9.0.
The following error is observed in the logs:
I0806 07:02:35.838040 1693064 apparmorprofile.go:109] "Reconciling AppArmorProfile" logger="apparmor-spod" apparmorprofile="test-profile" namespace=""
E0806 07:02:35.839322 1693064 apparmorprofile.go:184] "cannot load profile into node" err="running action: load policy: parsing profile: fork/exec /sbin/apparmor_parser: permission denied"
What you expected to happen:
The Custom/User AppArmor profile test-profile.yaml should be successfully parsed and loaded by the operator without any errors.
How to reproduce it (as minimally and precisely as possible):
Ensure AppArmor is enabled on the host.
Deploy SPO v0.9.0 in a Kubernetes cluster.
Apply the user AppArmorProfile below:
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
  name: test-profile
  namespace: security-profiles-operator
  annotations:
    description: Deny all write access to key directories.
spec:
  abstract:
    filesystem:
      readOnlyPaths:
      - /etc/
      - /bin/
      - /lib/
      - /usr/
Anything else we need to know?:
Default profiles are getting parsed and loaded in the node.
Environment:
Cloud provider or hardware configuration: VM
OS (e.g: cat /etc/os-release): Debian
Kernel (e.g. uname -a): 6.12.0-1-amd64
SPO version: v0.9.0
Kubernetes version: v1.30.x
AppArmor status: enabled (aa-status confirms profiles loaded)
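
A triage sketch for the `fork/exec /sbin/apparmor_parser: permission denied` error above, added here as an example; it is not part of the original report and not SPO code. It checks three common reasons `execve()` returns EACCES (noexec mount, missing execute bit, LSM confinement of the caller); the report does not say which, if any, applies. The function names and the `MOUNTS_FILE` / `ATTR_FILE` overrides are hypothetical.

```shell
#!/bin/sh
# Added triage example (not SPO code). Function names and the MOUNTS_FILE /
# ATTR_FILE overrides are hypothetical; they exist so the checks can be fed
# constructed input.

# Print the mount options of the filesystem holding path $1
# (longest mount-point prefix wins; later entries shadow earlier ones).
mount_opts_for() {
  awk -v p="$1" '
    { mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (length(mp) >= best) { best = length(mp); opts = $4 } }
    END { print opts }' "${MOUNTS_FILE:-/proc/self/mounts}"
}

# Echo: missing | noexec-mount | no-exec-bit | confined:<label> | no-obvious-cause
diagnose_exec_denied() {
  dx_bin=$1 dx_label=""
  [ -e "$dx_bin" ] || { echo "missing"; return 0; }
  dx_real=$(readlink -f "$dx_bin")
  # 1. A noexec mount makes execve() fail with EACCES whatever the file mode is.
  case ",$(mount_opts_for "$dx_real")," in
    *,noexec,*) echo "noexec-mount"; return 0 ;;
  esac
  # 2. No execute bit set for anyone (mode read as octal, symlinks followed).
  if [ $(( 0$(stat -L -c %a "$dx_bin") & 0111 )) -eq 0 ]; then
    echo "no-exec-bit"; return 0
  fi
  # 3. LSM label of this shell; anything but "unconfined" means a profile
  #    (for example the container's AppArmor profile) may be denying the exec.
  { IFS= read -r dx_label < "${ATTR_FILE:-/proc/self/attr/current}"; } 2>/dev/null || :
  case "$dx_label" in
    ""|unconfined) echo "no-obvious-cause" ;;
    *) echo "confined:$dx_label" ;;
  esac
}
```

Source the file in a shell inside the container that logs the error and call `diagnose_exec_denied /sbin/apparmor_parser`; the result reflects that shell's own mount namespace and confinement.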