Problem with disabling apparmor for a single container

Hello,
I’m trying to deploy a k8s cluster inside LXD. I’m following THIS guide. Everything works fine without apparmor. Unfortunately, apparmor blocks the deployment with conjure-up. Here are my kernel logs:

Dec 18 17:52:56 kubernetes kernel: [416846.378583] audit: type=1400 audit(1608313976.703:5615): apparmor="DENIED" operation="bind" profile="snap.kube-apiserver.kube-apiserver" pid=753885 comm="kube-apiserver" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none
Dec 18 17:52:56 kubernetes kernel: [416846.521961] audit: type=1400 audit(1608313976.847:5616): apparmor="DENIED" operation="bind" profile="snap.kube-apiserver.kube-apiserver" pid=753917 comm="kube-apiserver" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none
Dec 18 17:52:57 kubernetes kernel: [416846.711501] audit: type=1400 audit(1608313977.039:5617): apparmor="DENIED" operation="bind" profile="snap.kube-apiserver.kube-apiserver" pid=753958 comm="kube-apiserver" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none

Here is my lxd container config:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20201211.1)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20201211.1"
  image.type: squashfs
  image.version: "18.04"
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=
  security.nesting: "true"
  security.privileged: "true"
  volatile.base_image: 95c0e536d361eb5ac953ad343e0342c2f615e4aea714ca8a64126a228b809cae
  volatile.eth0.host_name: vethde486604
  volatile.eth0.hwaddr: 00:16:3e:fb:f9:0c
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 17a2cfef-d443-4626-a38a-68dd68de9bb0
devices:
  mem:
    path: /dev/mem
    type: unix-char
ephemeral: false
profiles:
- default

The entry lxc.apparmor.profile=unconfined does not seem to work. The workaround is to completely disable apparmor, but it’s not a good solution for me because I have other containers running on this host. How can I disable apparmor for a single container?
(PS: sorry for my English :sweat:)

lxc.apparmor.profile=unconfined makes your container run without apparmor confinement, that doesn’t however mean that profiles cannot be loaded and used by it nor that existing apparmor profiles on the host cannot apply to it.

That’s why that option is so terrible, it effectively allows the host to mess with apparmor profiles on the host and any host apparmor profile to randomly apply to container processes.

Thx for your answer!
So how can I play with that? Is there any solution to deploy k8s in lxd?

You should stay away from the lxc.apparmor.profile=unconfined and instead use raw.apparmor to allow anything which gets blocked by the stock profile.
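As an added example that is not part of this thread: a small POSIX shell helper that turns the unix-socket DENIED lines from the kernel log above into a narrowly scoped raw.apparmor rule for the container, the approach the reply recommends instead of dropping confinement. The container name `kubernetes` and the embedded sample log line are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD itself.
# Derives an AppArmor rule from a "DENIED" audit line and appends it to the
# container's generated profile via raw.apparmor (least privilege: only the
# operation the denial names, not lxc.apparmor.profile=unconfined).

# Constructed sample line, same shape as the kernel log in the question.
SAMPLE='Dec 18 17:52:56 kubernetes kernel: [416846.378583] audit: type=1400 audit(1608313976.703:5615): apparmor="DENIED" operation="bind" profile="snap.kube-apiserver.kube-apiserver" pid=753885 comm="kube-apiserver" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none'

# field KEY LINE -> value of KEY="value" or KEY=value (keys are space-separated)
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# rule_from_denial LINE -> AppArmor unix rule for the denied access, or exit 1
# Only AF_UNIX denials are handled; anything else is left for manual review.
rule_from_denial() {
    line=$1
    [ "$(field apparmor "$line")" = "DENIED" ] || return 1
    fam=$(field family "$line")
    op=$(field operation "$line")      # bind, connect, listen, ...
    stype=$(field sock_type "$line")   # dgram, stream, ...
    case $fam in
        unix) printf 'unix (%s) type=%s,\n' "$op" "$stype" ;;
        *) return 1 ;;
    esac
}

# rules_from_log: read audit lines on stdin, emit each distinct rule once
rules_from_log() {
    while IFS= read -r l; do
        rule_from_denial "$l" || :
    done | sort -u
}

# apply_rule CONTAINER RULE: set raw.apparmor; prints the command if lxc is absent
apply_rule() {
    ctr=$1; rule=$2
    if command -v lxc >/dev/null 2>&1; then
        lxc config set "$ctr" raw.apparmor "$rule"
    else
        printf 'lxc config set %s raw.apparmor "%s"\n' "$ctr" "$rule"
    fi
}

# Usage: pipe the real log through rules_from_log, then apply the result.
# printf '%s\n' "$SAMPLE" | rules_from_log        # -> unix (bind) type=dgram,
```

Re-check `dmesg` after applying: if new DENIED lines appear for a different operation or socket type, extend the rule set from those lines rather than broadening it by hand.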