[v1.34] Setting kubernetes-version: {1.27.13, 1.28.9, 1.29.4} and --cni cilium fails: spec.template.spec.securityContext.appArmorProfile

[msune]

What Happened?

Hey team,

I am unable to launch minikube with --cni cilium and K8s versions {1.27.13, 1.28.9, 1.29.4} in v1.34. It works correctly when not fixing kubernetes_version.

Same command works fine in v1.33.1 (see below), so likely a regression.

Thanks
marc

Attach the log file

(Fresh install: rm -rf ~/.minikube)

v1.34.0

Logs: logs.txt
Output: output.log

v1.33.1

$ minikube start --cni cilium --cpus max --kubernetes-version v1.28.9 --memory 12G --wait all
😄  minikube v1.33.1 on Debian 12.6
✨  Automatically selected the docker driver
📌  Using Docker driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.44 ...
🎉  minikube 1.34.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.34.0
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

💾  Downloading Kubernetes v1.28.9 preload ...
    > preloaded-images-k8s-v18-v1...:  345.39 MiB / 345.39 MiB  100.00% 34.62 M
🔥  Creating docker container (CPUs=8, Memory=12288MB) ...
🐳  Preparing Kubernetes v1.28.9 on Docker 26.1.1 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring Cilium (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass

❗  /usr/local/bin/kubectl is version 1.31.0, which may have incompatibilities with Kubernetes 1.28.9.
    ▪ Want kubectl v1.28.9? Try 'minikube kubectl -- get pods -A'
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Operating System

Other

Driver

Docker

[spowelljr]

Hi @msune, thanks for the issue, the problem seems to be that the appArmorProfile field was added to SecurityContext v1 in Kubernetes v1.30, therefore older Kubernetes versions are failing to start on it.

I can see the field getting added when we updated Cilium to v1.16.0: #19337

Deleting the appArmorProfile fields resolves the issue on Kubernetes v1.27 and above, it seems we should make a template out of the YAML and if the Kubernetes version is less than Kubernetes v1.30 we remove appArmorProfile.