Receiving issue for helm deployment of wiz-kubernetes-integration to ArgoCD

[romelBen]

Using wiz-kubernetes-integration-0.1.136, I am receiving this error in ArgoCD if our Kubernetes is version 1.30:

Failed to compare desired state to live state: failed to calculate diff: error calculating structured merge diff: error building typed value from live resource: .spec.template.spec.containers[name="wiz-sensor"].securityContext.appArmorProfile: field not declared in schema

I was checking to see if I can disable it in the helm charts but I'm not able. This is of course for wiz-sensor. The 2 sections of code would be the following:

daemonset.yaml

charts/wiz-sensor/templates/daemonset.yaml

Lines 28 to 33 in 373fa53

	{{- if semverCompare "<1.31" $kubeVersion }}
	container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined
	{{- if .Values.diskScan.enabled }}
	container.apparmor.security.beta.kubernetes.io/wiz-disk-scanner: unconfined
	{{- end }}
	{{- end }}

charts/wiz-sensor/templates/daemonset.yaml

Lines 107 to 110 in 373fa53

	{{- if semverCompare ">=1.30" $kubeVersion }}
	appArmorProfile:
	type: Unconfined
	{{- end }}

If our nodes do not have appArmor disabled. Would this be considered an issue or is there something on our side where we need to disable appArmor?

[ariknem]

Yea it's a bit tricky there. The feature is in beta in 1.30 but is usually open: https://kubernetes.io/docs/tutorials/security/apparmor/

we have the legacy annotation on the pod to disable apparmor:
container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined

so I think it should be fine.

you see some of the other kubernetes variant explicitly disallow the old annotation even in 1.30.. if you don't see a system health issue for the sensor in the wiz portal it means it's all fine.

[ariknem]

was this resolved?