Summary
Pods in MicroK8s strict confinement on GitHub runners cannot create sockets. This prevents coredns, calico, metallb, and any other pod that needs network access from functioning.
Previously, Concierge supported setting up a MicroK8s cluster with essentially these commands:

```shell
snap install microk8s --channel 1.31-strict/stable
snap install kubectl --channel stable --classic
microk8s status --wait-ready --timeout 270
microk8s enable hostpath-storage
microk8s enable dns
microk8s enable metallb:10.64.140.43-10.64.140.49
...
```
At the metallb enable line, it now times out. This worked until 2-3 weeks ago.
It seems like what's happening is some sort of AppArmor issue (from a kernel update on the GitHub runners?) that's preventing the confined snaps from being able to open sockets.
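One way to confirm that hypothesis on a runner is to look for AppArmor socket-creation denials attributed to the snap's confinement profiles. The script below is an added diagnostic, not part of this report or of MicroK8s; the log lines are constructed to follow the standard AppArmor audit format, and the `snap.microk8s.daemon-*` profile names are assumed.

```shell
#!/usr/bin/env bash
# Summarise AppArmor "create" denials on sockets for snap.microk8s.* profiles.
# SAMPLE_LOG is constructed for illustration, not captured from a GitHub runner.
SAMPLE_LOG='
audit: type=1400 audit(1700000000.000:100): apparmor="DENIED" operation="create" class="net" profile="snap.microk8s.daemon-kubelite" pid=1234 comm="kubelite" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="create" class="net" profile="snap.microk8s.daemon-containerd" pid=1300 comm="containerd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="snap.microk8s.daemon-kubelite" name="/var/snap/microk8s/common/x" pid=1234
audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="create" class="net" profile="snap.microk8s.daemon-kubelite" pid=1234 comm="kubelite" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
'

# socket_denials <log-text>: one line per distinct (profile, family, sock_type)
# that was denied socket creation, with the number of occurrences last.
socket_denials() {
    printf '%s\n' "$1" \
    | grep 'apparmor="DENIED"' \
    | grep 'operation="create"' \
    | grep -o 'profile="snap\.microk8s\.[^"]*".*family="[^"]*".*sock_type="[^"]*"' \
    | sed -E 's/profile="([^"]*)".*family="([^"]*)".*sock_type="([^"]*)"/\1 \2 \3/' \
    | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# denial_count <log-text>: total number of matching denials (0 when none).
denial_count() {
    socket_denials "$1" | awk '{s+=$4} END {print s+0}'
}

# live_log: read the kernel audit ring on a runner (dmesg usually needs sudo there).
live_log() { sudo dmesg 2>/dev/null || sudo journalctl -k --no-pager; }

if [ "${1:-}" = "--live" ]; then
    socket_denials "$(live_log)"
else
    socket_denials "$SAMPLE_LOG"
fi
```

Run it with `--live` on the runner after the `metallb` enable step times out; any output means the confinement profile, not metallb itself, is blocking the sockets, and a zero count points the investigation elsewhere.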
What Should Happen Instead?
metallb and other networking functionality works.
Reproduction Steps
There's a [minimal reproducer in this GitHub action](https://github.com/tonyandrewmeyer/concierge/actions/runs/22128088011/job/63962307587?pr=8) (the other failing action is also an example, but does more of what Concierge normally does, with a lot of extra debugging info; there are also all the failures in canonical/concierge for the provider-microk8s spread test, which are reproducers with the normal Concierge behaviour).
Introspection Report
Can you suggest a fix?
Are you interested in contributing with a fix?
I would, but I would need guidance as to what that fix should be.