Classic Confinement Request for upgrade-cdk

canonikamal · April 22, 2026, 8:56am

Request for classic confinement for snap “upgrade-cdk”

name: upgrade-cdk
description: upgrade-cdk automates the CDK (Charmed Distribution of Kubernetes) upgrade workflow using the Jubilant library.
snapcraft: https://github.com/canonical/upgrade-cdk/blob/main/snap/snapcraft.yaml
upstream: https://github.com/canonical/upgrade-cdk (Private to Canonical)
upstream-relation: I am the upstream author and maintainer
supported-category: Juju helpers
reasoning: Why classic is needed: upgrade-cdk requires unrestricted filesystem access to below paths:
- Juju credentials at ~/.local/share/juju (written by the juju snap)
- Kubernetes config at ~/.kube/config or $KUBECONFIG
- SSH keys used for “juju scp” opetaions
- The juju snap binary
These paths are outside the snap’s home directory and cannot be accessed under strict confinement.

X I understand that strict confinement is generally preferred over classic.

X I’ve tried the existing interfaces to make the snap to work under strict confinement.

store-requests-bot · April 22, 2026, 9:00am

This request has been added to the queue for review by the @reviewers team.

ogra · April 22, 2026, 1:07pm

Should that not rather be the “Juju helpers” category ?

canonikamal · April 23, 2026, 5:02am

Was not very clear what juju helpers mean here so chose that option. If I now look at it from your perspective I would agree. Updated the category in the description. Thanks

jslarraz · April 30, 2026, 3:08pm

Hey @canonikamal

Given the reasoning provided, I think there are alternatives to make it work under strict confinement.

Juju credentials at ~/.local/share/juju (written by the juju snap)

Kubernetes config at ~/.kube/config or $KUBECONFIG

personal-files can be used for this

SSH keys used for “juju scp” opetaions

ssh-keys interface can be used here

The juju snap binary

The juju-bin content slot exposed by the juju snap can be used for this