diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 89f3ef3fc..25c1e53b5 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -786,7 +786,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
if !apparmorEnabled {
// Should fail loudly if user try to specify apparmor profile
// but we don't support it.
- if apparmorProf != "" {
+ if apparmorProf != "" && apparmorProf != unconfinedProfile {
return nil, fmt.Errorf("apparmor is not supported")
}
return nil, nil
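Review bot: The comment above the changed condition still says that any user-specified profile fails loudly, but the new check lets `unconfined` through when AppArmor is disabled. It should say why the exception exists, for example `// "unconfined" is allowed: it requests no confinement, which is all a host without AppArmor can offer.` The error on the following line would also be easier to triage if it named the rejected value, e.g. `fmt.Errorf("apparmor is not supported, cannot apply profile %q", apparmorProf)`. The body of generateApparmorSpecOpts continues outside this hunk.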
@@ -795,7 +795,8 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
case runtimeDefault:
// TODO (mikebrow): delete created apparmor default profile
return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
- // TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
+ case unconfinedProfile:
+ return nil, nil
case "":
// Based on kubernetes#51746, default apparmor profile should be applied
// for non-privileged container when apparmor is not specified.
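Review bot: The new `case unconfinedProfile` returns `nil, nil` with no comment, so nothing marks it as the branch where a non-privileged container deliberately runs without an AppArmor profile. The return value is identical to the disabled and privileged paths, and it relies on the caller leaving the spec's profile unset when the option is nil, which is not visible in this hunk. I would add `// unconfined: intentionally apply no AppArmor profile; the caller must treat a nil SpecOpts as "leave the profile unset".` Because this relaxes confinement at the request of the CRI client, logging the choice at the call site, where the container identity is presumably available, would let operators audit which workloads opted out. The function starts and ends outside the hunk.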
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index b03235328..04f86d666 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -809,6 +809,17 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
profile: "",
privileged: true,
},
+ "should not return error if apparmor is unconfined when apparmor is not supported": {
+ profile: unconfinedProfile,
+ disable: true,
+ },
+ "should not apparmor when apparmor is unconfined": {
+ profile: unconfinedProfile,
+ },
+ "should not apparmor when apparmor is unconfined and privileged is true": {
+ profile: unconfinedProfile,
+ privileged: true,
+ },
"should set default apparmor when apparmor is runtime/default": {
profile: runtimeDefault,
specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
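Review bot: The two new case names beginning `"should not apparmor when apparmor is unconfined"` are missing a verb; `"should not set apparmor when apparmor is unconfined"` would match the neighbouring `"should set default apparmor ..."` case. All three new cases also state their expectation only through zero values (no `specOpts` set), so they prove the unconfined path only if the test loop asserts that the returned option is nil. That loop is outside this hunk and is worth confirming.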
diff --git a/vendor.conf b/vendor.conf
index d74444125..90119e974 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -64,5 +64,5 @@ k8s.io/apimachinery 4fd33e5925599d66528ef4f1a5c80f4aa2e27c98
k8s.io/apiserver c1e53d745d0fe45bf7d5d44697e6eface25fceca
k8s.io/client-go 82aa063804cf055e16e8911250f888bc216e8b61
k8s.io/kube-openapi abfc5fbe1cf87ee697db107fdfd24c32fe4397a8
-k8s.io/kubernetes v1.8.0
+k8s.io/kubernetes 5e96f7cae900f71389f3fa291aa307169a44a65a
k8s.io/utils 4fe312863be2155a7b68acd2aff1c9221b24e68c
diff --git a/vendor/k8s.io/kubernetes/README.md b/vendor/k8s.io/kubernetes/README.md
index a86767b3c..878400678 100644
--- a/vendor/k8s.io/kubernetes/README.md
+++ b/vendor/k8s.io/kubernetes/README.md
@@ -1,6 +1,6 @@
# Kubernetes
-[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc]
+[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc] [](https://bestpractices.coreinfrastructure.org/projects/569)
diff --git a/vendor/k8s.io/kubernetes/pkg/api/types.go b/vendor/k8s.io/kubernetes/pkg/api/types.go
index 92d45de61..13b82f979 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/types.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/types.go
@@ -2229,7 +2229,7 @@ type Taint struct {
// TimeAdded represents the time at which the taint was added.
// It is only written for NoExecute taints.
// +optional
- TimeAdded metav1.Time
+ TimeAdded *metav1.Time
}
type TaintEffect string
diff --git a/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go b/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
index 938b7316a..4929278ed 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
@@ -5903,7 +5903,15 @@ func (in *TCPSocketAction) DeepCopy() *TCPSocketAction {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Taint) DeepCopyInto(out *Taint) {
*out = *in
- in.TimeAdded.DeepCopyInto(&out.TimeAdded)
+ if in.TimeAdded != nil {
+ in, out := &in.TimeAdded, &out.TimeAdded
+ if *in == nil {
+ *out = nil
+ } else {
+ *out = new(v1.Time)
+ (*in).DeepCopyInto(*out)
+ }
+ }
return
}
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
index 4571e1f42..f260af18c 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
@@ -1397,6 +1397,7 @@ type LinuxContainerSecurityContext struct {
SupplementalGroups []int64 `protobuf:"varint,8,rep,packed,name=supplemental_groups,json=supplementalGroups" json:"supplemental_groups,omitempty"`
// AppArmor profile for the container, candidate values are:
// * runtime/default: equivalent to not specifying a profile.
+ // * unconfined: no profiles are loaded
// * localhost/: profile loaded on the node
// (localhost) by name. The possible profile names are detailed at
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
index 3e9fccd0a..030c96934 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
@@ -523,6 +523,7 @@ message LinuxContainerSecurityContext {
repeated int64 supplemental_groups = 8;
// AppArmor profile for the container, candidate values are:
// * runtime/default: equivalent to not specifying a profile.
+ // * unconfined: no profiles are loaded
// * localhost/: profile loaded on the node
// (localhost) by name. The possible profile names are detailed at
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference