Merge pull request #322 from miaoyq/fix-314

Update kubernetes version to the PR#52395 and support `unconfined` apparmor
2017-10-04 10:49:56 -07:00 · 2017-10-04 10:49:56 -07:00 · 23b8330b44
commit 23b8330b44
parent cfa7acf1f6 9f656cdda4
8 changed files with 28 additions and 6 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -786,7 +786,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	if !apparmorEnabled {
 		// Should fail loudly if user try to specify apparmor profile
 		// but we don't support it.
-		if apparmorProf != "" {
+		if apparmorProf != "" && apparmorProf != unconfinedProfile {
 			return nil, fmt.Errorf("apparmor is not supported")
 		}
 		return nil, nil
@ -795,7 +795,8 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	case runtimeDefault:
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
-	// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
+	case unconfinedProfile:
+		return nil, nil
 	case "":
 		// Based on kubernetes#51746, default apparmor profile should be applied
 		// for non-privileged container when apparmor is not specified.
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -809,6 +809,17 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    "",
 			privileged: true,
 		},
+		"should not return error if apparmor is unconfined when apparmor is not supported": {
+			profile: unconfinedProfile,
+			disable: true,
+		},
+		"should not apparmor when apparmor is unconfined": {
+			profile: unconfinedProfile,
+		},
+		"should not apparmor when apparmor is unconfined and privileged is true": {
+			profile:    unconfinedProfile,
+			privileged: true,
+		},
 		"should set default apparmor when apparmor is runtime/default": {
 			profile:  runtimeDefault,
 			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
--- a/vendor.conf
+++ b/vendor.conf
@ -64,5 +64,5 @@ k8s.io/apimachinery 4fd33e5925599d66528ef4f1a5c80f4aa2e27c98
 k8s.io/apiserver c1e53d745d0fe45bf7d5d44697e6eface25fceca
 k8s.io/client-go 82aa063804cf055e16e8911250f888bc216e8b61
 k8s.io/kube-openapi abfc5fbe1cf87ee697db107fdfd24c32fe4397a8
-k8s.io/kubernetes v1.8.0
+k8s.io/kubernetes 5e96f7cae900f71389f3fa291aa307169a44a65a
 k8s.io/utils 4fe312863be2155a7b68acd2aff1c9221b24e68c
--- a/vendor/k8s.io/kubernetes/README.md
+++ b/vendor/k8s.io/kubernetes/README.md
@ -1,6 +1,6 @@
 # Kubernetes

-[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc]
+[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc] [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/569/badge)](https://bestpractices.coreinfrastructure.org/projects/569)

 <img src="https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png" width="100">

--- a/vendor/k8s.io/kubernetes/pkg/api/types.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/types.go
@ -2229,7 +2229,7 @@ type Taint struct {
 	// TimeAdded represents the time at which the taint was added.
 	// It is only written for NoExecute taints.
 	// +optional
-	TimeAdded metav1.Time
+	TimeAdded *metav1.Time
 }

 type TaintEffect string
--- a/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
@ -5903,7 +5903,15 @@ func (in *TCPSocketAction) DeepCopy() *TCPSocketAction {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Taint) DeepCopyInto(out *Taint) {
 	*out = *in
-	in.TimeAdded.DeepCopyInto(&out.TimeAdded)
+	if in.TimeAdded != nil {
+		in, out := &in.TimeAdded, &out.TimeAdded
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }

--- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
@ -1397,6 +1397,7 @@ type LinuxContainerSecurityContext struct {
 	SupplementalGroups []int64 `protobuf:"varint,8,rep,packed,name=supplemental_groups,json=supplementalGroups" json:"supplemental_groups,omitempty"`
 	// AppArmor profile for the container, candidate values are:
 	// * runtime/default: equivalent to not specifying a profile.
+	// * unconfined: no profiles are loaded
 	// * localhost/<profile_name>: profile loaded on the node
 	//    (localhost) by name. The possible profile names are detailed at
 	//    http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
@ -523,6 +523,7 @@ message LinuxContainerSecurityContext {
    repeated int64 supplemental_groups = 8;
    // AppArmor profile for the container, candidate values are:
    // * runtime/default: equivalent to not specifying a profile.
+    // * unconfined: no profiles are loaded
    // * localhost/<profile_name>: profile loaded on the node
    //    (localhost) by name. The possible profile names are detailed at
    //    http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference