From 9f656cdda417b0acfc1a39480976f3b2b11ccaf5 Mon Sep 17 00:00:00 2001
From: Yanqiang Miao
Date: Tue, 3 Oct 2017 23:19:32 +0800
Subject: [PATCH] Support `unconfined` apparmor

Signed-off-by: Yanqiang Miao
---
 pkg/server/container_create.go | 5 +++--
 pkg/server/container_create_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 5c7749bbe..0208cd625 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -784,7 +784,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	if !apparmorEnabled {
 		// Should fail loudly if user try to specify apparmor profile
 		// but we don't support it.
-		if apparmorProf != "" {
+		if apparmorProf != "" && apparmorProf != unconfinedProfile {
 			return nil, fmt.Errorf("apparmor is not supported")
 		}
 		return nil, nil
@@ -793,7 +793,8 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	case runtimeDefault:
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
-	// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
+	case unconfinedProfile:
+		return nil, nil
 	case "":
 		// Based on kubernetes#51746, default apparmor profile should be applied
 		// for non-privileged container when apparmor is not specified.
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index 483b0e1a1..10584a633 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
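Review bot: The exemption added to the `if apparmorProf != ""` guard is no longer explained by the comment above it, which still says that any requested profile must fail loudly when AppArmor is unsupported. A one-line comment keeps the intent visible to the next reader: `// "unconfined" asks for no profile, which is all an AppArmor-less host can provide, so it is accepted here.` Nothing else in this branch changes — an empty profile still yields no spec option on such a host. generateApparmorSpecOpts begins before and continues after this hunk.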
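Review bot: `case unconfinedProfile: return nil, nil` silently drops the default profile that the `""` case below applies to non-privileged containers, and nothing in the function records that this is a deliberate weakening of isolation rather than an oversight. It also returns no spec option instead of explicitly naming an unconfined profile, so whether the container ends up with no AppArmor profile at all or inherits whatever the runtime shim runs under is decided downstream; I cannot tell from this hunk which it is, and a comment should state the expected outcome. Suggested comment above the case: `// "unconfined" deliberately skips the default profile that the "" case applies to non-privileged containers; authorizing that request is the caller's responsibility.` The enclosing switch and function extend beyond this hunk.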
@@ -805,6 +805,17 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile: "",
 			privileged: true,
 		},
+		"should not return error if apparmor is unconfined when apparmor is not supported": {
+			profile: unconfinedProfile,
+			disable: true,
+		},
+		"should not apparmor when apparmor is unconfined": {
+			profile: unconfinedProfile,
+		},
+		"should not apparmor when apparmor is unconfined and privileged is true": {
+			profile: unconfinedProfile,
+			privileged: true,
+		},
 		"should set default apparmor when apparmor is runtime/default": {
 			profile: runtimeDefault,
 			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
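Review bot: The two new case names `should not apparmor when apparmor is unconfined` and its privileged variant read as if a verb is missing; `should not set apparmor profile when profile is unconfined` says what is actually checked. The new cases leave `specOpts` unset, so they only prove the unconfined path yields no spec option if the table harness compares a nil expectation against the result — if it skips the comparison when `specOpts` is absent, the two enabled-AppArmor cases assert nothing beyond the absence of an error, which is worth confirming because the harness lies outside this hunk. TestGenerateApparmorSpecOpts's table begins before and its loop body runs after this hunk.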