Support unconfined apparmor

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
2017-10-03 23:19:32 +08:00 · 2017-10-03 23:19:32 +08:00 · 9f656cdda4
commit 9f656cdda4
parent a7471d79ab
2 changed files with 14 additions and 2 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -784,7 +784,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	if !apparmorEnabled {
 		// Should fail loudly if user try to specify apparmor profile
 		// but we don't support it.
-		if apparmorProf != "" {
+		if apparmorProf != "" && apparmorProf != unconfinedProfile {
 			return nil, fmt.Errorf("apparmor is not supported")
 		}
 		return nil, nil
@ -793,7 +793,8 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	case runtimeDefault:
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
-	// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
+	case unconfinedProfile:
+		return nil, nil
 	case "":
 		// Based on kubernetes#51746, default apparmor profile should be applied
 		// for non-privileged container when apparmor is not specified.
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -805,6 +805,17 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    "",
 			privileged: true,
 		},
+		"should not return error if apparmor is unconfined when apparmor is not supported": {
+			profile: unconfinedProfile,
+			disable: true,
+		},
+		"should not apparmor when apparmor is unconfined": {
+			profile: unconfinedProfile,
+		},
+		"should not apparmor when apparmor is unconfined and privileged is true": {
+			profile:    unconfinedProfile,
+			privileged: true,
+		},
 		"should set default apparmor when apparmor is runtime/default": {
 			profile:  runtimeDefault,
 			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),