Keep providing the deprecated AppArmor CRI API for runtimes that haven't migrated

2024-03-07 15:00:07 -08:00
parent cc6d9b3037
commit 04ac13b6b7
3 changed files with 32 additions and 17 deletions
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -288,34 +288,44 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
 	}, nil
 }

-func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, error) {
+func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, string, error) {
 	profile := apparmor.GetProfile(pod, container)
 	if profile == nil {
-		return nil, nil
+		return nil, "", nil
 	}

+	var (
+		securityProfile   *runtimeapi.SecurityProfile
+		deprecatedProfile string // Deprecated apparmor profile format, still provided for backwards compatibility with older runtimes.
+	)
+
 	switch profile.Type {
 	case v1.AppArmorProfileTypeRuntimeDefault:
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileRuntimeDefault

 	case v1.AppArmorProfileTypeUnconfined:
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_Unconfined,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNameUnconfined

 	case v1.AppArmorProfileTypeLocalhost:
 		if profile.LocalhostProfile == nil {
-			return nil, errors.New("missing localhost apparmor profile name")
+			return nil, "", errors.New("missing localhost apparmor profile name")
 		}
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType:  runtimeapi.SecurityProfile_Localhost,
 			LocalhostRef: *profile.LocalhostProfile,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile

 	default:
 		// Shouldn't happen.
-		return nil, fmt.Errorf("unknown apparmor profile type: %q", profile.Type)
+		return nil, "", fmt.Errorf("unknown apparmor profile type: %q", profile.Type)
 	}
+
+	return securityProfile, deprecatedProfile, nil
 }
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@@ -370,6 +370,7 @@ func TestGetAppArmorProfile(t *testing.T) {
 		name               string
 		podProfile         *v1.AppArmorProfile
 		expectedProfile    *runtimeapi.SecurityProfile
+		expectedOldProfile string
 		expectError        bool
 	}{{
 		name:            "no appArmor",
@@ -380,12 +381,14 @@ func TestGetAppArmorProfile(t *testing.T) {
 		expectedProfile: &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
 		},
+		expectedOldProfile: "runtime/default",
 	}, {
 		name:       "unconfined",
 		podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined},
 		expectedProfile: &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_Unconfined,
 		},
+		expectedOldProfile: "unconfined",
 	}, {
 		name: "localhost",
 		podProfile: &v1.AppArmorProfile{
@@ -396,6 +399,7 @@ func TestGetAppArmorProfile(t *testing.T) {
 			ProfileType:  runtimeapi.SecurityProfile_Localhost,
 			LocalhostRef: "test",
 		},
+		expectedOldProfile: "localhost/test",
 	}, {
 		name: "invalid localhost",
 		podProfile: &v1.AppArmorProfile{
@@ -424,7 +428,7 @@ func TestGetAppArmorProfile(t *testing.T) {
 				},
 			}

-			actual, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0])
+			actual, actualOld, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0])

 			if test.expectError {
 				assert.Error(t, err)
@@ -432,7 +436,8 @@ func TestGetAppArmorProfile(t *testing.T) {
 				assert.NoError(t, err)
 			}

-			assert.Equal(t, test.expectedProfile, actual)
+			assert.Equal(t, test.expectedProfile, actual, "AppArmor profile")
+			assert.Equal(t, test.expectedOldProfile, actualOld, "old (deprecated) profile string")
 		})
 	}
 }
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -41,7 +41,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	}

 	// set ApparmorProfile.
-	synthesized.Apparmor, err = getAppArmorProfile(pod, container)
+	synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
 	if err != nil {
 		return nil, err
 	}