Validate localhost profile max length
@@ -10294,7 +10294,7 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
|
||||
},
|
||||
},
|
||||
Spec: validPodSpec(nil),
|
||||
@@ -10304,7 +10304,7 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
|
||||
},
|
||||
},
|
||||
Spec: core.PodSpec{
|
||||
@@ -10319,7 +10319,7 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileNamePrefix + "foo",
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo",
|
||||
},
|
||||
},
|
||||
Spec: validPodSpec(nil),
|
||||
@@ -11983,9 +11983,9 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "fake-ctr": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "fake-ctr": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
|
||||
},
|
||||
},
|
||||
Spec: core.PodSpec{
|
||||
@@ -12003,7 +12003,7 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": "bad-name",
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "ctr": "bad-name",
|
||||
},
|
||||
},
|
||||
Spec: validPodSpec(nil),
|
||||
@@ -12016,7 +12016,7 @@ func TestValidatePod(t *testing.T) {
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
Annotations: map[string]string{
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": "runtime/foo",
|
||||
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "ctr": "runtime/foo",
|
||||
},
|
||||
},
|
||||
Spec: validPodSpec(nil),
|
||||
@@ -12159,6 +12159,26 @@ func TestValidatePod(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
"too long AppArmor localhost profile": {
|
||||
expectedError: "Too long: may not be longer than 4095",
|
||||
spec: core.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "123",
|
||||
Namespace: "ns",
|
||||
},
|
||||
Spec: core.PodSpec{
|
||||
Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
|
||||
RestartPolicy: core.RestartPolicyAlways,
|
||||
DNSPolicy: core.DNSDefault,
|
||||
SecurityContext: &core.PodSecurityContext{
|
||||
AppArmorProfile: &core.AppArmorProfile{
|
||||
Type: core.AppArmorProfileTypeLocalhost,
|
||||
LocalhostProfile: ptr.To(strings.Repeat("a", 4096)),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"mismatched AppArmor field and annotation types": {
|
||||
expectedError: "Forbidden: apparmor type in annotation and field must match",
|
||||
spec: core.Pod{
|
||||
@@ -25186,11 +25206,11 @@ func TestValidateAppArmorProfileFormat(t *testing.T) {
|
||||
expectValid bool
|
||||
}{
|
||||
{"", true},
|
||||
{v1.AppArmorBetaProfileRuntimeDefault, true},
|
||||
{v1.AppArmorBetaProfileNameUnconfined, true},
|
||||
{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, true},
|
||||
{v1.DeprecatedAppArmorBetaProfileNameUnconfined, true},
|
||||
{"baz", false}, // Missing local prefix.
|
||||
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "foo-bar", true},
|
||||
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-bar", true},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
|
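Review bot: The new "too long AppArmor localhost profile" case checks only the rejecting side of the limit, using `strings.Repeat("a", 4096)`, so a validator that is off by one and also rejects a 4095-character name would still pass. A matching success case with `LocalhostProfile: ptr.To(strings.Repeat("a", 4095))` would pin the boundary; the success table of TestValidatePod lies outside the visible hunks, so one may already exist. The case also sets the profile only on the pod-level `SecurityContext`. If the container-level `SecurityContext.AppArmorProfile` is validated by separate code, it should get the same over-length case, because the length cap on this user-supplied field is only as good as its weakest entry point. TestValidatePod begins and ends outside these hunks.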