Remove check for apparmor_parser in AppArmor host validation

The `apparmor_parser` binary is not really required for a system to run
AppArmor from a Kubernetes perspective. Applying the profile is more the
responsibility of lower-level runtimes like CRI-O and containerd,
which may do the binary check on their own.

This synchronizes the current libcontainer implementation with the
vendored Kubernetes source code and allows distributions to use
AppArmor, even when they do not have the parser available in
`/sbin/apparmor_parser`.

Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
Sascha Grunert 2021-01-12 14:36:17 +01:00 committed by Sascha Grunert
parent 5404b5a28a
commit 0d22571519
GPG Key ID: 09D97D153EF94D93
2 changed files with 5 additions and 19 deletions


@ -20,11 +20,11 @@ import (
"bufio"
"errors"
"fmt"
"io/ioutil"
"os"
"path"
"strings"
"github.com/opencontainers/runc/libcontainer/apparmor"
v1 "k8s.io/api/core/v1"
utilfeature "k8s.io/apiserver/pkg/util/feature"
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
@ -107,7 +107,7 @@ func validateHost(runtime string) error {
}
// Check kernel support.
if !IsAppArmorEnabled() {
if !apparmor.IsEnabled() {
return errors.New("AppArmor is not enabled on the host")
}
@ -212,17 +212,3 @@ func getAppArmorFS() (string, error) {
return "", errors.New("securityfs not found")
}
// IsAppArmorEnabled returns true if apparmor is enabled for the host.
// This function is forked from
// https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go
// to avoid the libapparmor dependency.
func IsAppArmorEnabled() bool {
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
}
return false
}
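Review bot: The new `if !apparmor.IsEnabled()` check in validateHost delegates kernel-support detection to the vendored libcontainer package, while the removed local IsAppArmorEnabled also refused when the `container` environment variable was set and when `/sbin/apparmor_parser` was missing; whether the replacement keeps the first of those conditions depends on the vendored runc revision, which this page does not show, so it is worth confirming. Since kubelet-side validation no longer establishes that a profile can be loaded, a pod requesting a profile that is not present in the kernel will presumably only fail later, at container creation in the runtime, and the comment above the check should make that explicit: `// Check kernel support only; whether a requested profile is actually loaded is the container runtime's responsibility, not the kubelet's.` validateHost starts and ends outside the hunk.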


@ -27,7 +27,8 @@ import (
"strconv"
"strings"
"k8s.io/api/core/v1"
"github.com/opencontainers/runc/libcontainer/apparmor"
v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
@ -37,7 +38,6 @@ import (
"k8s.io/client-go/tools/cache"
watchtools "k8s.io/client-go/tools/watch"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@ -246,5 +246,5 @@ func isAppArmorEnabled() bool {
if strings.Contains(framework.TestContext.NodeName, "-ubuntu-") {
return true
}
return apparmor.IsAppArmorEnabled()
return apparmor.IsEnabled()
}
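Review bot: `return apparmor.IsEnabled()` in isAppArmorEnabled presumably inspects AppArmor state on the machine running the e2e binary rather than on the node under test, so only the `-ubuntu-` node-name branch above it actually reasons about the target node; this was already true of the removed IsAppArmorEnabled call, but switching to an external package makes the limitation easier to miss. A one-line comment on the new return would help: `// Fallback probes the local test host, not the target node.` isAppArmorEnabled starts outside the hunk.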