Rename AppArmor annotation constants with Deprecated

pkg/api/pod/util.go

@@ -541,7 +541,7 @@ func dropDisabledFields(
 
 	if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorInUse(oldPodAnnotations, oldPodSpec) {
 		for k := range podAnnotations {
-			if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
+			if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
 				delete(podAnnotations, k)
 			}
 		}
@@ -954,7 +954,7 @@ func appArmorInUse(podAnnotations map[string]string, podSpec *api.PodSpec) bool
 	}
 
 	for k := range podAnnotations {
-		if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
+		if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
 			return true
 		}
 	}

pkg/api/pod/util_test.go

@@ -714,7 +714,7 @@ func TestDropAppArmor(t *testing.T) {
 		description: "with AppArmor Annotations",
 		hasAppArmor: true,
 		pod: api.Pod{
-			ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.AppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
+			ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
 			Spec:       api.PodSpec{},
 		},
 	}, {

pkg/apis/core/annotation_key_constants.go

@@ -52,18 +52,18 @@ const (
 	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 	DeprecatedSeccompProfileDockerDefault string = "docker/default"
 
-	// AppArmorContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+	// DeprecatedAppArmorAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
 	// Deprecated: use a pod or container security context `appArmorProfile` field instead.
-	AppArmorContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+	DeprecatedAppArmorAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
 
-	// AppArmorProfileRuntimeDefault is the profile specifying the runtime default.
+	// DeprecatedAppArmorAnnotationValueRuntimeDefault is the profile specifying the runtime default.
-	AppArmorProfileRuntimeDefault = "runtime/default"
+	DeprecatedAppArmorAnnotationValueRuntimeDefault = "runtime/default"
 
-	// AppArmorProfileLocalhostPrefix is the prefix for specifying profiles loaded on the node.
+	// DeprecatedAppArmorAnnotationValueLocalhostPrefix is the prefix for specifying profiles loaded on the node.
-	AppArmorProfileLocalhostPrefix = "localhost/"
+	DeprecatedAppArmorAnnotationValueLocalhostPrefix = "localhost/"
 
-	// AppArmorProfileNameUnconfined is the Unconfined AppArmor profile
+	// DeprecatedAppArmorAnnotationValueUnconfined is the Unconfined AppArmor profile
-	AppArmorProfileNameUnconfined = "unconfined"
+	DeprecatedAppArmorAnnotationValueUnconfined = "unconfined"
 
 	// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
 	// in the Annotations of a Node.

pkg/apis/core/validation/validation.go

@@ -204,7 +204,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
 		if newVal, exists := newAnnotations[k]; exists && newVal == oldVal {
 			continue // No change.
 		}
-		if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+		if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 			allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not remove or update AppArmor annotations"))
 		}
 		if k == core.MirrorPodAnnotationKey {
@@ -216,7 +216,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
 		if _, ok := oldAnnotations[k]; ok {
 			continue // No change.
 		}
-		if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+		if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 			allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not add AppArmor annotations"))
 		}
 		if k == core.MirrorPodAnnotationKey {
@@ -4703,10 +4703,10 @@ func validateAppArmorProfileField(profile *core.AppArmorProfile, fldPath *field.
 func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.PodSpec, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for k, p := range annotations {
-		if !strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+		if !strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 			continue
 		}
-		containerName := strings.TrimPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix)
+		containerName := strings.TrimPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix)
 		if !podSpecHasContainer(spec, containerName) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found"))
 		}
@@ -4720,10 +4720,10 @@ func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.Po
 }
 
 func ValidateAppArmorProfileFormat(profile string) error {
-	if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
+	if profile == "" || profile == v1.DeprecatedAppArmorBetaProfileRuntimeDefault || profile == v1.DeprecatedAppArmorBetaProfileNameUnconfined {
 		return nil
 	}
-	if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
+	if !strings.HasPrefix(profile, v1.DeprecatedAppArmorBetaProfileNamePrefix) {
 		return fmt.Errorf("invalid AppArmor profile name: %q", profile)
 	}
 	return nil
@@ -4752,25 +4752,25 @@ func validateAppArmorAnnotationsAndFieldsMatchOnCreate(objectMeta metav1.ObjectM
 			return true
 		}
 
-		key := core.AppArmorContainerAnnotationKeyPrefix + c.Name
+		key := core.DeprecatedAppArmorAnnotationKeyPrefix + c.Name
 		if annotation, found := objectMeta.Annotations[key]; found {
 			apparmorPath := cFldPath.Child("securityContext").Child("appArmorProfile")
 
 			switch containerProfile.Type {
 			case core.AppArmorProfileTypeUnconfined:
-				if annotation != core.AppArmorProfileNameUnconfined {
+				if annotation != core.DeprecatedAppArmorAnnotationValueUnconfined {
 					allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
 				}
 
 			case core.AppArmorProfileTypeRuntimeDefault:
-				if annotation != core.AppArmorProfileRuntimeDefault {
+				if annotation != core.DeprecatedAppArmorAnnotationValueRuntimeDefault {
 					allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
 				}
 
 			case core.AppArmorProfileTypeLocalhost:
-				if !strings.HasPrefix(annotation, core.AppArmorProfileLocalhostPrefix) {
+				if !strings.HasPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
 					allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
-				} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.AppArmorProfileLocalhostPrefix) != *containerProfile.LocalhostProfile {
+				} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) != *containerProfile.LocalhostProfile {
 					allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("localhostProfile"), "apparmor profile in annotation and field must match"))
 				}
 			}

pkg/apis/core/validation/validation_test.go

@@ -10430,7 +10430,7 @@ func TestValidatePod(t *testing.T) {
 				Name:      "123",
 				Namespace: "ns",
 				Annotations: map[string]string{
-					core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+					core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 				},
 			},
 			Spec: core.PodSpec{
@@ -10451,7 +10451,7 @@ func TestValidatePod(t *testing.T) {
 				Name:      "123",
 				Namespace: "ns",
 				Annotations: map[string]string{
-					core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+					core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 				},
 			},
 			Spec: core.PodSpec{
@@ -12166,7 +12166,7 @@ func TestValidatePod(t *testing.T) {
 					Name:      "123",
 					Namespace: "ns",
 					Annotations: map[string]string{
-						core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
+						core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 					},
 				},
 				Spec: core.PodSpec{
@@ -12189,7 +12189,7 @@ func TestValidatePod(t *testing.T) {
 					Name:      "123",
 					Namespace: "ns",
 					Annotations: map[string]string{
-						core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
+						core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 					},
 				},
 				Spec: core.PodSpec{
@@ -12211,7 +12211,7 @@ func TestValidatePod(t *testing.T) {
 					Name:      "123",
 					Namespace: "ns",
 					Annotations: map[string]string{
-						core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+						core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 					},
 				},
 				Spec: core.PodSpec{

pkg/registry/core/pod/strategy.go

@@ -777,7 +777,7 @@ func applyAppArmorVersionSkew(pod *api.Pod) {
 	podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(),
 		func(ctr *api.Container, _ podutil.ContainerType) bool {
 			// get possible annotation and field
-			key := api.AppArmorContainerAnnotationKeyPrefix + ctr.Name
+			key := api.DeprecatedAppArmorAnnotationKeyPrefix + ctr.Name
 			annotation, hasAnnotation := pod.Annotations[key]
 
 			var containerProfile *api.AppArmorProfile
@@ -824,14 +824,14 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
 	// trails the API version
 	switch field.Type {
 	case api.AppArmorProfileTypeUnconfined:
-		return api.AppArmorProfileNameUnconfined
+		return api.DeprecatedAppArmorAnnotationValueUnconfined
 
 	case api.AppArmorProfileTypeRuntimeDefault:
-		return api.AppArmorProfileRuntimeDefault
+		return api.DeprecatedAppArmorAnnotationValueRuntimeDefault
 
 	case api.AppArmorProfileTypeLocalhost:
 		if field.LocalhostProfile != nil {
-			return api.AppArmorProfileLocalhostPrefix + *field.LocalhostProfile
+			return api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + *field.LocalhostProfile
 		}
 	}
 
@@ -844,16 +844,16 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
 // apparmorFieldForAnnotation takes a pod annotation and returns the converted
 // apparmor profile field.
 func apparmorFieldForAnnotation(annotation string) *api.AppArmorProfile {
-	if annotation == api.AppArmorProfileNameUnconfined {
+	if annotation == api.DeprecatedAppArmorAnnotationValueUnconfined {
 		return &api.AppArmorProfile{Type: api.AppArmorProfileTypeUnconfined}
 	}
 
-	if annotation == api.AppArmorProfileRuntimeDefault {
+	if annotation == api.DeprecatedAppArmorAnnotationValueRuntimeDefault {
 		return &api.AppArmorProfile{Type: api.AppArmorProfileTypeRuntimeDefault}
 	}
 
-	if strings.HasPrefix(annotation, api.AppArmorProfileLocalhostPrefix) {
+	if strings.HasPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
-		localhostProfile := strings.TrimPrefix(annotation, api.AppArmorProfileLocalhostPrefix)
+		localhostProfile := strings.TrimPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix)
 		if localhostProfile != "" {
 			return &api.AppArmorProfile{
 				Type:             api.AppArmorProfileTypeLocalhost,

pkg/registry/core/pod/strategy_test.go

@@ -2155,8 +2155,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr":  api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr":  api.DeprecatedAppArmorAnnotationValueUnconfined,
 			}, pod.Annotations)
 		},
 	}, {
@@ -2174,8 +2174,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr":  api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr":  api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 		},
 	}, {
@@ -2194,8 +2194,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr":  api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr":  api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 			}, pod.Annotations)
 		},
 	}, {
@@ -2243,7 +2243,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.SecurityContext)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2265,7 +2265,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.SecurityContext)
 			assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2291,7 +2291,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 			assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2330,9 +2330,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
-				api.AppArmorContainerAnnotationKeyPrefix + "a":    api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "a":    api.DeprecatedAppArmorAnnotationValueUnconfined,
-				api.AppArmorContainerAnnotationKeyPrefix + "c":    api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "c":    api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.SecurityContext)
 			assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
@@ -2345,7 +2345,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2354,7 +2354,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2365,7 +2365,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2374,7 +2374,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 			assert.Nil(t, pod.Spec.SecurityContext)
@@ -2384,7 +2384,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2401,7 +2401,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2412,9 +2412,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
-					api.AppArmorContainerAnnotationKeyPrefix + "a":    api.AppArmorProfileLocalhostPrefix + testProfile,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "a":    api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
-					api.AppArmorContainerAnnotationKeyPrefix + "c":    api.AppArmorProfileRuntimeDefault,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "c":    api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2433,10 +2433,10 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
-				api.AppArmorContainerAnnotationKeyPrefix + "a":    api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "a":    api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
-				api.AppArmorContainerAnnotationKeyPrefix + "b":    api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "b":    api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
-				api.AppArmorContainerAnnotationKeyPrefix + "c":    api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "c":    api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
 			assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2450,7 +2450,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2466,7 +2466,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2477,7 +2477,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2493,7 +2493,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 			// Annotation shouldn't be synced to container security context
@@ -2504,7 +2504,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2520,7 +2520,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 			assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2530,7 +2530,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2555,9 +2555,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
-				api.AppArmorContainerAnnotationKeyPrefix + "unconf-field": api.AppArmorProfileNameUnconfined,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-field": api.DeprecatedAppArmorAnnotationValueUnconfined,
-				api.AppArmorContainerAnnotationKeyPrefix + "default-pod":  api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "default-pod":  api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 			assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2569,7 +2569,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
 				},
 			},
 			Spec: api.PodSpec{
@@ -2578,7 +2578,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 			assert.Nil(t, pod.Spec.SecurityContext)
@@ -2604,7 +2604,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		pod: &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				Annotations: map[string]string{
-					api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+					api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 				},
 			},
 			Spec: api.PodSpec{
@@ -2614,7 +2614,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 		},
 		validation: func(t *testing.T, pod *api.Pod) {
 			assert.Equal(t, map[string]string{
-				api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+				api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 			}, pod.Annotations)
 			assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 		},

pkg/security/apparmor/helpers.go

@@ -43,8 +43,8 @@ func isRequired(pod *v1.Pod) bool {
 	}
 
 	for key, value := range pod.Annotations {
-		if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+		if strings.HasPrefix(key, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
-			return value != v1.AppArmorBetaProfileNameUnconfined
+			return value != v1.DeprecatedAppArmorBetaProfileNameUnconfined
 		}
 	}
 	return false
@@ -72,21 +72,21 @@ func GetProfile(pod *v1.Pod, container *v1.Container) *v1.AppArmorProfile {
 // getProfileFromPodAnnotations gets the AppArmor profile to use with container from
 // (deprecated) pod annotations.
 func getProfileFromPodAnnotations(annotations map[string]string, containerName string) *v1.AppArmorProfile {
-	val, ok := annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName]
+	val, ok := annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName]
 	if !ok {
 		return nil
 	}
 
 	switch {
-	case val == v1.AppArmorBetaProfileRuntimeDefault:
+	case val == v1.DeprecatedAppArmorBetaProfileRuntimeDefault:
 		return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeRuntimeDefault}
 
-	case val == v1.AppArmorBetaProfileNameUnconfined:
+	case val == v1.DeprecatedAppArmorBetaProfileNameUnconfined:
 		return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}
 
-	case strings.HasPrefix(val, v1.AppArmorBetaProfileNamePrefix):
+	case strings.HasPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix):
 		// Note: an invalid empty localhost profile will be rejected by kubelet admission.
-		profileName := strings.TrimPrefix(val, v1.AppArmorBetaProfileNamePrefix)
+		profileName := strings.TrimPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix)
 		return &v1.AppArmorProfile{
 			Type:             v1.AppArmorProfileTypeLocalhost,
 			LocalhostProfile: &profileName,

pkg/security/apparmor/helpers_test.go

@@ -52,7 +52,7 @@ func TestGetProfile(t *testing.T) {
 		expectedProfile:  unconfined,
 	}, {
 		name:              "annotation profile",
-		annotationProfile: v1.AppArmorBetaProfileNamePrefix + "test",
+		annotationProfile: v1.DeprecatedAppArmorBetaProfileNamePrefix + "test",
 		expectedProfile:   localhost,
 	}, {
 		name:              "invalid annotation",
@@ -65,7 +65,7 @@ func TestGetProfile(t *testing.T) {
 		expectedProfile:   runtimeDefault,
 	}, {
 		name:              "container field before annotation",
-		annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
+		annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
 		containerProfile:  runtimeDefault,
 		expectedProfile:   runtimeDefault,
 	}, {
@@ -75,12 +75,12 @@ func TestGetProfile(t *testing.T) {
 		expectedProfile:  runtimeDefault,
 	}, {
 		name:              "annotation before pod field",
-		annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
+		annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
 		podProfile:        runtimeDefault,
 		expectedProfile:   unconfined,
 	}, {
 		name:              "all profiles",
-		annotationProfile: v1.AppArmorBetaProfileRuntimeDefault,
+		annotationProfile: v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
 		containerProfile:  localhost,
 		podProfile:        unconfined,
 		expectedProfile:   localhost,
@@ -101,7 +101,7 @@ func TestGetProfile(t *testing.T) {
 					Name: "bar",
 					Annotations: map[string]string{
 						"unrelated": "baz",
-						v1.AppArmorBetaContainerAnnotationKeyPrefix + "other": v1.AppArmorBetaProfileRuntimeDefault,
+						v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "other": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
 					},
 				},
 				Spec: v1.PodSpec{
@@ -109,7 +109,7 @@ func TestGetProfile(t *testing.T) {
 				},
 			}
 			if test.annotationProfile != "" {
-				pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
+				pod.Annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
 			}
 			if test.podProfile != nil {
 				pod.Spec.SecurityContext = &v1.PodSecurityContext{

pkg/security/apparmor/validate_test.go

@@ -38,8 +38,8 @@ func TestValidateBadHost(t *testing.T) {
 		expectValid bool
 	}{
 		{"", true},
-		{v1.AppArmorBetaProfileRuntimeDefault, false},
+		{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, false},
-		{v1.AppArmorBetaProfileNamePrefix + "docker-default", false},
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", false},
 	}
 
 	for _, test := range tests {
@@ -60,12 +60,12 @@ func TestValidateValidHost(t *testing.T) {
 		expectValid bool
 	}{
 		{"", true},
-		{v1.AppArmorBetaProfileRuntimeDefault, true},
+		{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, true},
-		{v1.AppArmorBetaProfileNamePrefix + "docker-default", true},
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", true},
-		{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container", true},
-		{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
-		{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
-		{v1.AppArmorBetaProfileNamePrefix + " ", false},
+		{v1.DeprecatedAppArmorBetaProfileNamePrefix + " ", false},
 	}
 
 	for _, test := range tests {
@@ -81,9 +81,9 @@ func TestValidateValidHost(t *testing.T) {
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: map[string]string{
-				v1.AppArmorBetaContainerAnnotationKeyPrefix + "init":  v1.AppArmorBetaProfileNamePrefix + "foo-container",
+				v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "init":  v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container",
-				v1.AppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.AppArmorBetaProfileRuntimeDefault,
+				v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
-				v1.AppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.AppArmorBetaProfileNamePrefix + "docker-default",
+				v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default",
 			},
 		},
 		Spec: v1.PodSpec{
@@ -102,7 +102,7 @@ func TestValidateValidHost(t *testing.T) {
 
 func getPodWithProfile(profile string) *v1.Pod {
 	annotations := map[string]string{
-		v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
+		v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
 	}
 	if profile == "" {
 		annotations = map[string]string{

staging/src/k8s.io/api/core/v1/annotation_key_constants.go

@@ -54,18 +54,18 @@ const (
 	// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
 	SeccompLocalhostProfileNamePrefix = "localhost/"
 
-	// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+	// DeprecatedAppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
 	// Deprecated: use a pod or container security context `appArmorProfile` field instead.
-	AppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+	DeprecatedAppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
 
-	// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+	// DeprecatedAppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
-	AppArmorBetaProfileRuntimeDefault = "runtime/default"
+	DeprecatedAppArmorBetaProfileRuntimeDefault = "runtime/default"
 
-	// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+	// DeprecatedAppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
-	AppArmorBetaProfileNamePrefix = "localhost/"
+	DeprecatedAppArmorBetaProfileNamePrefix = "localhost/"
 
-	// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+	// DeprecatedAppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
-	AppArmorBetaProfileNameUnconfined = "unconfined"
+	DeprecatedAppArmorBetaProfileNameUnconfined = "unconfined"
 
 	// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
 	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.

staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go

@@ -66,8 +66,8 @@ func CheckAppArmorProfile() Check {
 
 func allowedAnnotationValue(profile string) bool {
 	return len(profile) == 0 ||
-		profile == corev1.AppArmorBetaProfileRuntimeDefault ||
+		profile == corev1.DeprecatedAppArmorBetaProfileRuntimeDefault ||
-		strings.HasPrefix(profile, corev1.AppArmorBetaProfileNamePrefix)
+		strings.HasPrefix(profile, corev1.DeprecatedAppArmorBetaProfileNamePrefix)
 }
 
 func allowedProfileType(profile corev1.AppArmorProfileType) bool {
@@ -114,7 +114,7 @@ func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec
 
 	var forbiddenAnnotations []string
 	for k, v := range podMetadata.Annotations {
-		if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
+		if strings.HasPrefix(k, corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
 			forbiddenAnnotations = append(forbiddenAnnotations, fmt.Sprintf("%s=%q", k, v))
 		}
 	}

staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go

@@ -33,7 +33,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
 		{
 			name: "container with default AppArmor + extra annotations",
 			metaData: &metav1.ObjectMeta{Annotations: map[string]string{
-				corev1.AppArmorBetaProfileNamePrefix + "test": "runtime/default",
+				corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "runtime/default",
 				"env": "prod",
 			}},
 			podSpec: &corev1.PodSpec{},
@@ -41,7 +41,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
 		{
 			name: "container with local AppArmor + extra annotations",
 			metaData: &metav1.ObjectMeta{Annotations: map[string]string{
-				corev1.AppArmorBetaProfileNamePrefix + "test": "localhost/sec-profile01",
+				corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "localhost/sec-profile01",
 				"env": "dev",
 			}},
 			podSpec: &corev1.PodSpec{},

staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go

@@ -32,10 +32,10 @@ func init() {
 				// container with localhost/foo annotation
 				tweak(pod, func(copy *corev1.Pod) {
 					containerName := copy.Spec.Containers[0].Name
-					copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
+					copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
 
 					initContainerName := copy.Spec.Containers[0].Name
-					copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
+					copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
 				}),
 			}
 		},
@@ -45,13 +45,13 @@ func init() {
 				// container with unconfined annotation
 				tweak(pod, func(copy *corev1.Pod) {
 					name := copy.Spec.Containers[0].Name
-					copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
+					copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
 				}),
 
 				// initContainer with unconfined annotation
 				tweak(pod, func(copy *corev1.Pod) {
 					name := copy.Spec.InitContainers[0].Name
-					copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
+					copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
 				}),
 			}
 		},

test/e2e/node/apparmor.go

@@ -66,9 +66,9 @@ var _ = SIGDescribe("AppArmor", func() {
 			pod := e2esecurity.AppArmorTestPod(f.Namespace.Name, false, true)
 			// Move AppArmor profile to the annotations.
 			profile := pod.Spec.SecurityContext.AppArmorProfile
-			key := v1.AppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
+			key := v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
 			pod.Annotations = map[string]string{
-				key: v1.AppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
+				key: v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
 			}
 			pod.Spec.SecurityContext = nil
 

test/e2e_node/apparmor_test.go

@@ -60,11 +60,11 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 			f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
 			ginkgo.It("should reject an unloaded profile", func(ctx context.Context) {
-				status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile")
+				status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileNamePrefix+"non-existent-profile")
 				gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
 			})
 			ginkgo.It("should enforce a profile blocking writes", func(ctx context.Context) {
-				status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
+				status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
 				if len(status.ContainerStatuses) == 0 {
 					framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 					return
@@ -75,7 +75,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 
 			})
 			ginkgo.It("should enforce a permissive profile", func(ctx context.Context) {
-				status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
+				status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
 				if len(status.ContainerStatuses) == 0 {
 					framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 					return
@@ -91,7 +91,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 			f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
 			ginkgo.It("should reject a pod with an AppArmor profile", func(ctx context.Context) {
-				status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileRuntimeDefault)
+				status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault)
 				expectSoftRejection(status)
 			})
 		})
@@ -214,7 +214,7 @@ func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile
 		ObjectMeta: metav1.ObjectMeta{
 			Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)),
 			Annotations: map[string]string{
-				v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
+				v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
 			},
 		},
 		Spec: v1.PodSpec{