Separate feature-gate for AppArmor fields

Tim Allclair
2024-03-05 17:04:36 -08:00
parent 22068e0cc7
commit 2d86cbf261
6 changed files with 86 additions and 38 deletions


@@ -20,7 +20,9 @@ import (
"strings"
v1 "k8s.io/api/core/v1"
utilfeature "k8s.io/apiserver/pkg/util/feature"
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
"k8s.io/kubernetes/pkg/features"
)
// Checks whether app armor is required for the pod to run. AppArmor is considered required if any
@@ -52,6 +54,10 @@ func isRequired(pod *v1.Pod) bool {
// GetProfileName returns the name of the profile to use with the container.
func GetProfile(pod *v1.Pod, container *v1.Container) *v1.AppArmorProfile {
if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmorFields) {
return getProfileFromPodAnnotations(pod.Annotations, container.Name)
}
if container.SecurityContext != nil && container.SecurityContext.AppArmorProfile != nil {
return container.SecurityContext.AppArmorProfile
}
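Review bot: When the `AppArmorFields` gate is disabled, the new early return in `GetProfile` consults only the pod annotations, so a profile set solely through `container.SecurityContext.AppArmorProfile` is ignored without any signal to the caller. Whether such fields are dropped or rejected earlier in the API path is not visible in this hunk, so the fallback should at least be documented above the gate check, e.g. `// Gate disabled: field-based profiles are ignored and only annotations are honoured.` The doc comment also still names `GetProfileName` while the function is `GetProfile`; it should read `// GetProfile returns the AppArmor profile to use with the container.` The body of `GetProfile` continues past the end of the hunk, so the remaining fallbacks could not be reviewed.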