Merge pull request #125257 from vinayakankugoyal/armor
KEP-24: Update AppArmor feature gates to GA stage.
@@ -628,25 +628,6 @@ func dropDisabledFields(
|
||||
podSpec = &api.PodSpec{}
|
||||
}
|
||||
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorAnnotationsInUse(oldPodAnnotations) {
|
||||
for k := range podAnnotations {
|
||||
if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
|
||||
delete(podAnnotations, k)
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) || !utilfeature.DefaultFeatureGate.Enabled(features.AppArmorFields)) && !appArmorFieldsInUse(oldPodSpec) {
|
||||
if podSpec.SecurityContext != nil {
|
||||
podSpec.SecurityContext.AppArmorProfile = nil
|
||||
}
|
||||
VisitContainers(podSpec, AllContainers, func(c *api.Container, _ ContainerType) bool {
|
||||
if c.SecurityContext != nil {
|
||||
c.SecurityContext.AppArmorProfile = nil
|
||||
}
|
||||
return true
|
||||
})
|
||||
}
|
||||
|
||||
// If the feature is disabled and not in use, drop the hostUsers field.
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) && !hostUsersInUse(oldPodSpec) {
|
||||
// Drop the field in podSpec only if SecurityContext is not nil.
|
||||
|
||||
@@ -769,45 +769,36 @@ func TestDropAppArmor(t *testing.T) {
|
||||
}}
|
||||
|
||||
for _, test := range tests {
|
||||
for _, enabled := range []bool{true, false} {
|
||||
for _, fieldsEnabled := range []bool{true, false} {
|
||||
t.Run(fmt.Sprintf("%v/enabled=%v/fields=%v", test.description, enabled, fieldsEnabled), func(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, enabled)
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmorFields, fieldsEnabled)
|
||||
|
||||
newPod := test.pod.DeepCopy()
|
||||
t.Run(fmt.Sprintf("%v", test.description), func(t *testing.T) {
|
||||
newPod := test.pod.DeepCopy()
|
||||
|
||||
if hasAnnotations := appArmorAnnotationsInUse(newPod.Annotations); hasAnnotations != test.hasAnnotations {
|
||||
t.Errorf("appArmorAnnotationsInUse does not match expectation: %t != %t", hasAnnotations, test.hasAnnotations)
|
||||
}
|
||||
if hasFields := appArmorFieldsInUse(&newPod.Spec); hasFields != test.hasFields {
|
||||
t.Errorf("appArmorFieldsInUse does not match expectation: %t != %t", hasFields, test.hasFields)
|
||||
}
|
||||
|
||||
DropDisabledPodFields(newPod, newPod)
|
||||
require.Equal(t, &test.pod, newPod, "unchanged pod should never be mutated")
|
||||
|
||||
DropDisabledPodFields(newPod, nil)
|
||||
|
||||
if enabled && fieldsEnabled {
|
||||
assert.Equal(t, &test.pod, newPod, "pod should not be mutated when both feature gates are enabled")
|
||||
return
|
||||
}
|
||||
|
||||
expectAnnotations := test.hasAnnotations && enabled
|
||||
assert.Equal(t, expectAnnotations, appArmorAnnotationsInUse(newPod.Annotations), "AppArmor annotations expectation")
|
||||
if expectAnnotations == test.hasAnnotations {
|
||||
assert.Equal(t, test.pod.Annotations, newPod.Annotations, "annotations should not be mutated")
|
||||
}
|
||||
|
||||
expectFields := test.hasFields && enabled && fieldsEnabled
|
||||
assert.Equal(t, expectFields, appArmorFieldsInUse(&newPod.Spec), "AppArmor fields expectation")
|
||||
if expectFields == test.hasFields {
|
||||
assert.Equal(t, &test.pod.Spec, &newPod.Spec, "PodSpec should not be mutated")
|
||||
}
|
||||
})
|
||||
if hasAnnotations := appArmorAnnotationsInUse(newPod.Annotations); hasAnnotations != test.hasAnnotations {
|
||||
t.Errorf("appArmorAnnotationsInUse does not match expectation: %t != %t", hasAnnotations, test.hasAnnotations)
|
||||
}
|
||||
}
|
||||
if hasFields := appArmorFieldsInUse(&newPod.Spec); hasFields != test.hasFields {
|
||||
t.Errorf("appArmorFieldsInUse does not match expectation: %t != %t", hasFields, test.hasFields)
|
||||
}
|
||||
|
||||
DropDisabledPodFields(newPod, newPod)
|
||||
require.Equal(t, &test.pod, newPod, "unchanged pod should never be mutated")
|
||||
|
||||
DropDisabledPodFields(newPod, nil)
|
||||
assert.Equal(t, &test.pod, newPod, "pod should not be mutated when both feature gates are enabled")
|
||||
|
||||
expectAnnotations := test.hasAnnotations
|
||||
assert.Equal(t, expectAnnotations, appArmorAnnotationsInUse(newPod.Annotations), "AppArmor annotations expectation")
|
||||
if expectAnnotations == test.hasAnnotations {
|
||||
assert.Equal(t, test.pod.Annotations, newPod.Annotations, "annotations should not be mutated")
|
||||
}
|
||||
|
||||
expectFields := test.hasFields
|
||||
assert.Equal(t, expectFields, appArmorFieldsInUse(&newPod.Spec), "AppArmor fields expectation")
|
||||
if expectFields == test.hasFields {
|
||||
assert.Equal(t, &test.pod.Spec, &newPod.Spec, "PodSpec should not be mutated")
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
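Review bot: The message on the full-pod check after the second drop call, `assert.Equal(t, &test.pod, newPod, "pod should not be mutated when both feature gates are enabled")`, is now stale because the new test body no longer sets or loops over any feature gate; `"pod should never be mutated now that AppArmor is GA"` describes what is actually asserted. The `t.Run(fmt.Sprintf("%v", test.description), func(t *testing.T) {` subtest name is a no-op formatting of a string and reads better as `t.Run(test.description, func(t *testing.T) {`. With `expectAnnotations := test.hasAnnotations` and `expectFields := test.hasFields`, the guards `if expectAnnotations == test.hasAnnotations` and `if expectFields == test.hasFields` are always true, so those conditions (and, if I read the new side correctly, the whole post-drop annotation/field block, which the preceding whole-pod equality already covers) can be simplified or removed.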
@@ -24,12 +24,10 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
nodeapi "k8s.io/kubernetes/pkg/api/node"
|
||||
pvcutil "k8s.io/kubernetes/pkg/api/persistentvolumeclaim"
|
||||
api "k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/kubernetes/pkg/apis/core/pods"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
)
|
||||
|
||||
func GetWarningsForPod(ctx context.Context, pod, oldPod *api.Pod) []string {
|
||||
@@ -225,14 +223,13 @@ func warningsForPodSpecAndMeta(fieldPath *field.Path, podSpec *api.PodSpec, meta
|
||||
}
|
||||
|
||||
// use of container AppArmor annotation without accompanying field
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.AppArmorFields) {
|
||||
isPodTemplate := fieldPath != nil // Pod warnings are emitted through applyAppArmorVersionSkew instead.
|
||||
hasAppArmorField := hasPodAppArmorProfile || (c.SecurityContext != nil && c.SecurityContext.AppArmorProfile != nil)
|
||||
if isPodTemplate && !hasAppArmorField {
|
||||
key := api.DeprecatedAppArmorAnnotationKeyPrefix + c.Name
|
||||
if _, exists := meta.Annotations[key]; exists {
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.30; use the "appArmorProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(key)))
|
||||
}
|
||||
|
||||
isPodTemplate := fieldPath != nil // Pod warnings are emitted through applyAppArmorVersionSkew instead.
|
||||
hasAppArmorField := hasPodAppArmorProfile || (c.SecurityContext != nil && c.SecurityContext.AppArmorProfile != nil)
|
||||
if isPodTemplate && !hasAppArmorField {
|
||||
key := api.DeprecatedAppArmorAnnotationKeyPrefix + c.Name
|
||||
if _, exists := meta.Annotations[key]; exists {
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.30; use the "appArmorProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(key)))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
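Review bot: The retained comment `// use of container AppArmor annotation without accompanying field` no longer says that this warning is unconditional now that the `features.AppArmorFields` gate check around it is gone; a reader may still expect gate-dependent behaviour here. Suggest extending it to `// use of container AppArmor annotation without accompanying field (AppArmor fields are GA, so this is checked unconditionally)`. The enclosing `warningsForPodSpecAndMeta` function, including the loop that provides `c` and `hasPodAppArmorProfile`, starts and ends outside this hunk.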