github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add AppArmor feature gate

Browse Source
This commit is contained in:
Tim St. Clair
2016-08-25 17:40:18 -07:00
parent 75fba4c953
commit 9bde6f0770
3 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/api/validation/validation.go
View File

@@ -38,6 +38,7 @@ import (
"k8s.io/kubernetes/pkg/capabilities"
"k8s.io/kubernetes/pkg/labels"
"k8s.io/kubernetes/pkg/security/apparmor"
utilconfig "k8s.io/kubernetes/pkg/util/config"
"k8s.io/kubernetes/pkg/util/intstr"
"k8s.io/kubernetes/pkg/util/sets"
"k8s.io/kubernetes/pkg/util/validation"
@@ -2119,13 +2120,17 @@ func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *api.Pod
if !strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) {
continue
}
if !utilconfig.DefaultFeatureGate.AppArmor() {
allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "AppArmor is disabled by feature-gate"))
continue
}
containerName := strings.TrimPrefix(k, apparmor.ContainerAnnotationKeyPrefix)
if !podSpecHasContainer(spec, containerName) {
allErrs = append(allErrs, field.Invalid(fldPath.Child(k), containerName, "container not found"))
allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found"))
}
if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child(k), p, err.Error()))
allErrs = append(allErrs, field.Invalid(fldPath.Key(k), p, err.Error()))
}
}