Promote AppArmor annotations to beta

This commit is contained in:
Tim St. Clair 2016-08-25 15:40:32 -07:00
parent 75fba4c953
commit a5b7212453
No known key found for this signature in database
GPG Key ID: 434D16BCEF479EAB
3 changed files with 25 additions and 25 deletions


@ -25,11 +25,11 @@ import (
// TODO: Move these values into the API package. // TODO: Move these values into the API package.
const ( const (
// The prefix to an annotation key specifying a container profile. // The prefix to an annotation key specifying a container profile.
ContainerAnnotationKeyPrefix = "container.apparmor.security.alpha.kubernetes.io/" ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// The annotation key specifying the default AppArmor profile. // The annotation key specifying the default AppArmor profile.
DefaultProfileAnnotationKey = "apparmor.security.alpha.kubernetes.io/defaultProfileName" DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
// The annotation key specifying the allowed AppArmor profiles. // The annotation key specifying the allowed AppArmor profiles.
AllowedProfilesAnnotationKey = "apparmor.security.alpha.kubernetes.io/allowedProfileNames" AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
// The profile specifying the runtime default. // The profile specifying the runtime default.
ProfileRuntimeDefault = "runtime/default" ProfileRuntimeDefault = "runtime/default"
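Review bot: Replacing the alpha key in ContainerAnnotationKeyPrefix, DefaultProfileAnnotationKey and AllowedProfilesAnnotationKey outright (L17–L21) means, as far as this file shows, a pod that still carries `container.apparmor.security.alpha.kubernetes.io/<container>` no longer matches the prefix and would run without the intended profile rather than being rejected, which is a silent loss of confinement unless the old key is handled elsewhere in the kubelet or admission path. Consider either keeping a deprecated alpha prefix constant that validation explicitly rejects with an error, or at least stating the break in the comment: `// Pods still using the former alpha key (container.apparmor.security.alpha.kubernetes.io/) are no longer recognized and run unconfined.` The const block continues outside the hunk.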


@ -60,12 +60,12 @@ func TestValidateProfile(t *testing.T) {
expectValid bool expectValid bool
}{ }{
{"", true}, {"", true},
{"runtime/default", true}, {ProfileRuntimeDefault, true},
{"baz", false}, // Missing local prefix. {"baz", false}, // Missing local prefix.
{"localhost//usr/sbin/ntpd", true}, {ProfileNamePrefix + "/usr/sbin/ntpd", true},
{"localhost/foo-bar", true}, {ProfileNamePrefix + "foo-bar", true},
{"localhost/unloaded", false}, // Not loaded. {ProfileNamePrefix + "unloaded", false}, // Not loaded.
{"localhost/", false}, {ProfileNamePrefix + "", false},
} }
for _, test := range tests { for _, test := range tests {
@ -89,8 +89,8 @@ func TestValidateBadHost(t *testing.T) {
expectValid bool expectValid bool
}{ }{
{"", true}, {"", true},
{"runtime/default", false}, {ProfileRuntimeDefault, false},
{"localhost/docker-default", false}, {ProfileNamePrefix + "docker-default", false},
} }
for _, test := range tests { for _, test := range tests {
@ -113,13 +113,13 @@ func TestValidateValidHost(t *testing.T) {
expectValid bool expectValid bool
}{ }{
{"", true}, {"", true},
{"runtime/default", true}, {ProfileRuntimeDefault, true},
{"localhost/docker-default", true}, {ProfileNamePrefix + "docker-default", true},
{"localhost/foo-container", true}, {ProfileNamePrefix + "foo-container", true},
{"localhost//usr/sbin/ntpd", true}, {ProfileNamePrefix + "/usr/sbin/ntpd", true},
{"docker-default", false}, {"docker-default", false},
{"localhost/foo", false}, {ProfileNamePrefix + "foo", false},
{"localhost/", false}, {ProfileNamePrefix + "", false},
} }
for _, test := range tests { for _, test := range tests {
@ -135,9 +135,9 @@ func TestValidateValidHost(t *testing.T) {
pod := &api.Pod{ pod := &api.Pod{
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Annotations: map[string]string{ Annotations: map[string]string{
"container.apparmor.security.alpha.kubernetes.io/init": "localhost/foo-container", ContainerAnnotationKeyPrefix + "init": ProfileNamePrefix + "foo-container",
"container.apparmor.security.alpha.kubernetes.io/test1": "runtime/default", ContainerAnnotationKeyPrefix + "test1": ProfileRuntimeDefault,
"container.apparmor.security.alpha.kubernetes.io/test2": "localhost/docker-default", ContainerAnnotationKeyPrefix + "test2": ProfileNamePrefix + "docker-default",
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
@ -173,7 +173,7 @@ func TestParseProfileName(t *testing.T) {
func getPodWithProfile(profile string) *api.Pod { func getPodWithProfile(profile string) *api.Pod {
annotations := map[string]string{ annotations := map[string]string{
"container.apparmor.security.alpha.kubernetes.io/test": profile, ContainerAnnotationKeyPrefix + "test": profile,
} }
if profile == "" { if profile == "" {
annotations = map[string]string{ annotations = map[string]string{
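Review bot: Now that the test fixtures are built from ContainerAnnotationKeyPrefix and ProfileNamePrefix (L64–L66, L73), no test pins the literal beta annotation key anymore, so a typo in the constant would pass every test here even though the key is the user-facing API contract. Add one assertion on the literal, e.g. `if ContainerAnnotationKeyPrefix != "container.apparmor.security.beta.kubernetes.io/" { t.Errorf("unexpected key prefix %q", ContainerAnnotationKeyPrefix) }`, and the same for DefaultProfileAnnotationKey and AllowedProfilesAnnotationKey. getPodWithProfile's body continues past the hunk.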


@ -53,12 +53,12 @@ func testAppArmorNode() {
f := framework.NewDefaultFramework("apparmor-test") f := framework.NewDefaultFramework("apparmor-test")
It("should reject an unloaded profile", func() { It("should reject an unloaded profile", func() {
status := runAppArmorTest(f, "localhost/"+"non-existant-profile") status := runAppArmorTest(f, apparmor.ProfileNamePrefix+"non-existant-profile")
Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status) Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status)
Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status) Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status)
}) })
It("should enforce a profile blocking writes", func() { It("should enforce a profile blocking writes", func() {
status := runAppArmorTest(f, "localhost/"+apparmorProfilePrefix+"deny-write") status := runAppArmorTest(f, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"deny-write")
if len(status.ContainerStatuses) == 0 { if len(status.ContainerStatuses) == 0 {
framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) framework.Failf("Unexpected pod status: %s", spew.Sdump(status))
return return
@ -68,7 +68,7 @@ func testAppArmorNode() {
}) })
It("should enforce a permissive profile", func() { It("should enforce a permissive profile", func() {
status := runAppArmorTest(f, "localhost/"+apparmorProfilePrefix+"audit-write") status := runAppArmorTest(f, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"audit-write")
if len(status.ContainerStatuses) == 0 { if len(status.ContainerStatuses) == 0 {
framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) framework.Failf("Unexpected pod status: %s", spew.Sdump(status))
return return
@ -84,7 +84,7 @@ func testNonAppArmorNode() {
f := framework.NewDefaultFramework("apparmor-test") f := framework.NewDefaultFramework("apparmor-test")
It("should reject a pod with an AppArmor profile", func() { It("should reject a pod with an AppArmor profile", func() {
status := runAppArmorTest(f, "runtime/default") status := runAppArmorTest(f, apparmor.ProfileRuntimeDefault)
Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status) Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status)
Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status) Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status)
}) })
@ -159,7 +159,7 @@ func createPodWithAppArmor(f *framework.Framework, profile string) *api.Pod {
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)), Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)),
Annotations: map[string]string{ Annotations: map[string]string{
"container.apparmor.security.alpha.kubernetes.io/test": profile, apparmor.ContainerAnnotationKeyPrefix + "test": profile,
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
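Review bot: The profile name in the rejection test on L83 is misspelled (`"non-existant-profile"`); since that string also feeds the pod name built on L108, spell it `"non-existent-profile"` so the pod name and any failure output read correctly. createPodWithAppArmor's body continues outside the hunk.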