github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #123811 from tallclair/apparmor-ga

Browse Source 
Keep providing the deprecated AppArmor CRI API for runtimes that haven't migrated
This commit is contained in:
Kubernetes Prow Robot
2024-03-07 16:18:44 -08:00
committed by GitHub
parent 364ef335db 04ac13b6b7
commit b1741c004b
3 changed files with 32 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/kubelet/kuberuntime/helpers.go
View File

@@ -288,34 +288,44 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
}, nil }, nil
} }
func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, error) { func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, string, error) {
profile := apparmor.GetProfile(pod, container) profile := apparmor.GetProfile(pod, container)
if profile == nil { if profile == nil {
return nil, nil return nil, "", nil
} }
var (
securityProfile *runtimeapi.SecurityProfile
deprecatedProfile string // Deprecated apparmor profile format, still provided for backwards compatibility with older runtimes.
)
switch profile.Type { switch profile.Type {
case v1.AppArmorProfileTypeRuntimeDefault: case v1.AppArmorProfileTypeRuntimeDefault:
return &runtimeapi.SecurityProfile{ securityProfile = &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
}, nil }
deprecatedProfile = v1.DeprecatedAppArmorBetaProfileRuntimeDefault
case v1.AppArmorProfileTypeUnconfined: case v1.AppArmorProfileTypeUnconfined:
return &runtimeapi.SecurityProfile{ securityProfile = &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined, ProfileType: runtimeapi.SecurityProfile_Unconfined,
}, nil }
deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNameUnconfined
case v1.AppArmorProfileTypeLocalhost: case v1.AppArmorProfileTypeLocalhost:
if profile.LocalhostProfile == nil { if profile.LocalhostProfile == nil {
return nil, errors.New("missing localhost apparmor profile name") return nil, "", errors.New("missing localhost apparmor profile name")
} }
return &runtimeapi.SecurityProfile{ securityProfile = &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: *profile.LocalhostProfile, LocalhostRef: *profile.LocalhostProfile,
}, nil }
deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile
default: default:
// Shouldn't happen. // Shouldn't happen.
return nil, fmt.Errorf("unknown apparmor profile type: %q", profile.Type) return nil, "", fmt.Errorf("unknown apparmor profile type: %q", profile.Type)
} }
return securityProfile, deprecatedProfile, nil
} }

17
pkg/kubelet/kuberuntime/helpers_test.go
View File

@@ -367,10 +367,11 @@ func TestToKubeContainerState(t *testing.T) {
func TestGetAppArmorProfile(t *testing.T) { func TestGetAppArmorProfile(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
podProfile *v1.AppArmorProfile podProfile *v1.AppArmorProfile
expectedProfile *runtimeapi.SecurityProfile expectedProfile *runtimeapi.SecurityProfile
expectError bool expectedOldProfile string
expectError bool
}{{ }{{
name: "no appArmor", name: "no appArmor",
expectedProfile: nil, expectedProfile: nil,
@@ -380,12 +381,14 @@ func TestGetAppArmorProfile(t *testing.T) {
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
}, },
expectedOldProfile: "runtime/default",
}, { }, {
name: "unconfined", name: "unconfined",
podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}, podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined},
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined, ProfileType: runtimeapi.SecurityProfile_Unconfined,
}, },
expectedOldProfile: "unconfined",
}, { }, {
name: "localhost", name: "localhost",
podProfile: &v1.AppArmorProfile{ podProfile: &v1.AppArmorProfile{
@@ -396,6 +399,7 @@ func TestGetAppArmorProfile(t *testing.T) {
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: "test", LocalhostRef: "test",
}, },
expectedOldProfile: "localhost/test",
}, { }, {
name: "invalid localhost", name: "invalid localhost",
podProfile: &v1.AppArmorProfile{ podProfile: &v1.AppArmorProfile{
@@ -424,7 +428,7 @@ func TestGetAppArmorProfile(t *testing.T) {
}, },
} }
actual, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0]) actual, actualOld, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0])
if test.expectError { if test.expectError {
assert.Error(t, err) assert.Error(t, err)
@@ -432,7 +436,8 @@ func TestGetAppArmorProfile(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
} }
assert.Equal(t, test.expectedProfile, actual) assert.Equal(t, test.expectedProfile, actual, "AppArmor profile")
assert.Equal(t, test.expectedOldProfile, actualOld, "old (deprecated) profile string")
}) })
} }
} }

2
pkg/kubelet/kuberuntime/security_context.go
View File

@@ -41,7 +41,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
} }
// set ApparmorProfile. // set ApparmorProfile.
synthesized.Apparmor, err = getAppArmorProfile(pod, container) synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
if err != nil { if err != nil {
return nil, err return nil, err
} }