Commit Graph

36 Commits

Author SHA1 Message Date
Sergey Kanzhelev
44159dfc32 AppArmor no reevaluation of host is needed 2023-03-14 18:35:01 +00:00
Freddie
3db6cc5b8b changes in NewValidator 2023-02-21 13:02:30 +05:30
Freddie
e33a4d656f changes in NewValidator 2023-02-21 11:43:51 +05:30
Freddie
02e6092087 made error nil 2023-02-21 11:24:39 +05:30
Freddie
10193062f0 undone last changes 2023-02-19 21:26:43 +05:30
Freddie
7db787e97c removed Validator.Validate Interface 2023-02-19 21:08:06 +05:30
Freddie
a31820bac9 rebased 2023-02-19 13:53:47 +05:30
Tim Allclair
5f2b12e0d4 Move AppArmor profile validation to the API validation pkg 2022-02-15 16:17:37 -08:00
Tim Allclair
f780889d4c Forbid empty AppArmor localhost profile 2022-02-15 14:46:51 -08:00
yanghesong
b4f6eb681c Remove runtime in validate
Validate is useless as dockershim is removed

Signed-off-by: yanghesong <hesong.yang@foxmail.com>
2022-01-09 09:19:31 +08:00
yanghesong
6905fef761 Remove runtime in validate
Validate is useless as dockershim is removed

Signed-off-by: yanghesong <hesong.yang@foxmail.com>
2022-01-09 09:11:49 +08:00
Kubernetes Prow Robot
a90961aac0 Merge pull request #97966 from saschagrunert/apparmor-init-unconfined
Remove AppArmor loaded profile validation
2022-01-04 20:24:32 -08:00
Sascha Grunert
1f8c21166e Remove AppArmor loaded profile validation
In general it could be possible that init containers deploy security
profiles. The existing AppArmor pre-validation would block the complete
workload without this patch being applied. If we now schedule a
workload which contains an unconfined init container, then we will skip
the validation. The underlying container runtime will fail if the
profile is not available after the execution of the init container.

This synchronizes the overall behavior with seccomp.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-03-12 10:19:44 +01:00
Sascha Grunert
0d22571519 Remove check for apparmor_parser in AppArmor host validation
The `apparmor_parser` binary is not really required for a system to run
AppArmor from a Kubernetes perspective. How to apply the profile is more
in the responsibility of lower level runtimes like CRI-O and containerd,
which may do the binary check on their own.

This synchronizes the current libcontainer implementation with the
vendored Kubernetes source code and allows distributions to use
AppArmor, even when they do not have the parser available in
`/sbin/apparmor_parser`.

Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
2021-03-02 18:40:14 +01:00
Andrew Sy Kim
2e56866c97 move apparmor annotation constants to k8s.io/api/core/v1
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-04-06 10:22:04 -04:00
Shihang Zhang
b56da85a77 sync api/v1/pod/util with api/pod/util and remove DefaultContainers 2020-03-24 16:42:32 -07:00
feifei.zhang@huawei.com
fdce8ef960 fix golint failures of pkg/security/apparmor 2019-11-05 18:56:15 +08:00
Hongwei Yu
65f2280a38 Optimizing some format problems (#82983)
* modify the error string

* omit redundant type bool from variable declarations
2019-11-01 10:21:25 -07:00
Lee Verberne
ee821e2a04 Create helpers for iterating containers in a pod 2019-06-21 08:32:04 +00:00
Andrew Kim
84191eb99b replace pkg/util/file with k8s.io/utils/path 2019-01-29 15:20:13 -05:00
stepyu
6ac518e0df fix comments 2018-10-16 10:55:54 +08:00
Di Xu
5e96f7cae9 enable to specify unconfined AppArmor profile 2017-09-28 10:06:36 +08:00
Pengfei Ni
9dd589c035 Use constants instead of magic string for runtime names 2017-08-26 22:44:27 +08:00
Pengfei Ni
15b9871d50 Allow remote runtimes to pass apparmor host validation 2017-08-24 09:18:46 +08:00
xiangpengzhao
01daf707c5 Refactor: pkg/util into sub-pkgs 2017-07-18 14:34:08 +08:00
Chao Xu
60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu
f4989a45a5 run root-rewrite-v1-..., compile 2017-06-22 10:25:57 -07:00
Dr. Stefan Schimanski
a6b2ebb50c pkg/flag: make feature gate extensible and split between generic and kube 2017-01-24 20:56:03 +01:00
Dr. Stefan Schimanski
56d60cfae6 pkg/util: move flags from pkg/util/config to pkg/util/flags 2017-01-24 20:56:03 +01:00
Chao Xu
4f3d0e3bde more dependencies packages:
pkg/metrics
pkg/credentialprovider
pkg/security
pkg/securitycontext
pkg/serviceaccount
pkg/storage
pkg/fieldpath
2016-11-23 15:53:09 -08:00
Tim St. Clair
3808243b9e Append "AppArmor enabled" to the Node ready condition message 2016-08-31 09:27:47 -07:00
Tim St. Clair
9bde6f0770 Add AppArmor feature gate 2016-08-25 17:40:18 -07:00
Tim St. Clair
f94df59791 Remove apparmor dependency on pkg/kubelet/lifecycle 2016-08-21 20:59:11 -07:00
Tim St. Clair
db6629228f Add AppArmor E2E test 2016-08-15 13:25:22 -07:00
Tim St. Clair
3c7896719b Implement AppArmor Kubelet support 2016-08-15 13:25:17 -07:00
Tim St. Clair
bdc306bbfe Add AppArmor validation logic
The validation checks the prerequisites described in the [AppArmor
proposal](https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/apparmor.md#prerequisites)
2016-08-11 10:31:25 -07:00