scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-10-30 17:58:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rename AppArmor annotation constants with Deprecated

Browse Source
This commit is contained in:
Tim Allclair
2024-03-04 10:06:42 -08:00
parent ec325b328d
commit 0eb5f52d06
16 changed files with 123 additions and 123 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/api/pod/util.go
View File

@@ -541,7 +541,7 @@ func dropDisabledFields(
if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorInUse(oldPodAnnotations, oldPodSpec) {
for k := range podAnnotations {
if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
delete(podAnnotations, k)
}
}
@@ -954,7 +954,7 @@ func appArmorInUse(podAnnotations map[string]string, podSpec *api.PodSpec) bool
}
for k := range podAnnotations {
if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
return true
}
}

2
pkg/api/pod/util_test.go
View File

@@ -714,7 +714,7 @@ func TestDropAppArmor(t *testing.T) {
description: "with AppArmor Annotations",
hasAppArmor: true,
pod: api.Pod{
ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.AppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
Spec: api.PodSpec{},
},
}, {

16
pkg/apis/core/annotation_key_constants.go
View File

@@ -52,18 +52,18 @@ const (
// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
DeprecatedSeccompProfileDockerDefault string = "docker/default"
// AppArmorContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
// DeprecatedAppArmorAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
// Deprecated: use a pod or container security context `appArmorProfile` field instead.
AppArmorContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
DeprecatedAppArmorAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// AppArmorProfileRuntimeDefault is the profile specifying the runtime default.
AppArmorProfileRuntimeDefault = "runtime/default"
// DeprecatedAppArmorAnnotationValueRuntimeDefault is the profile specifying the runtime default.
DeprecatedAppArmorAnnotationValueRuntimeDefault = "runtime/default"
// AppArmorProfileLocalhostPrefix is the prefix for specifying profiles loaded on the node.
AppArmorProfileLocalhostPrefix = "localhost/"
// DeprecatedAppArmorAnnotationValueLocalhostPrefix is the prefix for specifying profiles loaded on the node.
DeprecatedAppArmorAnnotationValueLocalhostPrefix = "localhost/"
// AppArmorProfileNameUnconfined is the Unconfined AppArmor profile
AppArmorProfileNameUnconfined = "unconfined"
// DeprecatedAppArmorAnnotationValueUnconfined is the Unconfined AppArmor profile
DeprecatedAppArmorAnnotationValueUnconfined = "unconfined"
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// in the Annotations of a Node.

22
pkg/apis/core/validation/validation.go
View File

@@ -204,7 +204,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
if newVal, exists := newAnnotations[k]; exists && newVal == oldVal {
continue // No change.
}
if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not remove or update AppArmor annotations"))
}
if k == core.MirrorPodAnnotationKey {
@@ -216,7 +216,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
if _, ok := oldAnnotations[k]; ok {
continue // No change.
}
if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not add AppArmor annotations"))
}
if k == core.MirrorPodAnnotationKey {
@@ -4703,10 +4703,10 @@ func validateAppArmorProfileField(profile *core.AppArmorProfile, fldPath *field.
func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.PodSpec, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
for k, p := range annotations {
if !strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
if !strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
continue
}
containerName := strings.TrimPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix)
containerName := strings.TrimPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix)
if !podSpecHasContainer(spec, containerName) {
allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found"))
}
@@ -4720,10 +4720,10 @@ func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.Po
}
func ValidateAppArmorProfileFormat(profile string) error {
if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
if profile == "" || profile == v1.DeprecatedAppArmorBetaProfileRuntimeDefault || profile == v1.DeprecatedAppArmorBetaProfileNameUnconfined {
return nil
}
if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
if !strings.HasPrefix(profile, v1.DeprecatedAppArmorBetaProfileNamePrefix) {
return fmt.Errorf("invalid AppArmor profile name: %q", profile)
}
return nil
@@ -4752,25 +4752,25 @@ func validateAppArmorAnnotationsAndFieldsMatchOnCreate(objectMeta metav1.ObjectM
return true
}
key := core.AppArmorContainerAnnotationKeyPrefix + c.Name
key := core.DeprecatedAppArmorAnnotationKeyPrefix + c.Name
if annotation, found := objectMeta.Annotations[key]; found {
apparmorPath := cFldPath.Child("securityContext").Child("appArmorProfile")
switch containerProfile.Type {
case core.AppArmorProfileTypeUnconfined:
if annotation != core.AppArmorProfileNameUnconfined {
if annotation != core.DeprecatedAppArmorAnnotationValueUnconfined {
allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
}
case core.AppArmorProfileTypeRuntimeDefault:
if annotation != core.AppArmorProfileRuntimeDefault {
if annotation != core.DeprecatedAppArmorAnnotationValueRuntimeDefault {
allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
}
case core.AppArmorProfileTypeLocalhost:
if !strings.HasPrefix(annotation, core.AppArmorProfileLocalhostPrefix) {
if !strings.HasPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.AppArmorProfileLocalhostPrefix) != *containerProfile.LocalhostProfile {
} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) != *containerProfile.LocalhostProfile {
allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("localhostProfile"), "apparmor profile in annotation and field must match"))
}
}

10
pkg/apis/core/validation/validation_test.go
View File

@@ -10430,7 +10430,7 @@ func TestValidatePod(t *testing.T) {
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
},
},
Spec: core.PodSpec{
@@ -10451,7 +10451,7 @@ func TestValidatePod(t *testing.T) {
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
},
},
Spec: core.PodSpec{
@@ -12166,7 +12166,7 @@ func TestValidatePod(t *testing.T) {
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: core.PodSpec{
@@ -12189,7 +12189,7 @@ func TestValidatePod(t *testing.T) {
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: core.PodSpec{
@@ -12211,7 +12211,7 @@ func TestValidatePod(t *testing.T) {
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
},
},
Spec: core.PodSpec{

16
pkg/registry/core/pod/strategy.go
View File

@@ -777,7 +777,7 @@ func applyAppArmorVersionSkew(pod *api.Pod) {
podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(),
func(ctr *api.Container, _ podutil.ContainerType) bool {
// get possible annotation and field
key := api.AppArmorContainerAnnotationKeyPrefix + ctr.Name
key := api.DeprecatedAppArmorAnnotationKeyPrefix + ctr.Name
annotation, hasAnnotation := pod.Annotations[key]
var containerProfile *api.AppArmorProfile
@@ -824,14 +824,14 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
// trails the API version
switch field.Type {
case api.AppArmorProfileTypeUnconfined:
return api.AppArmorProfileNameUnconfined
return api.DeprecatedAppArmorAnnotationValueUnconfined
case api.AppArmorProfileTypeRuntimeDefault:
return api.AppArmorProfileRuntimeDefault
return api.DeprecatedAppArmorAnnotationValueRuntimeDefault
case api.AppArmorProfileTypeLocalhost:
if field.LocalhostProfile != nil {
return api.AppArmorProfileLocalhostPrefix + *field.LocalhostProfile
return api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + *field.LocalhostProfile
}
}
@@ -844,16 +844,16 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
// apparmorFieldForAnnotation takes a pod annotation and returns the converted
// apparmor profile field.
func apparmorFieldForAnnotation(annotation string) *api.AppArmorProfile {
if annotation == api.AppArmorProfileNameUnconfined {
if annotation == api.DeprecatedAppArmorAnnotationValueUnconfined {
return &api.AppArmorProfile{Type: api.AppArmorProfileTypeUnconfined}
}
if annotation == api.AppArmorProfileRuntimeDefault {
if annotation == api.DeprecatedAppArmorAnnotationValueRuntimeDefault {
return &api.AppArmorProfile{Type: api.AppArmorProfileTypeRuntimeDefault}
}
if strings.HasPrefix(annotation, api.AppArmorProfileLocalhostPrefix) {
localhostProfile := strings.TrimPrefix(annotation, api.AppArmorProfileLocalhostPrefix)
if strings.HasPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
localhostProfile := strings.TrimPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix)
if localhostProfile != "" {
return &api.AppArmorProfile{
Type: api.AppArmorProfileTypeLocalhost,

78
pkg/registry/core/pod/strategy_test.go
View File

@@ -2155,8 +2155,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
}, pod.Annotations)
},
}, {
@@ -2174,8 +2174,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileRuntimeDefault,
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
},
}, {
@@ -2194,8 +2194,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
}, pod.Annotations)
},
}, {
@@ -2243,7 +2243,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Nil(t, pod.Spec.SecurityContext)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2265,7 +2265,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
}, pod.Annotations)
assert.Nil(t, pod.Spec.SecurityContext)
assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2291,7 +2291,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2330,9 +2330,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Nil(t, pod.Spec.SecurityContext)
assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
@@ -2345,7 +2345,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
},
},
Spec: api.PodSpec{
@@ -2354,7 +2354,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2365,7 +2365,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
},
},
Spec: api.PodSpec{
@@ -2374,7 +2374,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
}, pod.Annotations)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
assert.Nil(t, pod.Spec.SecurityContext)
@@ -2384,7 +2384,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: api.PodSpec{
@@ -2401,7 +2401,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2412,9 +2412,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileLocalhostPrefix + testProfile,
api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: api.PodSpec{
@@ -2433,10 +2433,10 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileLocalhostPrefix + testProfile,
api.AppArmorContainerAnnotationKeyPrefix + "b": api.AppArmorProfileRuntimeDefault,
api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "b": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2450,7 +2450,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
},
},
Spec: api.PodSpec{
@@ -2466,7 +2466,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2477,7 +2477,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: api.PodSpec{
@@ -2493,7 +2493,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
// Annotation shouldn't be synced to container security context
@@ -2504,7 +2504,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
},
},
Spec: api.PodSpec{
@@ -2520,7 +2520,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2530,7 +2530,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
},
},
Spec: api.PodSpec{
@@ -2555,9 +2555,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "unconf-field": api.AppArmorProfileNameUnconfined,
api.AppArmorContainerAnnotationKeyPrefix + "default-pod": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-field": api.DeprecatedAppArmorAnnotationValueUnconfined,
api.DeprecatedAppArmorAnnotationKeyPrefix + "default-pod": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2569,7 +2569,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
},
},
Spec: api.PodSpec{
@@ -2578,7 +2578,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
}, pod.Annotations)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
assert.Nil(t, pod.Spec.SecurityContext)
@@ -2604,7 +2604,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
pod: &api.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
},
},
Spec: api.PodSpec{
@@ -2614,7 +2614,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
},
validation: func(t *testing.T, pod *api.Pod) {
assert.Equal(t, map[string]string{
api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
}, pod.Annotations)
assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
},

14
pkg/security/apparmor/helpers.go
View File

@@ -43,8 +43,8 @@ func isRequired(pod *v1.Pod) bool {
}
for key, value := range pod.Annotations {
if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
return value != v1.AppArmorBetaProfileNameUnconfined
if strings.HasPrefix(key, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
return value != v1.DeprecatedAppArmorBetaProfileNameUnconfined
}
}
return false
@@ -72,21 +72,21 @@ func GetProfile(pod *v1.Pod, container *v1.Container) *v1.AppArmorProfile {
// getProfileFromPodAnnotations gets the AppArmor profile to use with container from
// (deprecated) pod annotations.
func getProfileFromPodAnnotations(annotations map[string]string, containerName string) *v1.AppArmorProfile {
val, ok := annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName]
val, ok := annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName]
if !ok {
return nil
}
switch {
case val == v1.AppArmorBetaProfileRuntimeDefault:
case val == v1.DeprecatedAppArmorBetaProfileRuntimeDefault:
return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeRuntimeDefault}
case val == v1.AppArmorBetaProfileNameUnconfined:
case val == v1.DeprecatedAppArmorBetaProfileNameUnconfined:
return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}
case strings.HasPrefix(val, v1.AppArmorBetaProfileNamePrefix):
case strings.HasPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix):
// Note: an invalid empty localhost profile will be rejected by kubelet admission.
profileName := strings.TrimPrefix(val, v1.AppArmorBetaProfileNamePrefix)
profileName := strings.TrimPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix)
return &v1.AppArmorProfile{
Type: v1.AppArmorProfileTypeLocalhost,
LocalhostProfile: &profileName,

12
pkg/security/apparmor/helpers_test.go
View File

@@ -52,7 +52,7 @@ func TestGetProfile(t *testing.T) {
expectedProfile: unconfined,
}, {
name: "annotation profile",
annotationProfile: v1.AppArmorBetaProfileNamePrefix + "test",
annotationProfile: v1.DeprecatedAppArmorBetaProfileNamePrefix + "test",
expectedProfile: localhost,
}, {
name: "invalid annotation",
@@ -65,7 +65,7 @@ func TestGetProfile(t *testing.T) {
expectedProfile: runtimeDefault,
}, {
name: "container field before annotation",
annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
containerProfile: runtimeDefault,
expectedProfile: runtimeDefault,
}, {
@@ -75,12 +75,12 @@ func TestGetProfile(t *testing.T) {
expectedProfile: runtimeDefault,
}, {
name: "annotation before pod field",
annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
podProfile: runtimeDefault,
expectedProfile: unconfined,
}, {
name: "all profiles",
annotationProfile: v1.AppArmorBetaProfileRuntimeDefault,
annotationProfile: v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
containerProfile: localhost,
podProfile: unconfined,
expectedProfile: localhost,
@@ -101,7 +101,7 @@ func TestGetProfile(t *testing.T) {
Name: "bar",
Annotations: map[string]string{
"unrelated": "baz",
v1.AppArmorBetaContainerAnnotationKeyPrefix + "other": v1.AppArmorBetaProfileRuntimeDefault,
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "other": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
},
},
Spec: v1.PodSpec{
@@ -109,7 +109,7 @@ func TestGetProfile(t *testing.T) {
},
}
if test.annotationProfile != "" {
pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
pod.Annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
}
if test.podProfile != nil {
pod.Spec.SecurityContext = &v1.PodSecurityContext{

24
pkg/security/apparmor/validate_test.go
View File

@@ -38,8 +38,8 @@ func TestValidateBadHost(t *testing.T) {
expectValid bool
}{
{"", true},
{v1.AppArmorBetaProfileRuntimeDefault, false},
{v1.AppArmorBetaProfileNamePrefix + "docker-default", false},
{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, false},
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", false},
}
for _, test := range tests {
@@ -60,12 +60,12 @@ func TestValidateValidHost(t *testing.T) {
expectValid bool
}{
{"", true},
{v1.AppArmorBetaProfileRuntimeDefault, true},
{v1.AppArmorBetaProfileNamePrefix + "docker-default", true},
{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
{v1.AppArmorBetaProfileNamePrefix + " ", false},
{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, true},
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", true},
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container", true},
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
{v1.DeprecatedAppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
{v1.DeprecatedAppArmorBetaProfileNamePrefix + " ", false},
}
for _, test := range tests {
@@ -81,9 +81,9 @@ func TestValidateValidHost(t *testing.T) {
pod := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
v1.AppArmorBetaContainerAnnotationKeyPrefix + "init": v1.AppArmorBetaProfileNamePrefix + "foo-container",
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.AppArmorBetaProfileRuntimeDefault,
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.AppArmorBetaProfileNamePrefix + "docker-default",
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "init": v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container",
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default",
},
},
Spec: v1.PodSpec{
@@ -102,7 +102,7 @@ func TestValidateValidHost(t *testing.T) {
func getPodWithProfile(profile string) *v1.Pod {
annotations := map[string]string{
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
}
if profile == "" {
annotations = map[string]string{

16
staging/src/k8s.io/api/core/v1/annotation_key_constants.go
View File

@@ -54,18 +54,18 @@ const (
// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
SeccompLocalhostProfileNamePrefix = "localhost/"
// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
// DeprecatedAppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
// Deprecated: use a pod or container security context `appArmorProfile` field instead.
AppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
DeprecatedAppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
AppArmorBetaProfileRuntimeDefault = "runtime/default"
// DeprecatedAppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
DeprecatedAppArmorBetaProfileRuntimeDefault = "runtime/default"
// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
AppArmorBetaProfileNamePrefix = "localhost/"
// DeprecatedAppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
DeprecatedAppArmorBetaProfileNamePrefix = "localhost/"
// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
AppArmorBetaProfileNameUnconfined = "unconfined"
// DeprecatedAppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
DeprecatedAppArmorBetaProfileNameUnconfined = "unconfined"
// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.

6
staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go
View File

@@ -66,8 +66,8 @@ func CheckAppArmorProfile() Check {
func allowedAnnotationValue(profile string) bool {
return len(profile) == 0 ||
profile == corev1.AppArmorBetaProfileRuntimeDefault ||
strings.HasPrefix(profile, corev1.AppArmorBetaProfileNamePrefix)
profile == corev1.DeprecatedAppArmorBetaProfileRuntimeDefault ||
strings.HasPrefix(profile, corev1.DeprecatedAppArmorBetaProfileNamePrefix)
}
func allowedProfileType(profile corev1.AppArmorProfileType) bool {
@@ -114,7 +114,7 @@ func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec
var forbiddenAnnotations []string
for k, v := range podMetadata.Annotations {
if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
if strings.HasPrefix(k, corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
forbiddenAnnotations = append(forbiddenAnnotations, fmt.Sprintf("%s=%q", k, v))
}
}

4
staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go
View File

@@ -33,7 +33,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
{
name: "container with default AppArmor + extra annotations",
metaData: &metav1.ObjectMeta{Annotations: map[string]string{
corev1.AppArmorBetaProfileNamePrefix + "test": "runtime/default",
corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "runtime/default",
"env": "prod",
}},
podSpec: &corev1.PodSpec{},
@@ -41,7 +41,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
{
name: "container with local AppArmor + extra annotations",
metaData: &metav1.ObjectMeta{Annotations: map[string]string{
corev1.AppArmorBetaProfileNamePrefix + "test": "localhost/sec-profile01",
corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "localhost/sec-profile01",
"env": "dev",
}},
podSpec: &corev1.PodSpec{},

8
staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
View File

@@ -32,10 +32,10 @@ func init() {
// container with localhost/foo annotation
tweak(pod, func(copy *corev1.Pod) {
containerName := copy.Spec.Containers[0].Name
copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
initContainerName := copy.Spec.Containers[0].Name
copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
}),
}
},
@@ -45,13 +45,13 @@ func init() {
// container with unconfined annotation
tweak(pod, func(copy *corev1.Pod) {
name := copy.Spec.Containers[0].Name
copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
}),
// initContainer with unconfined annotation
tweak(pod, func(copy *corev1.Pod) {
name := copy.Spec.InitContainers[0].Name
copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
}),
}
},

4
test/e2e/node/apparmor.go
View File

@@ -66,9 +66,9 @@ var _ = SIGDescribe("AppArmor", func() {
pod := e2esecurity.AppArmorTestPod(f.Namespace.Name, false, true)
// Move AppArmor profile to the annotations.
profile := pod.Spec.SecurityContext.AppArmorProfile
key := v1.AppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
key := v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
pod.Annotations = map[string]string{
key: v1.AppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
key: v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
}
pod.Spec.SecurityContext = nil

10
test/e2e_node/apparmor_test.go
View File

@@ -60,11 +60,11 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
ginkgo.It("should reject an unloaded profile", func(ctx context.Context) {
status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile")
status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileNamePrefix+"non-existent-profile")
gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
})
ginkgo.It("should enforce a profile blocking writes", func(ctx context.Context) {
status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
if len(status.ContainerStatuses) == 0 {
framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
return
@@ -75,7 +75,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
})
ginkgo.It("should enforce a permissive profile", func(ctx context.Context) {
status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
if len(status.ContainerStatuses) == 0 {
framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
return
@@ -91,7 +91,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
ginkgo.It("should reject a pod with an AppArmor profile", func(ctx context.Context) {
status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileRuntimeDefault)
status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault)
expectSoftRejection(status)
})
})
@@ -214,7 +214,7 @@ func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)),
Annotations: map[string]string{
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
},
},
Spec: v1.PodSpec{