Keep providing the deprecated AppArmor CRI API for runtimes that haven't migrated

2025-08-06 10:43:56 +00:00 · 2024-03-07 15:00:07 -08:00 · 2024-03-07 15:00:07 -08:00 · 04ac13b6b7
commit 04ac13b6b7
parent cc6d9b3037
3 changed files with 32 additions and 17 deletions
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@ -288,34 +288,44 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
 	}, nil
 }

-func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, error) {
+func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, string, error) {
 	profile := apparmor.GetProfile(pod, container)
 	if profile == nil {
-		return nil, nil
+		return nil, "", nil
 	}

+	var (
+		securityProfile   *runtimeapi.SecurityProfile
+		deprecatedProfile string // Deprecated apparmor profile format, still provided for backwards compatibility with older runtimes.
+	)
+
 	switch profile.Type {
 	case v1.AppArmorProfileTypeRuntimeDefault:
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileRuntimeDefault

 	case v1.AppArmorProfileTypeUnconfined:
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_Unconfined,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNameUnconfined

 	case v1.AppArmorProfileTypeLocalhost:
 		if profile.LocalhostProfile == nil {
-			return nil, errors.New("missing localhost apparmor profile name")
+			return nil, "", errors.New("missing localhost apparmor profile name")
 		}
-		return &runtimeapi.SecurityProfile{
+		securityProfile = &runtimeapi.SecurityProfile{
 			ProfileType:  runtimeapi.SecurityProfile_Localhost,
 			LocalhostRef: *profile.LocalhostProfile,
-		}, nil
+		}
+		deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile

 	default:
 		// Shouldn't happen.
-		return nil, fmt.Errorf("unknown apparmor profile type: %q", profile.Type)
+		return nil, "", fmt.Errorf("unknown apparmor profile type: %q", profile.Type)
 	}
+
+	return securityProfile, deprecatedProfile, nil
 }
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@ -367,10 +367,11 @@ func TestToKubeContainerState(t *testing.T) {

 func TestGetAppArmorProfile(t *testing.T) {
 	tests := []struct {
-		name            string
-		podProfile      *v1.AppArmorProfile
-		expectedProfile *runtimeapi.SecurityProfile
-		expectError     bool
+		name               string
+		podProfile         *v1.AppArmorProfile
+		expectedProfile    *runtimeapi.SecurityProfile
+		expectedOldProfile string
+		expectError        bool
 	}{{
 		name:            "no appArmor",
 		expectedProfile: nil,
@ -380,12 +381,14 @@ func TestGetAppArmorProfile(t *testing.T) {
 		expectedProfile: &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
 		},
+		expectedOldProfile: "runtime/default",
 	}, {
 		name:       "unconfined",
 		podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined},
 		expectedProfile: &runtimeapi.SecurityProfile{
 			ProfileType: runtimeapi.SecurityProfile_Unconfined,
 		},
+		expectedOldProfile: "unconfined",
 	}, {
 		name: "localhost",
 		podProfile: &v1.AppArmorProfile{
@ -396,6 +399,7 @@ func TestGetAppArmorProfile(t *testing.T) {
 			ProfileType:  runtimeapi.SecurityProfile_Localhost,
 			LocalhostRef: "test",
 		},
+		expectedOldProfile: "localhost/test",
 	}, {
 		name: "invalid localhost",
 		podProfile: &v1.AppArmorProfile{
@ -424,7 +428,7 @@ func TestGetAppArmorProfile(t *testing.T) {
 				},
 			}

-			actual, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0])
+			actual, actualOld, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0])

 			if test.expectError {
 				assert.Error(t, err)
@ -432,7 +436,8 @@ func TestGetAppArmorProfile(t *testing.T) {
 				assert.NoError(t, err)
 			}

-			assert.Equal(t, test.expectedProfile, actual)
+			assert.Equal(t, test.expectedProfile, actual, "AppArmor profile")
+			assert.Equal(t, test.expectedOldProfile, actualOld, "old (deprecated) profile string")
 		})
 	}
 }
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@ -41,7 +41,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	}

 	// set ApparmorProfile.
-	synthesized.Apparmor, err = getAppArmorProfile(pod, container)
+	synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
 	if err != nil {
 		return nil, err
 	}