diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go
index dc7d96ddb17..82853271bb4 100644
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -541,7 +541,7 @@ func dropDisabledFields(
 if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorInUse(oldPodAnnotations, oldPodSpec) {
 for k := range podAnnotations {
-if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
+if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
 delete(podAnnotations, k)
 }
 }
@@ -954,7 +954,7 @@ func appArmorInUse(podAnnotations map[string]string, podSpec *api.PodSpec) bool
 }
 for k := range podAnnotations {
-if strings.HasPrefix(k, api.AppArmorContainerAnnotationKeyPrefix) {
+if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
 return true
 }
 }
diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go
index 81604556526..8a3139adf15 100644
--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@@ -714,7 +714,7 @@ func TestDropAppArmor(t *testing.T) {
 description: "with AppArmor Annotations",
 hasAppArmor: true,
 pod: api.Pod{
-ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.AppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
+ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
 Spec: api.PodSpec{},
 },
 }, {
diff --git a/pkg/apis/core/annotation_key_constants.go b/pkg/apis/core/annotation_key_constants.go
index de7d73fa9d2..c97002e863a 100644
--- a/pkg/apis/core/annotation_key_constants.go
+++ b/pkg/apis/core/annotation_key_constants.go
@@ -52,18 +52,18 @@ const (
 // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 DeprecatedSeccompProfileDockerDefault string = "docker/default"
-// AppArmorContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+// DeprecatedAppArmorAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
 // Deprecated: use a pod or container security context `appArmorProfile` field instead.
-AppArmorContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+DeprecatedAppArmorAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
-// AppArmorProfileRuntimeDefault is the profile specifying the runtime default.
-AppArmorProfileRuntimeDefault = "runtime/default"
+// DeprecatedAppArmorAnnotationValueRuntimeDefault is the profile specifying the runtime default.
+DeprecatedAppArmorAnnotationValueRuntimeDefault = "runtime/default"
-// AppArmorProfileLocalhostPrefix is the prefix for specifying profiles loaded on the node.
-AppArmorProfileLocalhostPrefix = "localhost/"
+// DeprecatedAppArmorAnnotationValueLocalhostPrefix is the prefix for specifying profiles loaded on the node.
+DeprecatedAppArmorAnnotationValueLocalhostPrefix = "localhost/"
-// AppArmorProfileNameUnconfined is the Unconfined AppArmor profile
-AppArmorProfileNameUnconfined = "unconfined"
+// DeprecatedAppArmorAnnotationValueUnconfined is the Unconfined AppArmor profile
+DeprecatedAppArmorAnnotationValueUnconfined = "unconfined"
 // PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
 // in the Annotations of a Node.
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index 35d1eb7ddc6..003746c3185 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
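Review bot: In the pkg/apis/core/annotation_key_constants.go hunk, the three value constants (DeprecatedAppArmorAnnotationValueRuntimeDefault, DeprecatedAppArmorAnnotationValueLocalhostPrefix, DeprecatedAppArmorAnnotationValueUnconfined) now carry "Deprecated" in their names but their doc comments still lack the machine-readable `// Deprecated:` paragraph that the key-prefix constant already has, so godoc and staticcheck will not flag uses of them. Add the same line under each of the three comments: `// Deprecated: use a pod or container security context \`appArmorProfile\` field instead.` The identical gap exists for DeprecatedAppArmorBetaProfileRuntimeDefault, DeprecatedAppArmorBetaProfileNamePrefix and DeprecatedAppArmorBetaProfileNameUnconfined in the staging/src/k8s.io/api/core/v1/annotation_key_constants.go hunk, where it matters more because that package is the published API.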
@@ -204,7 +204,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
 if newVal, exists := newAnnotations[k]; exists && newVal == oldVal {
 continue // No change.
 }
-if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not remove or update AppArmor annotations"))
 }
 if k == core.MirrorPodAnnotationKey {
@@ -216,7 +216,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie
 if _, ok := oldAnnotations[k]; ok {
 continue // No change.
 }
-if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+if strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not add AppArmor annotations"))
 }
 if k == core.MirrorPodAnnotationKey {
@@ -4703,10 +4703,10 @@ func validateAppArmorProfileField(profile *core.AppArmorProfile, fldPath *field.
 func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.PodSpec, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
 for k, p := range annotations {
-if !strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+if !strings.HasPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
 continue
 }
-containerName := strings.TrimPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix)
+containerName := strings.TrimPrefix(k, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix)
 if !podSpecHasContainer(spec, containerName) {
 allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found"))
 }
@@ -4720,10 +4720,10 @@ func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.Po
 }
 func ValidateAppArmorProfileFormat(profile string) error {
-if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
+if profile == "" || profile == v1.DeprecatedAppArmorBetaProfileRuntimeDefault || profile == v1.DeprecatedAppArmorBetaProfileNameUnconfined {
 return nil
 }
-if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
+if !strings.HasPrefix(profile, v1.DeprecatedAppArmorBetaProfileNamePrefix) {
 return fmt.Errorf("invalid AppArmor profile name: %q", profile)
 }
 return nil
@@ -4752,25 +4752,25 @@ func validateAppArmorAnnotationsAndFieldsMatchOnCreate(objectMeta metav1.ObjectM
 return true
 }
-key := core.AppArmorContainerAnnotationKeyPrefix + c.Name
+key := core.DeprecatedAppArmorAnnotationKeyPrefix + c.Name
 if annotation, found := objectMeta.Annotations[key]; found {
 apparmorPath := cFldPath.Child("securityContext").Child("appArmorProfile")
 switch containerProfile.Type {
 case core.AppArmorProfileTypeUnconfined:
-if annotation != core.AppArmorProfileNameUnconfined {
+if annotation != core.DeprecatedAppArmorAnnotationValueUnconfined {
 allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
 }
 case core.AppArmorProfileTypeRuntimeDefault:
-if annotation != core.AppArmorProfileRuntimeDefault {
+if annotation != core.DeprecatedAppArmorAnnotationValueRuntimeDefault {
 allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
 }
 case core.AppArmorProfileTypeLocalhost:
-if !strings.HasPrefix(annotation, core.AppArmorProfileLocalhostPrefix) {
+if !strings.HasPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
 allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("type"), "apparmor type in annotation and field must match"))
-} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.AppArmorProfileLocalhostPrefix) != *containerProfile.LocalhostProfile {
+} else if containerProfile.LocalhostProfile == nil || strings.TrimPrefix(annotation, core.DeprecatedAppArmorAnnotationValueLocalhostPrefix) != *containerProfile.LocalhostProfile {
 allErrs = append(allErrs, field.Forbidden(apparmorPath.Child("localhostProfile"), "apparmor profile in annotation and field must match"))
 }
 }
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index 9e722e30aa4..e96dc5291e3 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -10430,7 +10430,7 @@ func TestValidatePod(t *testing.T) {
 Name: "123",
 Namespace: "ns",
 Annotations: map[string]string{
-core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 },
 },
 Spec: core.PodSpec{
@@ -10451,7 +10451,7 @@ func TestValidatePod(t *testing.T) {
 Name: "123",
 Namespace: "ns",
 Annotations: map[string]string{
-core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 },
 },
 Spec: core.PodSpec{
@@ -12166,7 +12166,7 @@ func TestValidatePod(t *testing.T) {
 Name: "123",
 Namespace: "ns",
 Annotations: map[string]string{
-core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
+core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: core.PodSpec{
@@ -12189,7 +12189,7 @@ func TestValidatePod(t *testing.T) {
 Name: "123",
 Namespace: "ns",
 Annotations: map[string]string{
-core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileRuntimeDefault,
+core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: core.PodSpec{
@@ -12211,7 +12211,7 @@ func TestValidatePod(t *testing.T) {
 Name: "123",
 Namespace: "ns",
 Annotations: map[string]string{
-core.AppArmorContainerAnnotationKeyPrefix + "ctr": core.AppArmorProfileLocalhostPrefix + "foo",
+core.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": core.DeprecatedAppArmorAnnotationValueLocalhostPrefix + "foo",
 },
 },
 Spec: core.PodSpec{
diff --git a/pkg/registry/core/pod/strategy.go b/pkg/registry/core/pod/strategy.go
index 346688387dc..76c572f9912 100644
--- a/pkg/registry/core/pod/strategy.go
+++ b/pkg/registry/core/pod/strategy.go
@@ -777,7 +777,7 @@ func applyAppArmorVersionSkew(pod *api.Pod) {
 podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), func(ctr *api.Container, _ podutil.ContainerType) bool {
 // get possible annotation and field
-key := api.AppArmorContainerAnnotationKeyPrefix + ctr.Name
+key := api.DeprecatedAppArmorAnnotationKeyPrefix + ctr.Name
 annotation, hasAnnotation := pod.Annotations[key]
 var containerProfile *api.AppArmorProfile
@@ -824,14 +824,14 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
 // trails the API version
 switch field.Type {
 case api.AppArmorProfileTypeUnconfined:
-return api.AppArmorProfileNameUnconfined
+return api.DeprecatedAppArmorAnnotationValueUnconfined
 case api.AppArmorProfileTypeRuntimeDefault:
-return api.AppArmorProfileRuntimeDefault
+return api.DeprecatedAppArmorAnnotationValueRuntimeDefault
 case api.AppArmorProfileTypeLocalhost:
 if field.LocalhostProfile != nil {
-return api.AppArmorProfileLocalhostPrefix + *field.LocalhostProfile
+return api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + *field.LocalhostProfile
 }
 }
@@ -844,16 +844,16 @@ func appArmorAnnotationForField(field *api.AppArmorProfile) string {
 // apparmorFieldForAnnotation takes a pod annotation and returns the converted
 // apparmor profile field.
 func apparmorFieldForAnnotation(annotation string) *api.AppArmorProfile {
-if annotation == api.AppArmorProfileNameUnconfined {
+if annotation == api.DeprecatedAppArmorAnnotationValueUnconfined {
 return &api.AppArmorProfile{Type: api.AppArmorProfileTypeUnconfined}
 }
-if annotation == api.AppArmorProfileRuntimeDefault {
+if annotation == api.DeprecatedAppArmorAnnotationValueRuntimeDefault {
 return &api.AppArmorProfile{Type: api.AppArmorProfileTypeRuntimeDefault}
 }
-if strings.HasPrefix(annotation, api.AppArmorProfileLocalhostPrefix) {
-localhostProfile := strings.TrimPrefix(annotation, api.AppArmorProfileLocalhostPrefix)
+if strings.HasPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {
+localhostProfile := strings.TrimPrefix(annotation, api.DeprecatedAppArmorAnnotationValueLocalhostPrefix)
 if localhostProfile != "" {
 return &api.AppArmorProfile{
 Type: api.AppArmorProfileTypeLocalhost,
diff --git a/pkg/registry/core/pod/strategy_test.go b/pkg/registry/core/pod/strategy_test.go
index e7ac79a201e..064955ddd08 100644
--- a/pkg/registry/core/pod/strategy_test.go
+++ b/pkg/registry/core/pod/strategy_test.go
@@ -2155,8 +2155,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 }, pod.Annotations)
 },
 }, {
@@ -2174,8 +2174,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileRuntimeDefault,
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 },
 }, {
@@ -2194,8 +2194,8 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 }, pod.Annotations)
 },
 }, {
@@ -2243,7 +2243,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.SecurityContext)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2265,7 +2265,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.SecurityContext)
 assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2291,7 +2291,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2330,9 +2330,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileLocalhostPrefix + testProfile,
-api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.SecurityContext)
 assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
@@ -2345,7 +2345,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 },
 },
 Spec: api.PodSpec{
@@ -2354,7 +2354,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2365,7 +2365,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
 },
 },
 Spec: api.PodSpec{
@@ -2374,7 +2374,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "foo-bar": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "foo-bar": api.DeprecatedAppArmorAnnotationValueUnconfined,
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 assert.Nil(t, pod.Spec.SecurityContext)
@@ -2384,7 +2384,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: api.PodSpec{
@@ -2401,7 +2401,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2412,9 +2412,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileLocalhostPrefix + testProfile,
-api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: api.PodSpec{
@@ -2433,10 +2433,10 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "init": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "a": api.AppArmorProfileLocalhostPrefix + testProfile,
-api.AppArmorContainerAnnotationKeyPrefix + "b": api.AppArmorProfileRuntimeDefault,
-api.AppArmorContainerAnnotationKeyPrefix + "c": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "init": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "a": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "b": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "c": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.InitContainers[0].SecurityContext.AppArmorProfile.Type)
 assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2450,7 +2450,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 },
 },
 Spec: api.PodSpec{
@@ -2466,7 +2466,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileLocalhostPrefix + testProfile,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueLocalhostPrefix + testProfile,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
@@ -2477,7 +2477,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: api.PodSpec{
@@ -2493,7 +2493,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 // Annotation shouldn't be synced to container security context
@@ -2504,7 +2504,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 },
 },
 Spec: api.PodSpec{
@@ -2520,7 +2520,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueUnconfined,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2530,7 +2530,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
 },
 },
 Spec: api.PodSpec{
@@ -2555,9 +2555,9 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "unconf-annot": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "unconf-field": api.AppArmorProfileNameUnconfined,
-api.AppArmorContainerAnnotationKeyPrefix + "default-pod": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-annot": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "unconf-field": api.DeprecatedAppArmorAnnotationValueUnconfined,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "default-pod": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Equal(t, api.AppArmorProfileTypeRuntimeDefault, pod.Spec.SecurityContext.AppArmorProfile.Type)
 assert.Equal(t, api.AppArmorProfileTypeUnconfined, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
@@ -2569,7 +2569,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
 },
 },
 Spec: api.PodSpec{
@@ -2578,7 +2578,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": "not-a-real-type",
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": "not-a-real-type",
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 assert.Nil(t, pod.Spec.SecurityContext)
@@ -2604,7 +2604,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 pod: &api.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 },
 },
 Spec: api.PodSpec{
@@ -2614,7 +2614,7 @@ func TestApplyAppArmorVersionSkew(t *testing.T) {
 },
 validation: func(t *testing.T, pod *api.Pod) {
 assert.Equal(t, map[string]string{
-api.AppArmorContainerAnnotationKeyPrefix + "ctr": api.AppArmorProfileRuntimeDefault,
+api.DeprecatedAppArmorAnnotationKeyPrefix + "ctr": api.DeprecatedAppArmorAnnotationValueRuntimeDefault,
 }, pod.Annotations)
 assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
 },
diff --git a/pkg/security/apparmor/helpers.go b/pkg/security/apparmor/helpers.go
index 148a70019ee..eeaa3955dd3 100644
--- a/pkg/security/apparmor/helpers.go
+++ b/pkg/security/apparmor/helpers.go
@@ -43,8 +43,8 @@ func isRequired(pod *v1.Pod) bool {
 }
 for key, value := range pod.Annotations {
-if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
-return value != v1.AppArmorBetaProfileNameUnconfined
+if strings.HasPrefix(key, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
+return value != v1.DeprecatedAppArmorBetaProfileNameUnconfined
 }
 }
 return false
@@ -72,21 +72,21 @@ func GetProfile(pod *v1.Pod, container *v1.Container) *v1.AppArmorProfile {
 // getProfileFromPodAnnotations gets the AppArmor profile to use with container from
 // (deprecated) pod annotations.
 func getProfileFromPodAnnotations(annotations map[string]string, containerName string) *v1.AppArmorProfile {
-val, ok := annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName]
+val, ok := annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName]
 if !ok {
 return nil
 }
 switch {
-case val == v1.AppArmorBetaProfileRuntimeDefault:
+case val == v1.DeprecatedAppArmorBetaProfileRuntimeDefault:
 return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeRuntimeDefault}
-case val == v1.AppArmorBetaProfileNameUnconfined:
+case val == v1.DeprecatedAppArmorBetaProfileNameUnconfined:
 return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}
-case strings.HasPrefix(val, v1.AppArmorBetaProfileNamePrefix):
+case strings.HasPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix):
 // Note: an invalid empty localhost profile will be rejected by kubelet admission.
-profileName := strings.TrimPrefix(val, v1.AppArmorBetaProfileNamePrefix)
+profileName := strings.TrimPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix)
 return &v1.AppArmorProfile{
 Type: v1.AppArmorProfileTypeLocalhost,
 LocalhostProfile: &profileName,
diff --git a/pkg/security/apparmor/helpers_test.go b/pkg/security/apparmor/helpers_test.go
index df9e4ff9b17..5c4ff98d08d 100644
--- a/pkg/security/apparmor/helpers_test.go
+++ b/pkg/security/apparmor/helpers_test.go
@@ -52,7 +52,7 @@ func TestGetProfile(t *testing.T) {
 expectedProfile: unconfined,
 }, {
 name: "annotation profile",
-annotationProfile: v1.AppArmorBetaProfileNamePrefix + "test",
+annotationProfile: v1.DeprecatedAppArmorBetaProfileNamePrefix + "test",
 expectedProfile: localhost,
 }, {
 name: "invalid annotation",
@@ -65,7 +65,7 @@ func TestGetProfile(t *testing.T) {
 expectedProfile: runtimeDefault,
 }, {
 name: "container field before annotation",
-annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
+annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
 containerProfile: runtimeDefault,
 expectedProfile: runtimeDefault,
 }, {
@@ -75,12 +75,12 @@ func TestGetProfile(t *testing.T) {
 expectedProfile: runtimeDefault,
 }, {
 name: "annotation before pod field",
-annotationProfile: v1.AppArmorBetaProfileNameUnconfined,
+annotationProfile: v1.DeprecatedAppArmorBetaProfileNameUnconfined,
 podProfile: runtimeDefault,
 expectedProfile: unconfined,
 }, {
 name: "all profiles",
-annotationProfile: v1.AppArmorBetaProfileRuntimeDefault,
+annotationProfile: v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
 containerProfile: localhost,
 podProfile: unconfined,
 expectedProfile: localhost,
@@ -101,7 +101,7 @@ func TestGetProfile(t *testing.T) {
 Name: "bar",
 Annotations: map[string]string{
 "unrelated": "baz",
-v1.AppArmorBetaContainerAnnotationKeyPrefix + "other": v1.AppArmorBetaProfileRuntimeDefault,
+v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "other": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
 },
 },
 Spec: v1.PodSpec{
@@ -109,7 +109,7 @@ func TestGetProfile(t *testing.T) {
 },
 }
 if test.annotationProfile != "" {
-pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
+pod.Annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+container.Name] = test.annotationProfile
 }
 if test.podProfile != nil {
 pod.Spec.SecurityContext = &v1.PodSecurityContext{
diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go
index 1dee7ff9071..58cf7d93fd8 100644
--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@@ -38,8 +38,8 @@ func TestValidateBadHost(t *testing.T) {
 expectValid bool
 }{
 {"", true},
-{v1.AppArmorBetaProfileRuntimeDefault, false},
-{v1.AppArmorBetaProfileNamePrefix + "docker-default", false},
+{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, false},
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", false},
 }
 for _, test := range tests {
@@ -60,12 +60,12 @@ func TestValidateValidHost(t *testing.T) {
 expectValid bool
 }{
 {"", true},
-{v1.AppArmorBetaProfileRuntimeDefault, true},
-{v1.AppArmorBetaProfileNamePrefix + "docker-default", true},
-{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
-{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
-{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
-{v1.AppArmorBetaProfileNamePrefix + " ", false},
+{v1.DeprecatedAppArmorBetaProfileRuntimeDefault, true},
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default", true},
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container", true},
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
+{v1.DeprecatedAppArmorBetaProfileNamePrefix + " ", false},
 }
 for _, test := range tests {
@@ -81,9 +81,9 @@ func TestValidateValidHost(t *testing.T) {
 pod := &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
- v1.AppArmorBetaContainerAnnotationKeyPrefix + "init": v1.AppArmorBetaProfileNamePrefix + "foo-container",
- v1.AppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.AppArmorBetaProfileRuntimeDefault,
- v1.AppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.AppArmorBetaProfileNamePrefix + "docker-default",
+ v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "init": v1.DeprecatedAppArmorBetaProfileNamePrefix + "foo-container",
+ v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.DeprecatedAppArmorBetaProfileRuntimeDefault,
+ v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.DeprecatedAppArmorBetaProfileNamePrefix + "docker-default",
 },
 },
 Spec: v1.PodSpec{
@@ -102,7 +102,7 @@ func TestValidateValidHost(t *testing.T) {
 func getPodWithProfile(profile string) *v1.Pod {
 annotations := map[string]string{
- v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
+ v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
 }
 if profile == "" {
 annotations = map[string]string{
diff --git a/staging/src/k8s.io/api/core/v1/annotation_key_constants.go b/staging/src/k8s.io/api/core/v1/annotation_key_constants.go
index 4c6969e9fbb..5cf6f329f13 100644
--- a/staging/src/k8s.io/api/core/v1/annotation_key_constants.go
+++ b/staging/src/k8s.io/api/core/v1/annotation_key_constants.go
@@ -54,18 +54,18 @@ const (
 // SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
 SeccompLocalhostProfileNamePrefix = "localhost/"
- // AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+ // DeprecatedAppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
 // Deprecated: use a pod or container security context `appArmorProfile` field instead.
- AppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+ DeprecatedAppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
- // AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
- AppArmorBetaProfileRuntimeDefault = "runtime/default"
+ // DeprecatedAppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+ DeprecatedAppArmorBetaProfileRuntimeDefault = "runtime/default"
- // AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
- AppArmorBetaProfileNamePrefix = "localhost/"
+ // DeprecatedAppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+ DeprecatedAppArmorBetaProfileNamePrefix = "localhost/"
- // AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
- AppArmorBetaProfileNameUnconfined = "unconfined"
+ // DeprecatedAppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+ DeprecatedAppArmorBetaProfileNameUnconfined = "unconfined"
 // DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
 // Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
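Review bot: The three renamed value constants in this hunk (`DeprecatedAppArmorBetaProfileRuntimeDefault`, `DeprecatedAppArmorBetaProfileNamePrefix`, `DeprecatedAppArmorBetaProfileNameUnconfined`) carry "Deprecated" in their names but their doc comments have no `// Deprecated:` paragraph, so staticcheck, gopls and pkg.go.dev will not surface their remaining uses the way they do for `DeprecatedAppArmorBetaContainerAnnotationKeyPrefix` just above, which does have one. Copy the key-prefix constant's `// Deprecated: …` line (pointing at the security context `appArmorProfile` field) under each of the three doc comments so the rename and the tooling signal agree. Since these are public API constants in the staging repo, the deprecation marker is the only thing that will steer downstream callers toward the field-based profile.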
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go b/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go
index c4342b81c57..12794031161 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go
@@ -66,8 +66,8 @@ func CheckAppArmorProfile() Check {
 func allowedAnnotationValue(profile string) bool {
 return len(profile) == 0 ||
- profile == corev1.AppArmorBetaProfileRuntimeDefault ||
- strings.HasPrefix(profile, corev1.AppArmorBetaProfileNamePrefix)
+ profile == corev1.DeprecatedAppArmorBetaProfileRuntimeDefault ||
+ strings.HasPrefix(profile, corev1.DeprecatedAppArmorBetaProfileNamePrefix)
 }
 func allowedProfileType(profile corev1.AppArmorProfileType) bool {
@@ -114,7 +114,7 @@ func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec
 var forbiddenAnnotations []string
 for k, v := range podMetadata.Annotations {
- if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
+ if strings.HasPrefix(k, corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
 forbiddenAnnotations = append(forbiddenAnnotations, fmt.Sprintf("%s=%q", k, v))
 }
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go
index 91295ef913f..e07b7cd584f 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go
@@ -33,7 +33,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
 {
 name: "container with default AppArmor + extra annotations",
 metaData: &metav1.ObjectMeta{Annotations: map[string]string{
- corev1.AppArmorBetaProfileNamePrefix + "test": "runtime/default",
+ corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "runtime/default",
 "env": "prod",
 }},
 podSpec: &corev1.PodSpec{},
@@ -41,7 +41,7 @@ func TestCheckAppArmor_Allowed(t *testing.T) {
 {
 name: "container with local AppArmor + extra annotations",
 metaData: &metav1.ObjectMeta{Annotations: map[string]string{
- corev1.AppArmorBetaProfileNamePrefix + "test": "localhost/sec-profile01",
+ corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": "localhost/sec-profile01",
 "env": "dev",
 }},
 podSpec: &corev1.PodSpec{},
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
index 9b2a8199fff..1c9559609a4 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
@@ -32,10 +32,10 @@ func init() {
 // container with localhost/foo annotation
 tweak(pod, func(copy *corev1.Pod) {
 containerName := copy.Spec.Containers[0].Name
- copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
+ copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName] = "runtime/default"
 initContainerName := copy.Spec.Containers[0].Name
- copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
+ copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+initContainerName] = "localhost/foo"
 }),
 }
 },
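Review bot: The two test cases in this hunk are more than a rename: the old key `corev1.AppArmorBetaProfileNamePrefix + "test"` evaluates to `localhost/test`, which never matches the `DeprecatedAppArmorBetaContainerAnnotationKeyPrefix` check in `appArmorProfile_1_0`, so both "Allowed" cases passed without `allowedAnnotationValue` ever being called. With the corrected key they now exercise the annotation path, which is the right fix, but it also means this part of the baseline policy had no effective coverage until now. It is worth confirming that a Forbidden counterpart uses the same container-annotation prefix with a non-allowed value (for example an arbitrary `localhost/`-less profile name), since otherwise the rejection branch that appends to `forbiddenAnnotations` is still untested; the rest of the table is outside this hunk, so I cannot tell from here. A one-line comment on the first case, `// key must use the container annotation prefix or the check never sees it`, would stop the next edit from reintroducing the mix-up between the key prefix and the value prefix.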
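Review bot: In the fixtures hunk, `initContainerName := copy.Spec.Containers[0].Name` reads the regular container's name, so the second assignment writes the same annotation key as the first and `"runtime/default"` is overwritten by `"localhost/foo"`, leaving the init container without any AppArmor annotation; the comment `// container with localhost/foo annotation` and the next hunk's init-container case, which reads `copy.Spec.InitContainers[0].Name`, suggest the intent was to annotate both. Change it to `initContainerName := copy.Spec.InitContainers[0].Name`. The commit only renames the constant here and does not address this; the enclosing `init` function starts before this hunk.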
@@ -45,13 +45,13 @@ func init() {
 // container with unconfined annotation
 tweak(pod, func(copy *corev1.Pod) {
 name := copy.Spec.Containers[0].Name
- copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
+ copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
 }),
 // initContainer with unconfined annotation
 tweak(pod, func(copy *corev1.Pod) {
 name := copy.Spec.InitContainers[0].Name
- copy.Annotations[corev1.AppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
+ copy.Annotations[corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+name] = "unconfined"
 }),
 }
 },
diff --git a/test/e2e/node/apparmor.go b/test/e2e/node/apparmor.go
index dc36c256596..d77cbe2177c 100644
--- a/test/e2e/node/apparmor.go
+++ b/test/e2e/node/apparmor.go
@@ -66,9 +66,9 @@ var _ = SIGDescribe("AppArmor", func() {
 pod := e2esecurity.AppArmorTestPod(f.Namespace.Name, false, true)
 // Move AppArmor profile to the annotations.
 profile := pod.Spec.SecurityContext.AppArmorProfile
- key := v1.AppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
+ key := v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + pod.Spec.Containers[0].Name
 pod.Annotations = map[string]string{
- key: v1.AppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
+ key: v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile,
 }
 pod.Spec.SecurityContext = nil
diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go
index 8340a35e5e3..8e790098537 100644
--- a/test/e2e_node/apparmor_test.go
+++ b/test/e2e_node/apparmor_test.go
@@ -60,11 +60,11 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 ginkgo.It("should reject an unloaded profile", func(ctx context.Context) {
- status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile")
+ status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileNamePrefix+"non-existent-profile")
 gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
 })
 ginkgo.It("should enforce a profile blocking writes", func(ctx context.Context) {
- status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
+ status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
 if len(status.ContainerStatuses) == 0 {
 framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 return
@@ -75,7 +75,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 })
 ginkgo.It("should enforce a permissive profile", func(ctx context.Context) {
- status := runAppArmorTest(ctx, f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
+ status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
 if len(status.ContainerStatuses) == 0 {
 framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 return
@@ -91,7 +91,7 @@ var _ = SIGDescribe("AppArmor", feature.AppArmor, nodefeature.AppArmor, func() {
 f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 ginkgo.It("should reject a pod with an AppArmor profile", func(ctx context.Context) {
- status := runAppArmorTest(ctx, f, false, v1.AppArmorBetaProfileRuntimeDefault)
+ status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault)
 expectSoftRejection(status)
 })
 })
@@ -214,7 +214,7 @@ func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)),
 Annotations: map[string]string{
- v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
+ v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
 },
 },
 Spec: v1.PodSpec{