mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-07 20:21:20 +00:00
move apparmor annotation constants to k8s.io/api/core/v1
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
This commit is contained in:
Andrew Sy Kim
@@ -22,29 +22,11 @@ import (
|
||||
"k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
// TODO: Move these values into the API package.
|
||||
const (
|
||||
// The prefix to an annotation key specifying a container profile.
|
||||
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
|
||||
// The annotation key specifying the default AppArmor profile.
|
||||
DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
|
||||
// The annotation key specifying the allowed AppArmor profiles.
|
||||
AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
|
||||
|
||||
// The profile specifying the runtime default.
|
||||
ProfileRuntimeDefault = "runtime/default"
|
||||
// The prefix for specifying profiles loaded on the node.
|
||||
ProfileNamePrefix = "localhost/"
|
||||
|
||||
// Unconfined profile
|
||||
ProfileNameUnconfined = "unconfined"
|
||||
)
|
||||
|
||||
// Checks whether app armor is required for pod to be run.
|
||||
func isRequired(pod *v1.Pod) bool {
|
||||
for key, value := range pod.Annotations {
|
||||
if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) {
|
||||
return value != ProfileNameUnconfined
|
||||
if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
|
||||
return value != v1.AppArmorBetaProfileNameUnconfined
|
||||
}
|
||||
}
|
||||
return false
|
||||
@@ -58,7 +40,7 @@ func GetProfileName(pod *v1.Pod, containerName string) string {
|
||||
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||
// pod annotations
|
||||
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||
return annotations[ContainerAnnotationKeyPrefix+containerName]
|
||||
return annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName]
|
||||
}
|
||||
|
||||
// SetProfileName sets the name of the profile to use with the container.
|
||||
@@ -66,7 +48,7 @@ func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
|
||||
if pod.Annotations == nil {
|
||||
pod.Annotations = map[string]string{}
|
||||
}
|
||||
pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
|
||||
pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -75,6 +57,6 @@ func SetProfileNameFromPodAnnotations(annotations map[string]string, containerNa
|
||||
if annotations == nil {
|
||||
return nil
|
||||
}
|
||||
annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
|
||||
annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -125,8 +125,8 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if strings.HasPrefix(profile, ProfileNamePrefix) {
|
||||
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
|
||||
if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
|
||||
profileName := strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)
|
||||
if !loadedProfiles[profileName] {
|
||||
return fmt.Errorf("profile %q is not loaded", profileName)
|
||||
}
|
||||
@@ -137,10 +137,10 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
|
||||
|
||||
// ValidateProfileFormat checks the format of the profile.
|
||||
func ValidateProfileFormat(profile string) error {
|
||||
if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
|
||||
if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
|
||||
return nil
|
||||
}
|
||||
if !strings.HasPrefix(profile, ProfileNamePrefix) {
|
||||
if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
|
||||
return fmt.Errorf("invalid AppArmor profile name: %q", profile)
|
||||
}
|
||||
return nil
|
||||
|
||||
@@ -62,13 +62,13 @@ func TestValidateProfile(t *testing.T) {
|
||||
expectValid bool
|
||||
}{
|
||||
{"", true},
|
||||
{ProfileRuntimeDefault, true},
|
||||
{ProfileNameUnconfined, true},
|
||||
{v1.AppArmorBetaProfileRuntimeDefault, true},
|
||||
{v1.AppArmorBetaProfileNameUnconfined, true},
|
||||
{"baz", false}, // Missing local prefix.
|
||||
{ProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{ProfileNamePrefix + "foo-bar", true},
|
||||
{ProfileNamePrefix + "unloaded", false}, // Not loaded.
|
||||
{ProfileNamePrefix + "", false},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "foo-bar", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "unloaded", false}, // Not loaded.
|
||||
{v1.AppArmorBetaProfileNamePrefix + "", false},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
@@ -92,8 +92,8 @@ func TestValidateBadHost(t *testing.T) {
|
||||
expectValid bool
|
||||
}{
|
||||
{"", true},
|
||||
{ProfileRuntimeDefault, false},
|
||||
{ProfileNamePrefix + "docker-default", false},
|
||||
{v1.AppArmorBetaProfileRuntimeDefault, false},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "docker-default", false},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
@@ -116,13 +116,13 @@ func TestValidateValidHost(t *testing.T) {
|
||||
expectValid bool
|
||||
}{
|
||||
{"", true},
|
||||
{ProfileRuntimeDefault, true},
|
||||
{ProfileNamePrefix + "docker-default", true},
|
||||
{ProfileNamePrefix + "foo-container", true},
|
||||
{ProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{v1.AppArmorBetaProfileRuntimeDefault, true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "docker-default", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{"docker-default", false},
|
||||
{ProfileNamePrefix + "foo", false},
|
||||
{ProfileNamePrefix + "", false},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "foo", false},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "", false},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
@@ -138,9 +138,9 @@ func TestValidateValidHost(t *testing.T) {
|
||||
pod := &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Annotations: map[string]string{
|
||||
ContainerAnnotationKeyPrefix + "init": ProfileNamePrefix + "foo-container",
|
||||
ContainerAnnotationKeyPrefix + "test1": ProfileRuntimeDefault,
|
||||
ContainerAnnotationKeyPrefix + "test2": ProfileNamePrefix + "docker-default",
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "init": v1.AppArmorBetaProfileNamePrefix + "foo-container",
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.AppArmorBetaProfileRuntimeDefault,
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.AppArmorBetaProfileNamePrefix + "docker-default",
|
||||
},
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
@@ -176,7 +176,7 @@ func TestParseProfileName(t *testing.T) {
|
||||
|
||||
func getPodWithProfile(profile string) *v1.Pod {
|
||||
annotations := map[string]string{
|
||||
ContainerAnnotationKeyPrefix + "test": profile,
|
||||
v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
|
||||
}
|
||||
if profile == "" {
|
||||
annotations = map[string]string{
|
||||
|
||||
Reference in New Issue
Block a user