From a5b7212453fb72bed77159710ce8c3c7cc8c030c Mon Sep 17 00:00:00 2001 From: "Tim St. Clair" Date: Thu, 25 Aug 2016 15:40:32 -0700 Subject: [PATCH] Promote AppArmor annotations to beta --- pkg/security/apparmor/helpers.go | 6 ++--- pkg/security/apparmor/validate_test.go | 34 +++++++++++++------------- test/e2e_node/apparmor_test.go | 10 ++++---- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/pkg/security/apparmor/helpers.go b/pkg/security/apparmor/helpers.go index 4546aea4da7..fa440d0104a 100644 --- a/pkg/security/apparmor/helpers.go +++ b/pkg/security/apparmor/helpers.go @@ -25,11 +25,11 @@ import ( // TODO: Move these values into the API package. const ( // The prefix to an annotation key specifying a container profile. - ContainerAnnotationKeyPrefix = "container.apparmor.security.alpha.kubernetes.io/" + ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" // The annotation key specifying the default AppArmor profile. - DefaultProfileAnnotationKey = "apparmor.security.alpha.kubernetes.io/defaultProfileName" + DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName" // The annotation key specifying the allowed AppArmor profiles. - AllowedProfilesAnnotationKey = "apparmor.security.alpha.kubernetes.io/allowedProfileNames" + AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames" // The profile specifying the runtime default. ProfileRuntimeDefault = "runtime/default" diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go index b200f5b02d0..46536dd20e7 100644 --- a/pkg/security/apparmor/validate_test.go +++ b/pkg/security/apparmor/validate_test.go @@ -60,12 +60,12 @@ func TestValidateProfile(t *testing.T) { expectValid bool }{ {"", true}, - {"runtime/default", true}, + {ProfileRuntimeDefault, true}, {"baz", false}, // Missing local prefix. - {"localhost//usr/sbin/ntpd", true}, - {"localhost/foo-bar", true}, - {"localhost/unloaded", false}, // Not loaded. - {"localhost/", false}, + {ProfileNamePrefix + "/usr/sbin/ntpd", true}, + {ProfileNamePrefix + "foo-bar", true}, + {ProfileNamePrefix + "unloaded", false}, // Not loaded. + {ProfileNamePrefix + "", false}, } for _, test := range tests { @@ -89,8 +89,8 @@ func TestValidateBadHost(t *testing.T) { expectValid bool }{ {"", true}, - {"runtime/default", false}, - {"localhost/docker-default", false}, + {ProfileRuntimeDefault, false}, + {ProfileNamePrefix + "docker-default", false}, } for _, test := range tests { @@ -113,13 +113,13 @@ func TestValidateValidHost(t *testing.T) { expectValid bool }{ {"", true}, - {"runtime/default", true}, - {"localhost/docker-default", true}, - {"localhost/foo-container", true}, - {"localhost//usr/sbin/ntpd", true}, + {ProfileRuntimeDefault, true}, + {ProfileNamePrefix + "docker-default", true}, + {ProfileNamePrefix + "foo-container", true}, + {ProfileNamePrefix + "/usr/sbin/ntpd", true}, {"docker-default", false}, - {"localhost/foo", false}, - {"localhost/", false}, + {ProfileNamePrefix + "foo", false}, + {ProfileNamePrefix + "", false}, } for _, test := range tests { @@ -135,9 +135,9 @@ func TestValidateValidHost(t *testing.T) { pod := &api.Pod{ ObjectMeta: api.ObjectMeta{ Annotations: map[string]string{ - "container.apparmor.security.alpha.kubernetes.io/init": "localhost/foo-container", - "container.apparmor.security.alpha.kubernetes.io/test1": "runtime/default", - "container.apparmor.security.alpha.kubernetes.io/test2": "localhost/docker-default", + ContainerAnnotationKeyPrefix + "init": ProfileNamePrefix + "foo-container", + ContainerAnnotationKeyPrefix + "test1": ProfileRuntimeDefault, + ContainerAnnotationKeyPrefix + "test2": ProfileNamePrefix + "docker-default", }, }, Spec: api.PodSpec{ @@ -173,7 +173,7 @@ func TestParseProfileName(t *testing.T) { func getPodWithProfile(profile string) *api.Pod { annotations := map[string]string{ - "container.apparmor.security.alpha.kubernetes.io/test": profile, + ContainerAnnotationKeyPrefix + "test": profile, } if profile == "" { annotations = map[string]string{ diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go index 827ba4f1dc9..f5e87b56764 100644 --- a/test/e2e_node/apparmor_test.go +++ b/test/e2e_node/apparmor_test.go @@ -53,12 +53,12 @@ func testAppArmorNode() { f := framework.NewDefaultFramework("apparmor-test") It("should reject an unloaded profile", func() { - status := runAppArmorTest(f, "localhost/"+"non-existant-profile") + status := runAppArmorTest(f, apparmor.ProfileNamePrefix+"non-existant-profile") Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status) Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status) }) It("should enforce a profile blocking writes", func() { - status := runAppArmorTest(f, "localhost/"+apparmorProfilePrefix+"deny-write") + status := runAppArmorTest(f, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"deny-write") if len(status.ContainerStatuses) == 0 { framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) return @@ -68,7 +68,7 @@ func testAppArmorNode() { }) It("should enforce a permissive profile", func() { - status := runAppArmorTest(f, "localhost/"+apparmorProfilePrefix+"audit-write") + status := runAppArmorTest(f, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"audit-write") if len(status.ContainerStatuses) == 0 { framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) return @@ -84,7 +84,7 @@ func testNonAppArmorNode() { f := framework.NewDefaultFramework("apparmor-test") It("should reject a pod with an AppArmor profile", func() { - status := runAppArmorTest(f, "runtime/default") + status := runAppArmorTest(f, apparmor.ProfileRuntimeDefault) Expect(status.Phase).To(Equal(api.PodFailed), "PodStatus: %+v", status) Expect(status.Reason).To(Equal("AppArmor"), "PodStatus: %+v", status) }) @@ -159,7 +159,7 @@ func createPodWithAppArmor(f *framework.Framework, profile string) *api.Pod { ObjectMeta: api.ObjectMeta{ Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)), Annotations: map[string]string{ - "container.apparmor.security.alpha.kubernetes.io/test": profile, + apparmor.ContainerAnnotationKeyPrefix + "test": profile, }, }, Spec: api.PodSpec{