Move AppArmor profile validation to the API validation pkg

2025-09-08 12:41:58 +00:00 · 2022-02-15 16:17:37 -08:00
parent 455f7c278c
commit 5f2b12e0d4
5 changed files with 42 additions and 42 deletions
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -28,6 +28,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/features"
 	utilpath "k8s.io/utils/path"
 )
@@ -75,12 +76,12 @@ func (v *validator) Validate(pod *v1.Pod) error {
 	var retErr error
 	podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
 		profile := GetProfileName(pod, container.Name)
-		retErr = ValidateProfileFormat(profile)
+		retErr = validation.ValidateAppArmorProfileFormat(profile)
 		if retErr != nil {
 			return false
 		}
-		// TODO(#64841): This would ideally be part of ValidateProfileFormat, but that is called for
-		// API validation, and this is tightening validation.
+		// TODO(#64841): This would ideally be part of validation.ValidateAppArmorProfileFormat, but
+		// that is called for API validation, and this is tightening validation.
 		if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
 			if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" {
 				retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile)
@@ -117,17 +118,6 @@ func validateHost() error {
 	return nil
 }

-// ValidateProfileFormat checks the format of the profile.
-func ValidateProfileFormat(profile string) error {
-	if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
-		return nil
-	}
-	if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
-		return fmt.Errorf("invalid AppArmor profile name: %q", profile)
-	}
-	return nil
-}
-
 func getAppArmorFS() (string, error) {
 	mountsFile, err := os.Open("/proc/mounts")
 	if err != nil {
--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@@ -46,29 +46,6 @@ func TestValidateHost(t *testing.T) {
 	assert.NoError(t, validateHost())
 }

-func TestValidateProfileFormat(t *testing.T) {
-	tests := []struct {
-		profile     string
-		expectValid bool
-	}{
-		{"", true},
-		{v1.AppArmorBetaProfileRuntimeDefault, true},
-		{v1.AppArmorBetaProfileNameUnconfined, true},
-		{"baz", false}, // Missing local prefix.
-		{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
-		{v1.AppArmorBetaProfileNamePrefix + "foo-bar", true},
-	}
-
-	for _, test := range tests {
-		err := ValidateProfileFormat(test.profile)
-		if test.expectValid {
-			assert.NoError(t, err, "Profile %s should be valid", test.profile)
-		} else {
-			assert.Error(t, err, fmt.Sprintf("Profile %s should not be valid", test.profile))
-		}
-	}
-}
-
 func TestValidateBadHost(t *testing.T) {
 	hostErr := errors.New("expected host error")
 	v := &validator{