diff --git a/pkg/api/pod/BUILD b/pkg/api/pod/BUILD index f5d1531c4f3..4205b162618 100644 --- a/pkg/api/pod/BUILD +++ b/pkg/api/pod/BUILD @@ -13,7 +13,7 @@ go_library( deps = [ "//pkg/apis/core:go_default_library", "//pkg/features:go_default_library", - "//pkg/security/apparmor:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", ], @@ -39,7 +39,7 @@ go_test( deps = [ "//pkg/apis/core:go_default_library", "//pkg/features:go_default_library", - "//pkg/security/apparmor:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go index 07c42323d9f..98ef8145001 100644 --- a/pkg/api/pod/util.go +++ b/pkg/api/pod/util.go @@ -19,11 +19,11 @@ package pod import ( "strings" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" utilfeature "k8s.io/apiserver/pkg/util/feature" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/features" - "k8s.io/kubernetes/pkg/security/apparmor" ) // ContainerType signifies container type @@ -363,7 +363,7 @@ func dropDisabledFields( if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorInUse(oldPodAnnotations) { for k := range podAnnotations { - if strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { + if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) { delete(podAnnotations, k) } } @@ -590,7 +590,7 @@ func procMountInUse(podSpec *api.PodSpec) bool { // appArmorInUse returns true if the pod has apparmor related information func appArmorInUse(podAnnotations map[string]string) bool { for k := range podAnnotations { - if strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { + if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) { return true } } diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go index decf72d0347..693ca2a0ae7 100644 --- a/pkg/api/pod/util_test.go +++ b/pkg/api/pod/util_test.go @@ -23,6 +23,8 @@ import ( "testing" "github.com/google/go-cmp/cmp" + + "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/diff" @@ -32,7 +34,6 @@ import ( featuregatetesting "k8s.io/component-base/featuregate/testing" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/features" - "k8s.io/kubernetes/pkg/security/apparmor" ) func TestVisitContainers(t *testing.T) { @@ -1026,7 +1027,7 @@ func TestDropEmptyDirSizeLimit(t *testing.T) { func TestDropAppArmor(t *testing.T) { podWithAppArmor := func() *api.Pod { return &api.Pod{ - ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", apparmor.ContainerAnnotationKeyPrefix + "foo": "default"}}, + ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.AppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}}, Spec: api.PodSpec{}, } } diff --git a/pkg/apis/core/validation/BUILD b/pkg/apis/core/validation/BUILD index 30f0bdcc3c2..2867c843865 100644 --- a/pkg/apis/core/validation/BUILD +++ b/pkg/apis/core/validation/BUILD @@ -56,7 +56,6 @@ go_test( "//pkg/apis/core:go_default_library", "//pkg/capabilities:go_default_library", "//pkg/features:go_default_library", - "//pkg/security/apparmor:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go index 9f34086c2b5..41909b4d0b5 100644 --- a/pkg/apis/core/validation/validation.go +++ b/pkg/apis/core/validation/validation.go @@ -173,7 +173,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie if newVal, exists := newAnnotations[k]; exists && newVal == oldVal { continue // No change. } - if strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { + if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) { allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not remove or update AppArmor annotations")) } if k == core.MirrorPodAnnotationKey { @@ -185,7 +185,7 @@ func ValidatePodSpecificAnnotationUpdates(newPod, oldPod *core.Pod, fldPath *fie if _, ok := oldAnnotations[k]; ok { continue // No change. } - if strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { + if strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) { allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "may not add AppArmor annotations")) } if k == core.MirrorPodAnnotationKey { @@ -3572,10 +3572,10 @@ func ValidateSeccompPodAnnotations(annotations map[string]string, fldPath *field func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *core.PodSpec, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} for k, p := range annotations { - if !strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { + if !strings.HasPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) { continue } - containerName := strings.TrimPrefix(k, apparmor.ContainerAnnotationKeyPrefix) + containerName := strings.TrimPrefix(k, v1.AppArmorBetaContainerAnnotationKeyPrefix) if !podSpecHasContainer(spec, containerName) { allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found")) } diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go index a4e1b8928e2..731a0d27f12 100644 --- a/pkg/apis/core/validation/validation_test.go +++ b/pkg/apis/core/validation/validation_test.go @@ -35,7 +35,6 @@ import ( "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/capabilities" "k8s.io/kubernetes/pkg/features" - "k8s.io/kubernetes/pkg/security/apparmor" utilpointer "k8s.io/utils/pointer" ) @@ -7293,7 +7292,7 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "ctr": apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileRuntimeDefault, }, }, Spec: validPodSpec(nil), @@ -7303,7 +7302,7 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "init-ctr": apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.AppArmorBetaProfileRuntimeDefault, }, }, Spec: core.PodSpec{ @@ -7318,7 +7317,7 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "ctr": apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileNamePrefix + "foo", }, }, Spec: validPodSpec(nil), @@ -8017,9 +8016,9 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "ctr": apparmor.ProfileRuntimeDefault, - apparmor.ContainerAnnotationKeyPrefix + "init-ctr": apparmor.ProfileRuntimeDefault, - apparmor.ContainerAnnotationKeyPrefix + "fake-ctr": apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "init-ctr": v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "fake-ctr": v1.AppArmorBetaProfileRuntimeDefault, }, }, Spec: core.PodSpec{ @@ -8037,7 +8036,7 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "ctr": "bad-name", + v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": "bad-name", }, }, Spec: validPodSpec(nil), @@ -8050,7 +8049,7 @@ func TestValidatePod(t *testing.T) { Name: "123", Namespace: "ns", Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "ctr": "runtime/foo", + v1.AppArmorBetaContainerAnnotationKeyPrefix + "ctr": "runtime/foo", }, }, Spec: validPodSpec(nil), diff --git a/pkg/apis/policy/validation/BUILD b/pkg/apis/policy/validation/BUILD index 76b6fe1d96f..a1d627225c1 100644 --- a/pkg/apis/policy/validation/BUILD +++ b/pkg/apis/policy/validation/BUILD @@ -18,6 +18,7 @@ go_library( "//pkg/security/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/seccomp:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", @@ -32,9 +33,9 @@ go_test( deps = [ "//pkg/apis/core:go_default_library", "//pkg/apis/policy:go_default_library", - "//pkg/security/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/seccomp:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", diff --git a/pkg/apis/policy/validation/validation.go b/pkg/apis/policy/validation/validation.go index 149ad6c3edf..35281eeadbe 100644 --- a/pkg/apis/policy/validation/validation.go +++ b/pkg/apis/policy/validation/validation.go @@ -22,6 +22,7 @@ import ( "regexp" "strings" + "k8s.io/api/core/v1" apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation" unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation" "k8s.io/apimachinery/pkg/util/sets" @@ -129,15 +130,15 @@ func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath * func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" { + if p := annotations[v1.AppArmorBetaDefaultProfileAnnotationKey]; p != "" { if err := apparmor.ValidateProfileFormat(p); err != nil { - allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error())) + allErrs = append(allErrs, field.Invalid(fldPath.Key(v1.AppArmorBetaDefaultProfileAnnotationKey), p, err.Error())) } } - if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" { + if allowed := annotations[v1.AppArmorBetaAllowedProfilesAnnotationKey]; allowed != "" { for _, p := range strings.Split(allowed, ",") { if err := apparmor.ValidateProfileFormat(p); err != nil { - allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error())) + allErrs = append(allErrs, field.Invalid(fldPath.Key(v1.AppArmorBetaAllowedProfilesAnnotationKey), allowed, err.Error())) } } } diff --git a/pkg/apis/policy/validation/validation_test.go b/pkg/apis/policy/validation/validation_test.go index 6de710c6295..4c5f68912b9 100644 --- a/pkg/apis/policy/validation/validation_test.go +++ b/pkg/apis/policy/validation/validation_test.go @@ -21,12 +21,12 @@ import ( "testing" "github.com/stretchr/testify/assert" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/policy" - "k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" "k8s.io/utils/pointer" @@ -223,11 +223,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) { invalidAppArmorDefault := validPSP() invalidAppArmorDefault.Annotations = map[string]string{ - apparmor.DefaultProfileAnnotationKey: "not-good", + v1.AppArmorBetaDefaultProfileAnnotationKey: "not-good", } invalidAppArmorAllowed := validPSP() invalidAppArmorAllowed.Annotations = map[string]string{ - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good", + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault + ",not-good", } invalidAllowedUnsafeSysctlPattern := validPSP() @@ -521,8 +521,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) { validAppArmor := validPSP() validAppArmor.Annotations = map[string]string{ - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault + "," + v1.AppArmorBetaProfileNamePrefix + "foo", } withForbiddenSysctl := validPSP() diff --git a/pkg/kubelet/dockershim/BUILD b/pkg/kubelet/dockershim/BUILD index c3d42a1ff47..2ec3bfd14de 100644 --- a/pkg/kubelet/dockershim/BUILD +++ b/pkg/kubelet/dockershim/BUILD @@ -55,7 +55,6 @@ go_library( "//pkg/kubelet/types:go_default_library", "//pkg/kubelet/util/cache:go_default_library", "//pkg/kubelet/util/ioutils:go_default_library", - "//pkg/security/apparmor:go_default_library", "//pkg/util/parsers:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", @@ -111,7 +110,7 @@ go_test( "//pkg/kubelet/dockershim/network/testing:go_default_library", "//pkg/kubelet/types:go_default_library", "//pkg/kubelet/util/cache:go_default_library", - "//pkg/security/apparmor:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library", "//staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2:go_default_library", "//vendor/github.com/blang/semver:go_default_library", @@ -123,12 +122,6 @@ go_test( "//vendor/github.com/stretchr/testify/assert:go_default_library", "//vendor/github.com/stretchr/testify/require:go_default_library", ] + select({ - "@io_bazel_rules_go//go/platform:android": [ - "//staging/src/k8s.io/api/core/v1:go_default_library", - ], - "@io_bazel_rules_go//go/platform:linux": [ - "//staging/src/k8s.io/api/core/v1:go_default_library", - ], "@io_bazel_rules_go//go/platform:windows": [ "//vendor/golang.org/x/sys/windows/registry:go_default_library", ], diff --git a/pkg/kubelet/dockershim/helpers.go b/pkg/kubelet/dockershim/helpers.go index 9883d901261..c89db1a993a 100644 --- a/pkg/kubelet/dockershim/helpers.go +++ b/pkg/kubelet/dockershim/helpers.go @@ -31,12 +31,12 @@ import ( dockernat "github.com/docker/go-connections/nat" "k8s.io/klog" + "k8s.io/api/core/v1" utilerrors "k8s.io/apimachinery/pkg/util/errors" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" "k8s.io/kubernetes/pkg/credentialprovider" "k8s.io/kubernetes/pkg/kubelet/dockershim/libdocker" "k8s.io/kubernetes/pkg/kubelet/types" - "k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/util/parsers" ) @@ -361,18 +361,18 @@ func ensureSandboxImageExists(client libdocker.Interface, image string) error { } func getAppArmorOpts(profile string) ([]dockerOpt, error) { - if profile == "" || profile == apparmor.ProfileRuntimeDefault { + if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault { // The docker applies the default profile by default. return nil, nil } // Return unconfined profile explicitly - if profile == apparmor.ProfileNameUnconfined { - return []dockerOpt{{"apparmor", apparmor.ProfileNameUnconfined, ""}}, nil + if profile == v1.AppArmorBetaProfileNameUnconfined { + return []dockerOpt{{"apparmor", v1.AppArmorBetaProfileNameUnconfined, ""}}, nil } // Assume validation has already happened. - profileName := strings.TrimPrefix(profile, apparmor.ProfileNamePrefix) + profileName := strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix) return []dockerOpt{{"apparmor", profileName, ""}}, nil } diff --git a/pkg/kubelet/dockershim/helpers_test.go b/pkg/kubelet/dockershim/helpers_test.go index 2597af61e4a..62c07a5c3e8 100644 --- a/pkg/kubelet/dockershim/helpers_test.go +++ b/pkg/kubelet/dockershim/helpers_test.go @@ -28,9 +28,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "k8s.io/api/core/v1" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" "k8s.io/kubernetes/pkg/kubelet/dockershim/libdocker" - "k8s.io/kubernetes/pkg/security/apparmor" ) func TestLabelsAndAnnotationsRoundTrip(t *testing.T) { @@ -66,7 +66,7 @@ func TestGetApparmorSecurityOpts(t *testing.T) { expectedOpts: []string{}, }, { msg: "AppArmor local profile", - config: makeConfig(apparmor.ProfileNamePrefix + "foo"), + config: makeConfig(v1.AppArmorBetaProfileNamePrefix + "foo"), expectedOpts: []string{"apparmor=foo"}, }} diff --git a/pkg/security/apparmor/helpers.go b/pkg/security/apparmor/helpers.go index 2c67ff57861..010710e904b 100644 --- a/pkg/security/apparmor/helpers.go +++ b/pkg/security/apparmor/helpers.go @@ -22,29 +22,11 @@ import ( "k8s.io/api/core/v1" ) -// TODO: Move these values into the API package. -const ( - // The prefix to an annotation key specifying a container profile. - ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" - // The annotation key specifying the default AppArmor profile. - DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName" - // The annotation key specifying the allowed AppArmor profiles. - AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames" - - // The profile specifying the runtime default. - ProfileRuntimeDefault = "runtime/default" - // The prefix for specifying profiles loaded on the node. - ProfileNamePrefix = "localhost/" - - // Unconfined profile - ProfileNameUnconfined = "unconfined" -) - // Checks whether app armor is required for pod to be run. func isRequired(pod *v1.Pod) bool { for key, value := range pod.Annotations { - if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) { - return value != ProfileNameUnconfined + if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) { + return value != v1.AppArmorBetaProfileNameUnconfined } } return false @@ -58,7 +40,7 @@ func GetProfileName(pod *v1.Pod, containerName string) string { // GetProfileNameFromPodAnnotations gets the name of the profile to use with container from // pod annotations func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string { - return annotations[ContainerAnnotationKeyPrefix+containerName] + return annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] } // SetProfileName sets the name of the profile to use with the container. @@ -66,7 +48,7 @@ func SetProfileName(pod *v1.Pod, containerName, profileName string) error { if pod.Annotations == nil { pod.Annotations = map[string]string{} } - pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName + pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName return nil } @@ -75,6 +57,6 @@ func SetProfileNameFromPodAnnotations(annotations map[string]string, containerNa if annotations == nil { return nil } - annotations[ContainerAnnotationKeyPrefix+containerName] = profileName + annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName return nil } diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go index f66ff1ce1f2..210ff99fe10 100644 --- a/pkg/security/apparmor/validate.go +++ b/pkg/security/apparmor/validate.go @@ -125,8 +125,8 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error { return err } - if strings.HasPrefix(profile, ProfileNamePrefix) { - profileName := strings.TrimPrefix(profile, ProfileNamePrefix) + if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) { + profileName := strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix) if !loadedProfiles[profileName] { return fmt.Errorf("profile %q is not loaded", profileName) } @@ -137,10 +137,10 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error { // ValidateProfileFormat checks the format of the profile. func ValidateProfileFormat(profile string) error { - if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined { + if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined { return nil } - if !strings.HasPrefix(profile, ProfileNamePrefix) { + if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) { return fmt.Errorf("invalid AppArmor profile name: %q", profile) } return nil diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go index 6ec4ce6f1c3..f5aa3aa0af2 100644 --- a/pkg/security/apparmor/validate_test.go +++ b/pkg/security/apparmor/validate_test.go @@ -62,13 +62,13 @@ func TestValidateProfile(t *testing.T) { expectValid bool }{ {"", true}, - {ProfileRuntimeDefault, true}, - {ProfileNameUnconfined, true}, + {v1.AppArmorBetaProfileRuntimeDefault, true}, + {v1.AppArmorBetaProfileNameUnconfined, true}, {"baz", false}, // Missing local prefix. - {ProfileNamePrefix + "/usr/sbin/ntpd", true}, - {ProfileNamePrefix + "foo-bar", true}, - {ProfileNamePrefix + "unloaded", false}, // Not loaded. - {ProfileNamePrefix + "", false}, + {v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true}, + {v1.AppArmorBetaProfileNamePrefix + "foo-bar", true}, + {v1.AppArmorBetaProfileNamePrefix + "unloaded", false}, // Not loaded. + {v1.AppArmorBetaProfileNamePrefix + "", false}, } for _, test := range tests { @@ -92,8 +92,8 @@ func TestValidateBadHost(t *testing.T) { expectValid bool }{ {"", true}, - {ProfileRuntimeDefault, false}, - {ProfileNamePrefix + "docker-default", false}, + {v1.AppArmorBetaProfileRuntimeDefault, false}, + {v1.AppArmorBetaProfileNamePrefix + "docker-default", false}, } for _, test := range tests { @@ -116,13 +116,13 @@ func TestValidateValidHost(t *testing.T) { expectValid bool }{ {"", true}, - {ProfileRuntimeDefault, true}, - {ProfileNamePrefix + "docker-default", true}, - {ProfileNamePrefix + "foo-container", true}, - {ProfileNamePrefix + "/usr/sbin/ntpd", true}, + {v1.AppArmorBetaProfileRuntimeDefault, true}, + {v1.AppArmorBetaProfileNamePrefix + "docker-default", true}, + {v1.AppArmorBetaProfileNamePrefix + "foo-container", true}, + {v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true}, {"docker-default", false}, - {ProfileNamePrefix + "foo", false}, - {ProfileNamePrefix + "", false}, + {v1.AppArmorBetaProfileNamePrefix + "foo", false}, + {v1.AppArmorBetaProfileNamePrefix + "", false}, } for _, test := range tests { @@ -138,9 +138,9 @@ func TestValidateValidHost(t *testing.T) { pod := &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - ContainerAnnotationKeyPrefix + "init": ProfileNamePrefix + "foo-container", - ContainerAnnotationKeyPrefix + "test1": ProfileRuntimeDefault, - ContainerAnnotationKeyPrefix + "test2": ProfileNamePrefix + "docker-default", + v1.AppArmorBetaContainerAnnotationKeyPrefix + "init": v1.AppArmorBetaProfileNamePrefix + "foo-container", + v1.AppArmorBetaContainerAnnotationKeyPrefix + "test1": v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "test2": v1.AppArmorBetaProfileNamePrefix + "docker-default", }, }, Spec: v1.PodSpec{ @@ -176,7 +176,7 @@ func TestParseProfileName(t *testing.T) { func getPodWithProfile(profile string) *v1.Pod { annotations := map[string]string{ - ContainerAnnotationKeyPrefix + "test": profile, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile, } if profile == "" { annotations = map[string]string{ diff --git a/pkg/security/podsecuritypolicy/apparmor/BUILD b/pkg/security/podsecuritypolicy/apparmor/BUILD index e88c89af2dc..06297479ae0 100644 --- a/pkg/security/podsecuritypolicy/apparmor/BUILD +++ b/pkg/security/podsecuritypolicy/apparmor/BUILD @@ -14,6 +14,7 @@ go_library( "//pkg/apis/core:go_default_library", "//pkg/security/apparmor:go_default_library", "//pkg/util/maps:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], ) @@ -24,8 +25,8 @@ go_test( embed = [":go_default_library"], deps = [ "//pkg/apis/core:go_default_library", - "//pkg/security/apparmor:go_default_library", "//pkg/util/maps:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/github.com/davecgh/go-spew/spew:go_default_library", "//vendor/github.com/stretchr/testify/assert:go_default_library", diff --git a/pkg/security/podsecuritypolicy/apparmor/strategy.go b/pkg/security/podsecuritypolicy/apparmor/strategy.go index 9f6affdd2b3..31a06c9198c 100644 --- a/pkg/security/podsecuritypolicy/apparmor/strategy.go +++ b/pkg/security/podsecuritypolicy/apparmor/strategy.go @@ -20,6 +20,7 @@ import ( "fmt" "strings" + "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/security/apparmor" @@ -47,7 +48,7 @@ var _ Strategy = &strategy{} // NewStrategy creates a new strategy that enforces AppArmor profile constraints. func NewStrategy(pspAnnotations map[string]string) Strategy { var allowedProfiles map[string]bool - if allowed, ok := pspAnnotations[apparmor.AllowedProfilesAnnotationKey]; ok { + if allowed, ok := pspAnnotations[v1.AppArmorBetaAllowedProfilesAnnotationKey]; ok { profiles := strings.Split(allowed, ",") allowedProfiles = make(map[string]bool, len(profiles)) for _, p := range profiles { @@ -55,16 +56,16 @@ func NewStrategy(pspAnnotations map[string]string) Strategy { } } return &strategy{ - defaultProfile: pspAnnotations[apparmor.DefaultProfileAnnotationKey], + defaultProfile: pspAnnotations[v1.AppArmorBetaDefaultProfileAnnotationKey], allowedProfiles: allowedProfiles, - allowedProfilesString: pspAnnotations[apparmor.AllowedProfilesAnnotationKey], + allowedProfilesString: pspAnnotations[v1.AppArmorBetaAllowedProfilesAnnotationKey], } } func (s *strategy) Generate(annotations map[string]string, container *api.Container) (map[string]string, error) { copy := maps.CopySS(annotations) - if annotations[apparmor.ContainerAnnotationKeyPrefix+container.Name] != "" { + if annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+container.Name] != "" { // Profile already set, nothing to do. return copy, nil } @@ -78,7 +79,7 @@ func (s *strategy) Generate(annotations map[string]string, container *api.Contai copy = map[string]string{} } // Add the default profile. - copy[apparmor.ContainerAnnotationKeyPrefix+container.Name] = s.defaultProfile + copy[v1.AppArmorBetaContainerAnnotationKeyPrefix+container.Name] = s.defaultProfile return copy, nil } @@ -90,7 +91,7 @@ func (s *strategy) Validate(pod *api.Pod, container *api.Container) field.ErrorL } allErrs := field.ErrorList{} - fieldPath := field.NewPath("pod", "metadata", "annotations").Key(apparmor.ContainerAnnotationKeyPrefix + container.Name) + fieldPath := field.NewPath("pod", "metadata", "annotations").Key(v1.AppArmorBetaContainerAnnotationKeyPrefix + container.Name) profile := apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name) if profile == "" { diff --git a/pkg/security/podsecuritypolicy/apparmor/strategy_test.go b/pkg/security/podsecuritypolicy/apparmor/strategy_test.go index ac4edc448e3..c1f8a3aa6a3 100644 --- a/pkg/security/podsecuritypolicy/apparmor/strategy_test.go +++ b/pkg/security/podsecuritypolicy/apparmor/strategy_test.go @@ -22,9 +22,9 @@ import ( "github.com/davecgh/go-spew/spew" "github.com/stretchr/testify/assert" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/util/maps" ) @@ -36,29 +36,29 @@ var ( withoutAppArmor = map[string]string{"foo": "bar"} withDefault = map[string]string{ "foo": "bar", - apparmor.ContainerAnnotationKeyPrefix + containerName: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + containerName: v1.AppArmorBetaProfileRuntimeDefault, } withLocal = map[string]string{ "foo": "bar", - apparmor.ContainerAnnotationKeyPrefix + containerName: apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaContainerAnnotationKeyPrefix + containerName: v1.AppArmorBetaProfileNamePrefix + "foo", } withDisallowed = map[string]string{ "foo": "bar", - apparmor.ContainerAnnotationKeyPrefix + containerName: apparmor.ProfileNamePrefix + "bad", + v1.AppArmorBetaContainerAnnotationKeyPrefix + containerName: v1.AppArmorBetaProfileNamePrefix + "bad", } noAppArmor = map[string]string{"foo": "bar"} unconstrainedWithDefault = map[string]string{ - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, } constrained = map[string]string{ - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + - apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault + "," + + v1.AppArmorBetaProfileNamePrefix + "foo", } constrainedWithDefault = map[string]string{ - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + - apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault + "," + + v1.AppArmorBetaProfileNamePrefix + "foo", } container = api.Container{ diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go index 0f6d56412ed..f4e89f7ebb1 100644 --- a/pkg/security/podsecuritypolicy/provider_test.go +++ b/pkg/security/podsecuritypolicy/provider_test.go @@ -546,13 +546,13 @@ func TestValidateContainerFailures(t *testing.T) { failNilAppArmorPod := defaultPod() v1FailInvalidAppArmorPod := defaultV1Pod() - apparmor.SetProfileName(v1FailInvalidAppArmorPod, defaultContainerName, apparmor.ProfileNamePrefix+"foo") + apparmor.SetProfileName(v1FailInvalidAppArmorPod, defaultContainerName, v1.AppArmorBetaProfileNamePrefix+"foo") failInvalidAppArmorPod := &api.Pod{} k8s_api_v1.Convert_v1_Pod_To_core_Pod(v1FailInvalidAppArmorPod, failInvalidAppArmorPod, nil) failAppArmorPSP := defaultPSP() failAppArmorPSP.Annotations = map[string]string{ - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, } failPrivPod := defaultPod() @@ -1033,10 +1033,10 @@ func TestValidateContainerSuccess(t *testing.T) { appArmorPSP := defaultPSP() appArmorPSP.Annotations = map[string]string{ - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, } v1AppArmorPod := defaultV1Pod() - apparmor.SetProfileName(v1AppArmorPod, defaultContainerName, apparmor.ProfileRuntimeDefault) + apparmor.SetProfileName(v1AppArmorPod, defaultContainerName, v1.AppArmorBetaProfileRuntimeDefault) appArmorPod := &api.Pod{} k8s_api_v1.Convert_v1_Pod_To_core_Pod(v1AppArmorPod, appArmorPod, nil) diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go index eb9519499a9..27993988d73 100644 --- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go +++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go @@ -1115,16 +1115,16 @@ func TestAdmitAppArmor(t *testing.T) { unconstrainedPSP := restrictivePSP() defaultedPSP := restrictivePSP() defaultedPSP.Annotations = map[string]string{ - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, } appArmorPSP := restrictivePSP() appArmorPSP.Annotations = map[string]string{ - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, } appArmorDefaultPSP := restrictivePSP() appArmorDefaultPSP.Annotations = map[string]string{ - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo", + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault + "," + v1.AppArmorBetaProfileNamePrefix + "foo", } tests := map[string]struct { @@ -1142,18 +1142,18 @@ func TestAdmitAppArmor(t *testing.T) { expectedProfile: "", }, "unconstrained with profile": { - pod: createPodWithAppArmor(apparmor.ProfileRuntimeDefault), + pod: createPodWithAppArmor(v1.AppArmorBetaProfileRuntimeDefault), psp: unconstrainedPSP, shouldPassAdmit: true, shouldPassValidate: true, - expectedProfile: apparmor.ProfileRuntimeDefault, + expectedProfile: v1.AppArmorBetaProfileRuntimeDefault, }, "unconstrained with default profile": { pod: goodPod(), psp: defaultedPSP, shouldPassAdmit: true, shouldPassValidate: true, - expectedProfile: apparmor.ProfileRuntimeDefault, + expectedProfile: v1.AppArmorBetaProfileRuntimeDefault, }, "AppArmor enforced with no profile": { pod: goodPod(), @@ -1166,17 +1166,17 @@ func TestAdmitAppArmor(t *testing.T) { psp: appArmorDefaultPSP, shouldPassAdmit: true, shouldPassValidate: true, - expectedProfile: apparmor.ProfileRuntimeDefault, + expectedProfile: v1.AppArmorBetaProfileRuntimeDefault, }, "AppArmor enforced with good profile": { - pod: createPodWithAppArmor(apparmor.ProfileNamePrefix + "foo"), + pod: createPodWithAppArmor(v1.AppArmorBetaProfileNamePrefix + "foo"), psp: appArmorDefaultPSP, shouldPassAdmit: true, shouldPassValidate: true, - expectedProfile: apparmor.ProfileNamePrefix + "foo", + expectedProfile: v1.AppArmorBetaProfileNamePrefix + "foo", }, "AppArmor enforced with local profile": { - pod: createPodWithAppArmor(apparmor.ProfileNamePrefix + "bar"), + pod: createPodWithAppArmor(v1.AppArmorBetaProfileNamePrefix + "bar"), psp: appArmorPSP, shouldPassAdmit: false, shouldPassValidate: false, diff --git a/staging/src/k8s.io/api/core/v1/annotation_key_constants.go b/staging/src/k8s.io/api/core/v1/annotation_key_constants.go index edc9b4d6008..14f9ab96529 100644 --- a/staging/src/k8s.io/api/core/v1/annotation_key_constants.go +++ b/staging/src/k8s.io/api/core/v1/annotation_key_constants.go @@ -48,6 +48,22 @@ const ( // SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. SeccompProfileRuntimeDefault string = "runtime/default" + // AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. + AppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" + // AppArmorBetaDefaultProfileAnnotatoinKey is the annotation key specifying the default AppArmor profile. + AppArmorBetaDefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName" + // AppArmorBetaAllowedProfileAnnotationKey is the annotation key specifying the allowed AppArmor profiles. + AppArmorBetaAllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames" + + // AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. + AppArmorBetaProfileRuntimeDefault = "runtime/default" + + // AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node. + AppArmorBetaProfileNamePrefix = "localhost/" + + // AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile + AppArmorBetaProfileNameUnconfined = "unconfined" + // DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. // This is now deprecated and should be replaced by SeccompProfileRuntimeDefault. DeprecatedSeccompProfileDockerDefault string = "docker/default" diff --git a/test/e2e/auth/BUILD b/test/e2e/auth/BUILD index daa7616719e..d7e53155b88 100644 --- a/test/e2e/auth/BUILD +++ b/test/e2e/auth/BUILD @@ -17,7 +17,6 @@ go_library( visibility = ["//visibility:public"], deps = [ "//pkg/master/ports:go_default_library", - "//pkg/security/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/seccomp:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", "//plugin/pkg/admission/serviceaccount:go_default_library", diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go index b0b3eb8f09a..70c363f1932 100644 --- a/test/e2e/auth/pod_security_policy.go +++ b/test/e2e/auth/pod_security_policy.go @@ -29,7 +29,6 @@ import ( "k8s.io/apiserver/pkg/authentication/serviceaccount" clientset "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" - "k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" "k8s.io/kubernetes/test/e2e/framework" @@ -173,7 +172,7 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) { ginkgo.By("Running a custom AppArmor profile pod", func() { aa := restrictedPod("apparmor") // Every node is expected to have the docker-default profile. - aa.Annotations[apparmor.ContainerAnnotationKeyPrefix+"pause"] = "localhost/docker-default" + aa.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+"pause"] = "localhost/docker-default" tester(aa) }) } @@ -256,8 +255,8 @@ func restrictedPod(name string) *v1.Pod { ObjectMeta: metav1.ObjectMeta{ Name: name, Annotations: map[string]string{ - v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault, - apparmor.ContainerAnnotationKeyPrefix + "pause": apparmor.ProfileRuntimeDefault, + v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "pause": v1.AppArmorBetaProfileRuntimeDefault, }, }, Spec: v1.PodSpec{ @@ -316,10 +315,10 @@ func restrictedPSP(name string) *policyv1beta1.PodSecurityPolicy { ObjectMeta: metav1.ObjectMeta{ Name: name, Annotations: map[string]string{ - seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault, - seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault, - apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, - apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, + seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault, + seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault, + v1.AppArmorBetaAllowedProfilesAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, + v1.AppArmorBetaDefaultProfileAnnotationKey: v1.AppArmorBetaProfileRuntimeDefault, }, }, Spec: policyv1beta1.PodSecurityPolicySpec{ diff --git a/test/e2e/framework/security/apparmor.go b/test/e2e/framework/security/apparmor.go index fbeb0f7d5d6..1eeeca35a82 100644 --- a/test/e2e/framework/security/apparmor.go +++ b/test/e2e/framework/security/apparmor.go @@ -36,14 +36,6 @@ const ( loaderLabelKey = "name" loaderLabelValue = "e2e-apparmor-loader" - - // TODO: import this from the k8s.io/api once it's moved there (ref: https://github.com/kubernetes/kubernetes/pull/89198) - // Unconfined profile - profileNameUnconfined = "unconfined" - - // TODO: import this from the k8s.io/api once it's moved there (ref: https://github.com/kubernetes/kubernetes/pull/89198) - // The prefix to an annotation key specifying a container profile. - containerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" ) // LoadAppArmorProfiles creates apparmor-profiles ConfigMap and apparmor-loader ReplicationController. @@ -71,7 +63,7 @@ elif [[ $(< /proc/self/attr/current) != "%[3]s" ]]; then fi`, appArmorDeniedPath, appArmorAllowedPath, appArmorProfilePrefix+nsName) if unconfined { - profile = profileNameUnconfined + profile = v1.AppArmorBetaProfileNameUnconfined testCmd = ` if cat /proc/sysrq-trigger 2>&1 | grep 'Permission denied'; then echo 'FAILURE: reading /proc/sysrq-trigger should be allowed' @@ -105,7 +97,7 @@ done`, testCmd) ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-apparmor-", Annotations: map[string]string{ - containerAnnotationKeyPrefix + "test": profile, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile, }, Labels: map[string]string{ "test": "apparmor", diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go index 62d89877737..7dd5f63a8eb 100644 --- a/test/e2e_node/apparmor_test.go +++ b/test/e2e_node/apparmor_test.go @@ -53,11 +53,11 @@ var _ = framework.KubeDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor f := framework.NewDefaultFramework("apparmor-test") ginkgo.It("should reject an unloaded profile", func() { - status := runAppArmorTest(f, false, apparmor.ProfileNamePrefix+"non-existent-profile") + status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile") expectSoftRejection(status) }) ginkgo.It("should enforce a profile blocking writes", func() { - status := runAppArmorTest(f, true, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"deny-write") + status := runAppArmorTest(f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write") if len(status.ContainerStatuses) == 0 { framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) return @@ -68,7 +68,7 @@ var _ = framework.KubeDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor }) ginkgo.It("should enforce a permissive profile", func() { - status := runAppArmorTest(f, true, apparmor.ProfileNamePrefix+apparmorProfilePrefix+"audit-write") + status := runAppArmorTest(f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write") if len(status.ContainerStatuses) == 0 { framework.Failf("Unexpected pod status: %s", spew.Sdump(status)) return @@ -83,7 +83,7 @@ var _ = framework.KubeDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor f := framework.NewDefaultFramework("apparmor-test") ginkgo.It("should reject a pod with an AppArmor profile", func() { - status := runAppArmorTest(f, false, apparmor.ProfileRuntimeDefault) + status := runAppArmorTest(f, false, v1.AppArmorBetaProfileRuntimeDefault) expectSoftRejection(status) }) }) @@ -180,7 +180,7 @@ func createPodWithAppArmor(f *framework.Framework, profile string) *v1.Pod { ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)), Annotations: map[string]string{ - apparmor.ContainerAnnotationKeyPrefix + "test": profile, + v1.AppArmorBetaContainerAnnotationKeyPrefix + "test": profile, }, }, Spec: v1.PodSpec{