github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-11 13:02:14 +00:00
Code Issues Projects Releases Wiki Activity

Add AppArmor feature gate

Browse Source
This commit is contained in:
Tim St. Clair 2016-08-25 17:40:18 -07:00
parent 75fba4c953
commit 9bde6f0770
No known key found for this signature in database
GPG Key ID: 434D16BCEF479EAB
3 changed files with 25 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/api/validation/validation.go
View File

@ -38,6 +38,7 @@ import (
"k8s.io/kubernetes/pkg/capabilities" "k8s.io/kubernetes/pkg/capabilities"
"k8s.io/kubernetes/pkg/labels" "k8s.io/kubernetes/pkg/labels"
"k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/apparmor"
utilconfig "k8s.io/kubernetes/pkg/util/config"
"k8s.io/kubernetes/pkg/util/intstr" "k8s.io/kubernetes/pkg/util/intstr"
"k8s.io/kubernetes/pkg/util/sets" "k8s.io/kubernetes/pkg/util/sets"
"k8s.io/kubernetes/pkg/util/validation" "k8s.io/kubernetes/pkg/util/validation"
@ -2119,13 +2120,17 @@ func ValidateAppArmorPodAnnotations(annotations map[string]string, spec *api.Pod
if !strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) { if !strings.HasPrefix(k, apparmor.ContainerAnnotationKeyPrefix) {
continue continue
} }
if !utilconfig.DefaultFeatureGate.AppArmor() {
allErrs = append(allErrs, field.Forbidden(fldPath.Key(k), "AppArmor is disabled by feature-gate"))
continue
}
containerName := strings.TrimPrefix(k, apparmor.ContainerAnnotationKeyPrefix) containerName := strings.TrimPrefix(k, apparmor.ContainerAnnotationKeyPrefix)
if !podSpecHasContainer(spec, containerName) { if !podSpecHasContainer(spec, containerName) {
allErrs = append(allErrs, field.Invalid(fldPath.Child(k), containerName, "container not found")) allErrs = append(allErrs, field.Invalid(fldPath.Key(k), containerName, "container not found"))
} }
if err := apparmor.ValidateProfileFormat(p); err != nil { if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child(k), p, err.Error())) allErrs = append(allErrs, field.Invalid(fldPath.Key(k), p, err.Error()))
} }
} }

8
pkg/security/apparmor/validate.go
View File

@ -27,6 +27,7 @@ import (
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/util" "k8s.io/kubernetes/pkg/util"
utilconfig "k8s.io/kubernetes/pkg/util/config"
) )
// Whether AppArmor should be disabled by default. // Whether AppArmor should be disabled by default.
@ -88,9 +89,14 @@ func (v *validator) Validate(pod *api.Pod) error {
// Verify that the host and runtime is capable of enforcing AppArmor profiles. // Verify that the host and runtime is capable of enforcing AppArmor profiles.
func validateHost(runtime string) error { func validateHost(runtime string) error {
// Check feature-gates
if !utilconfig.DefaultFeatureGate.AppArmor() {
return errors.New("AppArmor disabled by feature-gate")
}
// Check build support. // Check build support.
if isDisabledBuild { if isDisabledBuild {
return errors.New("Binary not compiled for linux.") return errors.New("Binary not compiled for linux")
} }
// Check kernel support. // Check kernel support.

12
pkg/util/config/feature_gate.go
View File

@ -39,9 +39,9 @@ const (
// AllAlpha=true,NewFeature=false will result in newFeature=false // AllAlpha=true,NewFeature=false will result in newFeature=false
allAlphaGate = "AllAlpha" allAlphaGate = "AllAlpha"
externalTrafficLocalOnly = "AllowExtTrafficLocalEndpoints" externalTrafficLocalOnly = "AllowExtTrafficLocalEndpoints"
appArmor = "AppArmor"
dynamicKubeletConfig = "DynamicKubeletConfig" dynamicKubeletConfig = "DynamicKubeletConfig"
dynamicVolumeProvisioning = "DynamicVolumeProvisioning" dynamicVolumeProvisioning = "DynamicVolumeProvisioning"
// TODO: Define gate/accessor for AppArmor
) )
var ( var (
@ -50,6 +50,7 @@ var (
knownFeatures = map[string]featureSpec{ knownFeatures = map[string]featureSpec{
allAlphaGate: {false, alpha}, allAlphaGate: {false, alpha},
externalTrafficLocalOnly: {false, alpha}, externalTrafficLocalOnly: {false, alpha},
appArmor: {true, alpha},
dynamicKubeletConfig: {false, alpha}, dynamicKubeletConfig: {false, alpha},
dynamicVolumeProvisioning: {true, alpha}, dynamicVolumeProvisioning: {true, alpha},
} }
@ -91,6 +92,10 @@ type FeatureGate interface {
// // alpha: v1.4 // // alpha: v1.4
// MyFeature() bool // MyFeature() bool
// owner: @timstclair
// alpha: v1.4
AppArmor() bool
// owner: @girishkalele // owner: @girishkalele
// alpha: v1.4 // alpha: v1.4
ExternalTrafficLocalOnly() bool ExternalTrafficLocalOnly() bool
@ -175,6 +180,11 @@ func (f *featureGate) ExternalTrafficLocalOnly() bool {
return f.lookup(externalTrafficLocalOnly) return f.lookup(externalTrafficLocalOnly)
} }
// AppArmor returns the value for the AppArmor feature gate.
func (f *featureGate) AppArmor() bool {
return f.lookup(appArmor)
}
// DynamicKubeletConfig returns value for dynamicKubeletConfig // DynamicKubeletConfig returns value for dynamicKubeletConfig
func (f *featureGate) DynamicKubeletConfig() bool { func (f *featureGate) DynamicKubeletConfig() bool {
return f.lookup(dynamicKubeletConfig) return f.lookup(dynamicKubeletConfig)