github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-30 05:43:58 +00:00
Code Issues Projects Releases Wiki Activity

Move /seccomp/ into domain prefix in seccomp annotations

Browse Source 
Double slashes are not allowed in annotation keys. Moreover, using the 63
characters of the name component in an annotation key will shorted the space
for the container name.
This commit is contained in:
Dr. Stefan Schimanski
2016-06-02 15:44:57 +02:00
parent 6460b34128
commit ad6bd78007
3 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/kubelet/dockertools/manager.go
View File

@@ -993,10 +993,10 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
return nil, nil
}
profile, profileOK := pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/container/"+ctrName]
profile, profileOK := pod.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+ctrName]
if !profileOK {
// try the pod profile
profile, profileOK = pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/pod"]
profile, profileOK = pod.ObjectMeta.Annotations["seccomp.security.alpha.kubernetes.io/pod"]
if !profileOK {
// return early the default
return defaultSecurityOpt, nil

8
pkg/kubelet/dockertools/manager_test.go
View File

@@ -1762,7 +1762,7 @@ func TestUnconfinedSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo4",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
},
},
Spec: api.PodSpec{
@@ -1804,7 +1804,7 @@ func TestDefaultSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo1",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "docker/default",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default",
},
},
Spec: api.PodSpec{
@@ -1846,8 +1846,8 @@ func TestSeccompContainerAnnotationTrumpsPod(t *testing.T) {
Name: "foo2",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
"security.alpha.kubernetes.io/seccomp/container/bar2": "docker/default",
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
"container.seccomp.security.alpha.kubernetes.io/bar2": "docker/default",
},
},
Spec: api.PodSpec{