Merge pull request #107426 from yanghesong/remove_validate_runtime

Remove runtime in validate
2025-07-22 19:31:44 +00:00 · 2022-01-11 20:50:36 -08:00 · 2022-01-11 20:50:36 -08:00 · b5103f6117
commit b5103f6117
parent 68e64ba52e b4f6eb681c
3 changed files with 5 additions and 12 deletions
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -834,7 +834,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,

 	if sysruntime.GOOS == "linux" {
 		// AppArmor is a Linux kernel security module and it does not support other operating systems.
-		klet.appArmorValidator = apparmor.NewValidator(containerRuntime)
+		klet.appArmorValidator = apparmor.NewValidator()
 		klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
 	}
 	klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@ -29,7 +29,6 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/features"
-	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	utilpath "k8s.io/utils/path"
 )

@ -44,8 +43,8 @@ type Validator interface {
 }

 // NewValidator is in order to find AppArmor FS
-func NewValidator(runtime string) Validator {
-	if err := validateHost(runtime); err != nil {
+func NewValidator() Validator {
+	if err := validateHost(); err != nil {
 		return &validator{validateHostErr: err}
 	}
 	appArmorFS, err := getAppArmorFS()
@ -90,7 +89,7 @@ func (v *validator) ValidateHost() error {
 }

 // Verify that the host and runtime is capable of enforcing AppArmor profiles.
-func validateHost(runtime string) error {
+func validateHost() error {
 	// Check feature-gates
 	if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) {
 		return errors.New("AppArmor disabled by feature-gate")
@ -106,11 +105,6 @@ func validateHost(runtime string) error {
 		return errors.New("AppArmor is not enabled on the host")
 	}

-	// Check runtime support. Currently only Docker is supported.
-	if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
-		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q", runtime)
-	}
-
 	return nil
 }

--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@ -43,8 +43,7 @@ func TestValidateHost(t *testing.T) {
 	// The test should be manually run if modifying the getAppArmorFS function.
 	t.Skip()

-	assert.NoError(t, validateHost("docker"))
-	assert.Error(t, validateHost("rkt"))
+	assert.NoError(t, validateHost())
 }

 func TestValidateProfileFormat(t *testing.T) {