From 6905fef761f187e96f2877c4936a74c9e8aa3757 Mon Sep 17 00:00:00 2001
From: yanghesong
Date: Sun, 9 Jan 2022 09:11:49 +0800
Subject: [PATCH 1/2] Remove runtime in validate

Validate is useless as dockershim is removed

Signed-off-by: yanghesong
---
 pkg/kubelet/kubelet.go | 2 +-
 pkg/security/apparmor/validate.go | 14 ++++----------
 pkg/security/apparmor/validate_test.go | 3 +--
 3 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 3369e11cb95..99af5a1bfa1 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -831,7 +831,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 
 if sysruntime.GOOS == "linux" {
 // AppArmor is a Linux kernel security module and it does not support other operating systems.
- klet.appArmorValidator = apparmor.NewValidator(containerRuntime)
+ klet.appArmorValidator = apparmor.NewValidator()
 klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
 }
 klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index 370af602df4..fe52b5f9a75 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -1,4 +1,4 @@
-/*
+/*/*
 Copyright 2016 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,7 +29,6 @@ import (
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 "k8s.io/kubernetes/pkg/features"
- kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 utilpath "k8s.io/utils/path"
 )
 
@@ -44,8 +43,8 @@ type Validator interface {
 }
 
 // NewValidator is in order to find AppArmor FS
-func NewValidator(runtime string) Validator {
- if err := validateHost(runtime); err != nil {
+func NewValidator() Validator {
+ if err := validateHost(); err != nil {
 return &validator{validateHostErr: err}
 }
 appArmorFS, err := getAppArmorFS()
@@ -90,7 +89,7 @@ func (v *validator) ValidateHost() error {
 }
 
 // Verify that the host and runtime is capable of enforcing AppArmor profiles.
-func validateHost(runtime string) error {
+func validateHost() error {
 // Check feature-gates
 if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) {
 return errors.New("AppArmor disabled by feature-gate")
@@ -106,11 +105,6 @@ func validateHost(runtime string) error {
 return errors.New("AppArmor is not enabled on the host")
 }
 
- // Check runtime support. Currently only Docker is supported.
- if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
- return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q", runtime)
- }
-
 return nil
 }
 
diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go
index 65ab4e4f4f6..03b4a487f47 100644
--- a/pkg/security/apparmor/validate_test.go
+++ b/pkg/security/apparmor/validate_test.go
@@ -43,8 +43,7 @@ func TestValidateHost(t *testing.T) {
 // The test should be manually run if modifying the getAppArmorFS function.
 t.Skip()
 
- assert.NoError(t, validateHost("docker"))
- assert.Error(t, validateHost("rkt"))
+ assert.NoError(t, validateHost())
 }
 
 func TestValidateProfileFormat(t *testing.T) {
From b4f6eb681cb0aca9ed0f598a59821032ddc14774 Mon Sep 17 00:00:00 2001
From: yanghesong
Date: Sun, 9 Jan 2022 09:19:31 +0800
Subject: [PATCH 2/2] Remove runtime in validate

Validate is useless as dockershim is removed

Signed-off-by: yanghesong
---
 pkg/security/apparmor/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

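Review bot: The doc comment above the new `NewValidator()` signature, "NewValidator is in order to find AppArmor FS", does not state the one thing a caller of the constructor needs to know from the visible lines: a failing `validateHost()` is not returned, it is stored in `validateHostErr` and the constructor still hands back a usable `Validator`. Since this value feeds the AppArmor admission handler, the deferred-error behaviour is the security-relevant part of the contract and should be written down. Suggest `// NewValidator returns a Validator for this host. A host-support failure is not returned here; it is recorded in validateHostErr and is presumably reported by ValidateHost so admission can reject pods that request AppArmor.` The body of NewValidator continues past the end of the hunk.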
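Review bot: The comment directly above the new `validateHost()` signature still reads "Verify that the host and runtime is capable of enforcing AppArmor profiles.", but the runtime check is exactly what this series deletes in the `@@ -106,11 +105,6 @@` hunk, so the sentence now promises more than the function proves. With the check gone, the kubelet admits an AppArmor-annotated pod on the strength of the feature gate and the host-side enabled check alone; whether the CRI runtime actually applies the profile is no longer validated here, and operators reading this code should see that stated. Suggest `// Verify that the host is capable of enforcing AppArmor profiles (feature gate and kernel-side enablement). Runtime support is not checked here; applying or rejecting the profile is left to the CRI runtime.` The body of validateHost continues past the end of this hunk.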
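Review bot: After this hunk `TestValidateHost` keeps only the success assertion `assert.NoError(t, validateHost())`, and it sits below an unconditional `t.Skip()`, so neither the host-enabled path nor either failure path of the new `validateHost()` (feature gate off, AppArmor not enabled on the host) is exercised by CI. The dropped `assert.Error(t, validateHost("rkt"))` was the only negative case in this test. If a negative case is wanted that does not depend on the machine's AppArmor state, disabling the AppArmor feature gate for the duration of the test and asserting an error would cover the first check in `validateHost()` without needing `t.Skip()`. The function's body ends within the hunk.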
diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index fe52b5f9a75..34a0b1ee368 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -1,4 +1,4 @@
-/*/*
+/*
 Copyright 2016 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
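Review bot: This patch only reverts the `/*/*` that PATCH 1/2 introduced into the same file's license header, so the series carries an intermediate commit whose only purpose is to undo a slip in the previous one. It should be squashed into the first patch so the `-/*` / `+/*/*` hunk never lands and a bisect cannot stop on a commit with a mangled header. The commit message is also identical to the first patch's, which hides that this is a fixup rather than a second change.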