Merge pull request #97968 from saschagrunert/apparmor-host-check

Remove check for apparmor_parser in AppArmor host validation
2025-07-22 11:21:47 +00:00 · 2021-04-13 01:58:50 -07:00 · 2021-04-13 01:58:50 -07:00 · dd72c4534c
commit dd72c4534c
parent 1fa101d1a4 0d22571519
2 changed files with 5 additions and 19 deletions
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@ -20,11 +20,11 @@ import (
 	"bufio"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"strings"

+	"github.com/opencontainers/runc/libcontainer/apparmor"
 	v1 "k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
@ -107,7 +107,7 @@ func validateHost(runtime string) error {
 	}

 	// Check kernel support.
-	if !IsAppArmorEnabled() {
+	if !apparmor.IsEnabled() {
 		return errors.New("AppArmor is not enabled on the host")
 	}

@ -212,17 +212,3 @@ func getAppArmorFS() (string, error) {

 	return "", errors.New("securityfs not found")
 }
-
-// IsAppArmorEnabled returns true if apparmor is enabled for the host.
-// This function is forked from
-// https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go
-// to avoid the libapparmor dependency.
-func IsAppArmorEnabled() bool {
-	if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
-		if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
-			buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
-			return err == nil && len(buf) > 1 && buf[0] == 'Y'
-		}
-	}
-	return false
-}
--- a/test/e2e_node/apparmor_test.go
+++ b/test/e2e_node/apparmor_test.go
@ -27,7 +27,8 @@ import (
 	"strconv"
 	"strings"

-	"k8s.io/api/core/v1"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@ -37,7 +38,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 	watchtools "k8s.io/client-go/tools/watch"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/security/apparmor"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"

@ -246,5 +246,5 @@ func isAppArmorEnabled() bool {
 	if strings.Contains(framework.TestContext.NodeName, "-ubuntu-") {
 		return true
 	}
-	return apparmor.IsAppArmorEnabled()
+	return apparmor.IsEnabled()
 }