Forbid empty AppArmor localhost profile
This commit is contained in:
parent
30a21e9abd
commit
f780889d4c
@ -74,10 +74,19 @@ func (v *validator) Validate(pod *v1.Pod) error {
|
||||
|
||||
var retErr error
|
||||
podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
|
||||
retErr = ValidateProfileFormat(GetProfileName(pod, container.Name))
|
||||
profile := GetProfileName(pod, container.Name)
|
||||
retErr = ValidateProfileFormat(profile)
|
||||
if retErr != nil {
|
||||
return false
|
||||
}
|
||||
// TODO(#64841): This would ideally be part of ValidateProfileFormat, but that is called for
|
||||
// API validation, and this is tightening validation.
|
||||
if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
|
||||
if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" {
|
||||
retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile)
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
})
|
||||
|
||||
|
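Review bot: The `strings.TrimSpace` check on the new `if` line only rejects a name that is empty or whitespace-only after the prefix; a name with surrounding whitespace, such as `localhost/ foo`, is passed through unchanged to whatever consumes the profile name, and if ValidateProfileFormat (not visible here) does not normalize or reject it, that asymmetry deserves a sentence in the comment. I would extend the TODO comment with `// Only empty/whitespace-only names are rejected here; other whitespace is left to ValidateProfileFormat.` so the next reader does not assume the name has been trimmed. The error message on the `retErr = fmt.Errorf` line uses `%q`, which is the right choice since it makes a whitespace-only name visible in the reported error. The body of Validate, including what is done with retErr after VisitContainers returns, continues outside the hunk.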
@ -109,6 +109,8 @@ func TestValidateValidHost(t *testing.T) {
|
||||
{v1.AppArmorBetaProfileNamePrefix + "foo-container", true},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true},
|
||||
{"docker-default", false},
|
||||
{v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden.
|
||||
{v1.AppArmorBetaProfileNamePrefix + " ", false},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
|
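Review bot: The two added table rows pin that an empty and a single-space localhost name are rejected, but nothing in the table records that a name with leading whitespace followed by a real name is still accepted, so the boundary of the new TrimSpace check is only half documented by the test. A row such as `{v1.AppArmorBetaProfileNamePrefix + " foo", true}, // Only empty/whitespace-only names are rejected.` would make that intent explicit, assuming the validator accepts it as it appears to from the hunk above. The surrounding test function starts and ends outside the hunk.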