github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-05 07:27:21 +00:00
Code Issues Projects Releases Wiki Activity

Remove apparmor dependency on pkg/kubelet/lifecycle

Browse Source
This commit is contained in:
Tim St. Clair
2016-08-16 15:44:50 -07:00
parent 413677110b
commit f94df59791
4 changed files with 57 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
pkg/security/apparmor/validate.go
View File

@@ -26,7 +26,6 @@ import (
"strings"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
"k8s.io/kubernetes/pkg/util"
)
@@ -34,11 +33,12 @@ import (
// Set to true if the wrong build tags are set (see validate_disabled.go).
var isDisabledBuild bool
const (
rejectReason = "AppArmor"
)
// Interface for validating that a pod with with an AppArmor profile can be run by a Node.
type Validator interface {
Validate(pod *api.Pod) error
}
func NewValidator(runtime string) lifecycle.PodAdmitHandler {
func NewValidator(runtime string) Validator {
if err := validateHost(runtime); err != nil {
return &validator{validateHostErr: err}
}
@@ -58,21 +58,7 @@ type validator struct {
appArmorFS string
}
// TODO(timstclair): Refactor the PodAdmitInterface to return a (Admit, Reason Message) rather than
// the PodAdmitResult struct so that the interface can be implemented without importing lifecycle.
func (v *validator) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
err := v.validate(attrs.Pod)
if err == nil {
return lifecycle.PodAdmitResult{Admit: true}
}
return lifecycle.PodAdmitResult{
Admit: false,
Reason: rejectReason,
Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
}
}
func (v *validator) validate(pod *api.Pod) error {
func (v *validator) Validate(pod *api.Pod) error {
if !isRequired(pod) {
return nil
}
@@ -122,18 +108,27 @@ func validateHost(runtime string) error {
// Verify that the profile is valid and loaded.
func validateProfile(profile string, loadedProfiles map[string]bool) error {
if err := ValidateProfileFormat(profile); err != nil {
return err
}
if strings.HasPrefix(profile, ProfileNamePrefix) {
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
if !loadedProfiles[profileName] {
return fmt.Errorf("profile %q is not loaded", profileName)
}
}
return nil
}
func ValidateProfileFormat(profile string) error {
if profile == "" || profile == ProfileRuntimeDefault {
return nil
}
if !strings.HasPrefix(profile, ProfileNamePrefix) {
return fmt.Errorf("invalid AppArmor profile name: %q", profile)
}
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
if !loadedProfiles[profileName] {
return fmt.Errorf("profile %q is not loaded", profileName)
}
return nil
}