From 44159dfc3230c687229258496ffbe4f7889d5b03 Mon Sep 17 00:00:00 2001
From: Sergey Kanzhelev
Date: Tue, 14 Mar 2023 18:35:01 +0000
Subject: [PATCH] AppArmor no reevaluation of host is needed

---
 pkg/security/apparmor/validate.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go
index 35d9a337f09..23b637e535e 100644
--- a/pkg/security/apparmor/validate.go
+++ b/pkg/security/apparmor/validate.go
@@ -81,11 +81,14 @@ func (v *validator) Validate(pod *v1.Pod) error {
 return retErr
 }
 
+// ValidateHost verifies that the host and runtime is capable of enforcing AppArmor profiles.
+// Note, this is intentionally only check the host at kubelet startup and never re-evaluates the host
+// as the expectation is that the kubelet restart will be needed to enable or disable AppArmor support.
 func (v *validator) ValidateHost() error {
 return v.validateHostErr
 }
 
-// Verify that the host and runtime is capable of enforcing AppArmor profiles.
+// validateHost verifies that the host and runtime is capable of enforcing AppArmor profiles.
 func validateHost() error {
 // Check feature-gates
 if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) {
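Review bot: The new doc comment on `ValidateHost` should say what a nil return means for callers, and its second line has a grammar slip ("this is intentionally only check the host"). Since the method only returns the stored `v.validateHostErr`, a nil result describes the host as it was when that field was set, not its current state. If AppArmor is disabled on the node without a kubelet restart, this check would presumably still pass and enforcement would depend on the runtime alone. I would reword the note as `// Note: the host is intentionally checked only once, at kubelet startup; this returns that cached result and does not reflect later changes on the node.` followed by `// A kubelet restart is expected whenever AppArmor support is enabled or disabled.` The assignment of `validateHostErr` and the rest of `validateHost` lie outside this hunk, so the exact moment of caching should be confirmed there.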