NotificationsYou must be signed in to change notification settings
Fork41k
Star116k

Commit963a9ac

authored

Merge pull request#131989 from tallclair/apparmor-cleanup

Apparmor cleanup

2 parentsabbee01 +5f82919 commit963a9acCopy full SHA for 963a9ac

File tree

6 files changed

+70

-248

lines changed

pkg
- api/pod
- registry/core/pod
  - strategy.go
  - strategy_test.go

6 files changed

+70

-248

lines changed

`‎pkg/api/pod/util.go`

Lines changed: 26 additions & 29 deletions

Original file line number	Diff line number	Diff line change
`@@ -1232,35 +1232,6 @@ func procMountInUse(podSpec *api.PodSpec) bool {`
`1232`	`1232`	`returninUse`
`1233`	`1233`	`}`
`1234`	`1234`
`1235`		`-// appArmorAnnotationsInUse returns true if the pod has apparmor annotations`
`1236`		`-funcappArmorAnnotationsInUse(podAnnotationsmap[string]string)bool {`
`1237`		`-fork:=rangepodAnnotations {`
`1238`		`-ifstrings.HasPrefix(k,api.DeprecatedAppArmorAnnotationKeyPrefix) {`
`1239`		`-returntrue`
`1240`		`-}`
`1241`		`-}`
`1242`		`-returnfalse`
`1243`		`-}`
`1244`		`-`
`1245`		`-// appArmorFieldsInUse returns true if the pod has apparmor fields set`
`1246`		`-funcappArmorFieldsInUse(podSpec*api.PodSpec)bool {`
`1247`		`-ifpodSpec==nil {`
`1248`		`-returnfalse`
`1249`		`-}`
`1250`		`-ifpodSpec.SecurityContext!=nil&&podSpec.SecurityContext.AppArmorProfile!=nil {`
`1251`		`-returntrue`
`1252`		`-}`
`1253`		`-hasAppArmorContainer:=false`
`1254`		`-VisitContainers(podSpec,AllContainers,func(c*api.Container,_ContainerType)bool {`
`1255`		`-ifc.SecurityContext!=nil&&c.SecurityContext.AppArmorProfile!=nil {`
`1256`		`-hasAppArmorContainer=true`
`1257`		`-returnfalse`
`1258`		`-}`
`1259`		`-returntrue`
`1260`		`-})`
`1261`		`-returnhasAppArmorContainer`
`1262`		`-}`
`1263`		`-`
`1264`	`1235`	`// restartableInitContainersInUse returns true if the pod spec is non-nil and`
`1265`	`1236`	`// it has any init container with ContainerRestartPolicyAlways.`
`1266`	`1237`	`funcrestartableInitContainersInUse(podSpec*api.PodSpec)bool {`
`@@ -1561,3 +1532,29 @@ func HasAPIObjectReference(pod *api.Pod) (bool, string, error) {`
`1561`	`1532`
`1562`	`1533`	`returnfalse,"",nil`
`1563`	`1534`	`}`
	`1535`	`+`
	`1536`	`+// ApparmorFieldForAnnotation takes a pod annotation and returns the converted`
	`1537`	`+// apparmor profile field.`
	`1538`	`+funcApparmorFieldForAnnotation(annotationstring)*api.AppArmorProfile {`
	`1539`	`+ifannotation==api.DeprecatedAppArmorAnnotationValueUnconfined {`
	`1540`	`+return&api.AppArmorProfile{Type:api.AppArmorProfileTypeUnconfined}`
	`1541`	`+}`
	`1542`	`+`
	`1543`	`+ifannotation==api.DeprecatedAppArmorAnnotationValueRuntimeDefault {`
	`1544`	`+return&api.AppArmorProfile{Type:api.AppArmorProfileTypeRuntimeDefault}`
	`1545`	`+}`
	`1546`	`+`
	`1547`	`+ifstrings.HasPrefix(annotation,api.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {`
	`1548`	`+localhostProfile:=strings.TrimPrefix(annotation,api.DeprecatedAppArmorAnnotationValueLocalhostPrefix)`
	`1549`	`+iflocalhostProfile!="" {`
	`1550`	`+return&api.AppArmorProfile{`
	`1551`	`+Type:api.AppArmorProfileTypeLocalhost,`
	`1552`	`+LocalhostProfile:&localhostProfile,`
	`1553`	`+}`
	`1554`	`+}`
	`1555`	`+}`
	`1556`	`+`
	`1557`	`+// we can only reach this code path if the localhostProfile name has a zero`
	`1558`	`+// length or if the annotation has an unrecognized value`
	`1559`	`+returnnil`
	`1560`	`+}`

`‎pkg/api/pod/util_test.go`

Lines changed: 0 additions & 99 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,10 +25,8 @@ import (`
`25`	`25`
`26`	`26`	`"github.com/google/go-cmp/cmp"`
`27`	`27`	`"github.com/stretchr/testify/assert"`
`28`		`-"github.com/stretchr/testify/require"`
`29`	`28`	`"k8s.io/component-base/featuregate"`
`30`	`29`
`31`		`-v1"k8s.io/api/core/v1"`
`32`	`30`	`"k8s.io/apimachinery/pkg/api/resource"`
`33`	`31`	`metav1"k8s.io/apimachinery/pkg/apis/meta/v1"`
`34`	`32`	`"k8s.io/apimachinery/pkg/util/sets"`
`@@ -849,103 +847,6 @@ func TestDropProcMount(t *testing.T) {`
`849`	`847`	`}`
`850`	`848`	`}`
`851`	`849`
`852`		`-funcTestDropAppArmor(t*testing.T) {`
`853`		`-tests:= []struct {`
`854`		`-descriptionstring`
`855`		`-hasAnnotationsbool`
`856`		`-hasFieldsbool`
`857`		`-pod api.Pod`
`858`		`-}{{`
`859`		`-description:"with AppArmor Annotations",`
`860`		`-hasAnnotations:true,`
`861`		`-pod: api.Pod{`
`862`		`-ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{"a":"1",v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+"foo":"default"}},`
`863`		`-Spec: api.PodSpec{},`
`864`		`-},`
`865`		`-}, {`
`866`		`-description:"with AppArmor Annotations & fields",`
`867`		`-hasAnnotations:true,`
`868`		`-hasFields:true,`
`869`		`-pod: api.Pod{`
`870`		`-ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{"a":"1",v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+"foo":"default"}},`
`871`		`-Spec: api.PodSpec{`
`872`		`-SecurityContext:&api.PodSecurityContext{`
`873`		`-AppArmorProfile:&api.AppArmorProfile{`
`874`		`-Type:api.AppArmorProfileTypeRuntimeDefault,`
`875`		`-},`
`876`		`-},`
`877`		`-},`
`878`		`-},`
`879`		`-}, {`
`880`		`-description:"with pod AppArmor profile",`
`881`		`-hasFields:true,`
`882`		`-pod: api.Pod{`
`883`		`-ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{"a":"1"}},`
`884`		`-Spec: api.PodSpec{`
`885`		`-SecurityContext:&api.PodSecurityContext{`
`886`		`-AppArmorProfile:&api.AppArmorProfile{`
`887`		`-Type:api.AppArmorProfileTypeRuntimeDefault,`
`888`		`-},`
`889`		`-},`
`890`		`-},`
`891`		`-},`
`892`		`-}, {`
`893`		`-description:"with container AppArmor profile",`
`894`		`-hasFields:true,`
`895`		`-pod: api.Pod{`
`896`		`-ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{"a":"1"}},`
`897`		`-Spec: api.PodSpec{`
`898`		`-Containers: []api.Container{{`
`899`		`-SecurityContext:&api.SecurityContext{`
`900`		`-AppArmorProfile:&api.AppArmorProfile{`
`901`		`-Type:api.AppArmorProfileTypeRuntimeDefault,`
`902`		`-},`
`903`		`-},`
`904`		`-}},`
`905`		`-},`
`906`		`-},`
`907`		`-}, {`
`908`		`-description:"without AppArmor",`
`909`		`-pod: api.Pod{`
`910`		`-ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{"a":"1"}},`
`911`		`-Spec: api.PodSpec{},`
`912`		`-},`
`913`		`-}}`
`914`		`-`
`915`		`-for_,test:=rangetests {`
`916`		`-`
`917`		`-t.Run(fmt.Sprintf("%v",test.description),func(t*testing.T) {`
`918`		`-newPod:=test.pod.DeepCopy()`
`919`		`-`
`920`		`-ifhasAnnotations:=appArmorAnnotationsInUse(newPod.Annotations);hasAnnotations!=test.hasAnnotations {`
`921`		`-t.Errorf("appArmorAnnotationsInUse does not match expectation: %t != %t",hasAnnotations,test.hasAnnotations)`
`922`		`-}`
`923`		`-ifhasFields:=appArmorFieldsInUse(&newPod.Spec);hasFields!=test.hasFields {`
`924`		`-t.Errorf("appArmorFieldsInUse does not match expectation: %t != %t",hasFields,test.hasFields)`
`925`		`-}`
`926`		`-`
`927`		`-DropDisabledPodFields(newPod,newPod)`
`928`		`-require.Equal(t,&test.pod,newPod,"unchanged pod should never be mutated")`
`929`		`-`
`930`		`-DropDisabledPodFields(newPod,nil)`
`931`		`-assert.Equal(t,&test.pod,newPod,"pod should not be mutated when both feature gates are enabled")`
`932`		`-`
`933`		`-expectAnnotations:=test.hasAnnotations`
`934`		`-assert.Equal(t,expectAnnotations,appArmorAnnotationsInUse(newPod.Annotations),"AppArmor annotations expectation")`
`935`		`-ifexpectAnnotations==test.hasAnnotations {`
`936`		`-assert.Equal(t,test.pod.Annotations,newPod.Annotations,"annotations should not be mutated")`
`937`		`-}`
`938`		`-`
`939`		`-expectFields:=test.hasFields`
`940`		`-assert.Equal(t,expectFields,appArmorFieldsInUse(&newPod.Spec),"AppArmor fields expectation")`
`941`		`-ifexpectFields==test.hasFields {`
`942`		`-assert.Equal(t,&test.pod.Spec,&newPod.Spec,"PodSpec should not be mutated")`
`943`		`-}`
`944`		`-})`
`945`		`-`
`946`		`-}`
`947`		`-}`
`948`		`-`
`949`	`850`	`funcTestDropDynamicResourceAllocation(t*testing.T) {`
`950`	`851`	`resourceClaimName:="external-claim"`
`951`	`852`

`‎pkg/api/pod/warnings.go`

Lines changed: 11 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ import (`
`22`	`22`	`"os"`
`23`	`23`	`"strings"`
`24`	`24`
	`25`	`+apiequality"k8s.io/apimachinery/pkg/api/equality"`
`25`	`26`	`metav1"k8s.io/apimachinery/pkg/apis/meta/v1"`
`26`	`27`	`"k8s.io/apimachinery/pkg/util/sets"`
`27`	`28`	`"k8s.io/apimachinery/pkg/util/validation"`
`@@ -224,7 +225,10 @@ func warningsForPodSpecAndMeta(fieldPath field.Path, podSpec api.PodSpec, meta`
`224`	`225`	warnings=append(warnings,fmt.Sprintf(`%s: non-functional in v1.27+; use the "seccompProfile" field instead`,fieldPath.Child("metadata","annotations").Key(api.SeccompPodAnnotationKey)))
`225`	`226`	`}`
`226`	`227`	`}`
`227`		`-hasPodAppArmorProfile:=podSpec.SecurityContext!=nil&&podSpec.SecurityContext.AppArmorProfile!=nil`
	`228`	`+varpodAppArmorProfile*api.AppArmorProfile`
	`229`	`+ifpodSpec.SecurityContext!=nil {`
	`230`	`+podAppArmorProfile=podSpec.SecurityContext.AppArmorProfile`
	`231`	`+}`
`228`	`232`
`229`	`233`	`pods.VisitContainersWithPath(podSpec,fieldPath.Child("spec"),func(capi.Container,pfield.Path)bool {`
`230`	`234`	`// use of container seccomp annotation without accompanying field`
`@@ -237,11 +241,14 @@ func warningsForPodSpecAndMeta(fieldPath field.Path, podSpec api.PodSpec, meta`
`237`	`241`	`// use of container AppArmor annotation without accompanying field`
`238`	`242`
`239`	`243`	`isPodTemplate:=fieldPath!=nil// Pod warnings are emitted through applyAppArmorVersionSkew instead.`
`240`		`-hasAppArmorField:=hasPodAppArmorProfile\|\| (c.SecurityContext!=nil&&c.SecurityContext.AppArmorProfile!=nil)`
	`244`	`+hasAppArmorField:=c.SecurityContext!=nil&&c.SecurityContext.AppArmorProfile!=nil`
`241`	`245`	`ifisPodTemplate&&!hasAppArmorField {`
`242`	`246`	`key:=api.DeprecatedAppArmorAnnotationKeyPrefix+c.Name`
`243`		`-if_,exists:=meta.Annotations[key];exists {`
`244`		-warnings=append(warnings,fmt.Sprintf(`%s: deprecated since v1.30; use the "appArmorProfile" field instead`,fieldPath.Child("metadata","annotations").Key(key)))
	`247`	`+ifannotation,exists:=meta.Annotations[key];exists {`
	`248`	`+// Only warn if the annotation doesn't match the pod profile.`
	`249`	`+ifpodAppArmorProfile==nil\|\|!apiequality.Semantic.DeepEqual(podAppArmorProfile,ApparmorFieldForAnnotation(annotation)) {`
	`250`	+warnings=append(warnings,fmt.Sprintf(`%s: deprecated since v1.30; use the "appArmorProfile" field instead`,fieldPath.Child("metadata","annotations").Key(key)))
	`251`	`+}`
`245`	`252`	`}`
`246`	`253`	`}`
`247`	`254`

`‎pkg/api/pod/warnings_test.go`

Lines changed: 21 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1852,7 +1852,7 @@ func TestTemplateOnlyWarnings(t *testing.T) {`
`1852`	`1852`	`expected []string`
`1853`	`1853`	`}{`
`1854`	`1854`	`{`
`1855`		`-name:"annotations",`
	`1855`	`+name:"AppArmorannotations",`
`1856`	`1856`	`template:&api.PodTemplateSpec{`
`1857`	`1857`	`ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{`
`1858`	`1858`	`container.apparmor.security.beta.kubernetes.io/foo`:`unconfined`,
`@@ -1864,7 +1864,7 @@ func TestTemplateOnlyWarnings(t *testing.T) {`
`1864`	`1864`	`},`
`1865`	`1865`	`},`
`1866`	`1866`	`{`
`1867`		`-name:"AppArmor pod field",`
	`1867`	`+name:"AppArmormatchingpod field",`
`1868`	`1868`	`template:&api.PodTemplateSpec{`
`1869`	`1869`	`ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{`
`1870`	`1870`	`container.apparmor.security.beta.kubernetes.io/foo`:`unconfined`,
`@@ -1880,6 +1880,25 @@ func TestTemplateOnlyWarnings(t *testing.T) {`
`1880`	`1880`	`},`
`1881`	`1881`	`expected: []string{},`
`1882`	`1882`	`},`
	`1883`	`+{`
	`1884`	`+name:"AppArmor different pod field",`
	`1885`	`+template:&api.PodTemplateSpec{`
	`1886`	`+ObjectMeta: metav1.ObjectMeta{Annotations:map[string]string{`
	`1887`	+`container.apparmor.security.beta.kubernetes.io/foo`:`localhost/foo`,
	`1888`	`+}},`
	`1889`	`+Spec: api.PodSpec{`
	`1890`	`+SecurityContext:&api.PodSecurityContext{`
	`1891`	`+AppArmorProfile:&api.AppArmorProfile{Type:api.AppArmorProfileTypeLocalhost,LocalhostProfile:ptr.To("bar")},`
	`1892`	`+},`
	`1893`	`+Containers: []api.Container{{`
	`1894`	`+Name:"foo",`
	`1895`	`+}},`
	`1896`	`+},`
	`1897`	`+},`
	`1898`	`+expected: []string{`
	`1899`	+`template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/foo]: deprecated since v1.30; use the "appArmorProfile" field instead`,
	`1900`	`+},`
	`1901`	`+},`
`1883`	`1902`	`{`
`1884`	`1903`	`name:"AppArmor container field",`
`1885`	`1904`	`template:&api.PodTemplateSpec{`

`‎pkg/registry/core/pod/strategy.go`

Lines changed: 3 additions & 68 deletions

Original file line number	Diff line number	Diff line change
`@@ -958,23 +958,9 @@ func applyAppArmorVersionSkew(ctx context.Context, pod *api.Pod) {`
`958`	`958`	`containerProfile=ctr.SecurityContext.AppArmorProfile`
`959`	`959`	`}`
`960`	`960`
`961`		`-// sync field and annotation`
`962`		`-if!hasAnnotation {`
`963`		`-newAnnotation:=""`
`964`		`-ifcontainerProfile!=nil {`
`965`		`-newAnnotation=appArmorAnnotationForField(containerProfile)`
`966`		`-}elseifpodProfile!=nil {`
`967`		`-newAnnotation=appArmorAnnotationForField(podProfile)`
`968`		`-}`
`969`		`-`
`970`		`-ifnewAnnotation!="" {`
`971`		`-ifpod.Annotations==nil {`
`972`		`-pod.Annotations=map[string]string{}`
`973`		`-}`
`974`		`-pod.Annotations[key]=newAnnotation`
`975`		`-}`
`976`		`-}elseifcontainerProfile==nil {`
`977`		`-newField:=apparmorFieldForAnnotation(annotation)`
	`961`	`+// Sync deprecated AppArmor annotations to fields`
	`962`	`+ifhasAnnotation&&containerProfile==nil {`
	`963`	`+newField:=podutil.ApparmorFieldForAnnotation(annotation)`
`978`	`964`	`iferrs:=corevalidation.ValidateAppArmorProfileField(newField,&field.Path{});len(errs)>0 {`
`979`	`965`	`// Skip copying invalid value.`
`980`	`966`	`newField=nil`
`@@ -1006,57 +992,6 @@ func applyAppArmorVersionSkew(ctx context.Context, pod *api.Pod) {`
`1006`	`992`	`})`
`1007`	`993`	`}`
`1008`	`994`
`1009`		`-// appArmorFieldForAnnotation takes a pod apparmor profile field and returns the`
`1010`		`-// converted annotation value`
`1011`		`-funcappArmorAnnotationForField(field*api.AppArmorProfile)string {`
`1012`		`-// If only apparmor fields are specified, add the corresponding annotations.`
`1013`		`-// This ensures that the fields are enforced even if the node version`
`1014`		`-// trails the API version`
`1015`		`-switchfield.Type {`
`1016`		`-caseapi.AppArmorProfileTypeUnconfined:`
`1017`		`-returnapi.DeprecatedAppArmorAnnotationValueUnconfined`
`1018`		`-`
`1019`		`-caseapi.AppArmorProfileTypeRuntimeDefault:`
`1020`		`-returnapi.DeprecatedAppArmorAnnotationValueRuntimeDefault`
`1021`		`-`
`1022`		`-caseapi.AppArmorProfileTypeLocalhost:`
`1023`		`-iffield.LocalhostProfile!=nil {`
`1024`		`-returnapi.DeprecatedAppArmorAnnotationValueLocalhostPrefix+*field.LocalhostProfile`
`1025`		`-}`
`1026`		`-}`
`1027`		`-`
`1028`		`-// we can only reach this code path if the LocalhostProfile is nil but the`
`1029`		`-// provided field type is AppArmorProfileTypeLocalhost or if an unrecognized`
`1030`		`-// type is specified`
`1031`		`-return""`
`1032`		`-}`
`1033`		`-`
`1034`		`-// apparmorFieldForAnnotation takes a pod annotation and returns the converted`
`1035`		`-// apparmor profile field.`
`1036`		`-funcapparmorFieldForAnnotation(annotationstring)*api.AppArmorProfile {`
`1037`		`-ifannotation==api.DeprecatedAppArmorAnnotationValueUnconfined {`
`1038`		`-return&api.AppArmorProfile{Type:api.AppArmorProfileTypeUnconfined}`
`1039`		`-}`
`1040`		`-`
`1041`		`-ifannotation==api.DeprecatedAppArmorAnnotationValueRuntimeDefault {`
`1042`		`-return&api.AppArmorProfile{Type:api.AppArmorProfileTypeRuntimeDefault}`
`1043`		`-}`
`1044`		`-`
`1045`		`-ifstrings.HasPrefix(annotation,api.DeprecatedAppArmorAnnotationValueLocalhostPrefix) {`
`1046`		`-localhostProfile:=strings.TrimPrefix(annotation,api.DeprecatedAppArmorAnnotationValueLocalhostPrefix)`
`1047`		`-iflocalhostProfile!="" {`
`1048`		`-return&api.AppArmorProfile{`
`1049`		`-Type:api.AppArmorProfileTypeLocalhost,`
`1050`		`-LocalhostProfile:&localhostProfile,`
`1051`		`-}`
`1052`		`-}`
`1053`		`-}`
`1054`		`-`
`1055`		`-// we can only reach this code path if the localhostProfile name has a zero`
`1056`		`-// length or if the annotation has an unrecognized value`
`1057`		`-returnnil`
`1058`		`-}`
`1059`		`-`
`1060`	`995`	`// updatePodGeneration bumps metadata.generation if needed for any updates`
`1061`	`996`	`// to the podspec.`
`1062`	`997`	`funcupdatePodGeneration(newPod,oldPod*api.Pod) {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit963a9ac

File tree

6 files changed

6 files changed

`‎pkg/api/pod/util.go`

`‎pkg/api/pod/util_test.go`

`‎pkg/api/pod/warnings.go`

`‎pkg/api/pod/warnings_test.go`

`‎pkg/registry/core/pod/strategy.go`

0 commit comments