Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/security')
-rw-r--r-- | vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go | 9 | ||||
-rw-r--r-- | vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go | 13 |
2 files changed, 13 insertions, 9 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go b/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
index 4412d2a9a..5352f1332 100644
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
@@ -19,7 +19,7 @@ package apparmor
 import (
 	"strings"
-	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/api/core/v1"
 )
 // TODO: Move these values into the API package.
@@ -35,13 +35,16 @@ const (
 	ProfileRuntimeDefault = "runtime/default"
 	// The prefix for specifying profiles loaded on the node.
 	ProfileNamePrefix = "localhost/"
+
+	// Unconfined profile
+	ProfileNameUnconfined = "unconfined"
 )
 // Checks whether app armor is required for pod to be run.
 func isRequired(pod *v1.Pod) bool {
-	for key := range pod.Annotations {
+	for key, value := range pod.Annotations {
 		if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) {
-			return true
+			return value != ProfileNameUnconfined
 		}
 	}
 	return false
diff --git a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
index cf12df3c1..740698f20 100644
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
@@ -25,10 +25,11 @@ import (
 	"path"
 	"strings"
+	"k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/pkg/util"
+	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+	utilfile "k8s.io/kubernetes/pkg/util/file"
 )
 // Whether AppArmor should be disabled by default.
@@ -111,8 +112,8 @@ func validateHost(runtime string) error {
 	}
 	// Check runtime support. Currently only Docker is supported.
-	if runtime != "docker" {
-		return fmt.Errorf("AppArmor is only enabled for 'docker' runtime. Found: %q.", runtime)
+	if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
+		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
 	}
 	return nil
@@ -135,7 +136,7 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
 }
 func ValidateProfileFormat(profile string) error {
-	if profile == "" || profile == ProfileRuntimeDefault {
+	if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
 		return nil
 	}
 	if !strings.HasPrefix(profile, ProfileNamePrefix) {
@@ -194,7 +195,7 @@ func getAppArmorFS() (string, error) {
 		}
 		if fields[2] == "securityfs" {
 			appArmorFS := path.Join(fields[1], "apparmor")
-			if ok, err := util.FileExists(appArmorFS); !ok {
+			if ok, err := utilfile.FileExists(appArmorFS); !ok {
 				msg := fmt.Sprintf("path %s does not exist", appArmorFS)
 				if err != nil {
 					return "", fmt.Errorf("%s: %v", msg, err)
|