
Commit 2b1e724

Merge pull request #1400 from roman-kiselenko/feature/migrate-apparmor-profile-field
Introduce new tests for new field Apparmor alongside the old ApparmorProfile
2 parents d01c53d + 6362c63 commit 2b1e724


1 file changed

+119
-11
lines changed


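--- a/pkg/validate/apparmor_linux.go
+++ b/pkg/validate/apparmor_linux.go
@@ -53,6 +53,9 @@ profile cri-validate-apparmor-test-audit-write flags=(attach_disconnected) {
 `
 )
 
+// The AppArmor profile to the CRI via the deprecated apparmor_profile field
+// in favor of the newer structured apparmor field.
+// CRI provides the AppArmor profile via both fields to maintain backwards compatibility.
 var _ = framework.KubeDescribe("AppArmor", func() {
 f := framework.NewDefaultCRIFramework()
 
@@ -66,7 +69,7 @@ var _ = framework.KubeDescribe("AppArmor", func() {
 Expect(loadTestProfiles()).NotTo(HaveOccurred())
 })
 
-Context("runtime should support apparmor", func() {
+Context("runtime should support depracated apparmor_profile field", func() {
 var sandboxID string
 var sandboxConfig *runtimeapi.PodSandboxConfig
 
@@ -81,38 +84,143 @@ var _ = framework.KubeDescribe("AppArmor", func() {
 rc.RemovePodSandbox(context.TODO(), sandboxID)
 })
 
-It("should fail with an unloaded profile", func() {
-profile := apparmorProfileNamePrefix + "non-existent-profile"
+It("should fail with an unloaded apparmor_profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+}
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
 Expect(containerID).To(BeEmpty())
 })
 
-It("should enforce a profile blocking writes", func() {
-profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write"
+It("should enforce a apparmor_profile blocking writes", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+}
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 checkContainerApparmor(rc, containerID, false)
 })
 
-It("should enforce a permissive profile", func() {
-profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write"
+It("should enforce a permissive depracated profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+checkContainerApparmor(rc, containerID, true)
+})
+})
+
+Context("runtime should support apparmor field", func() {
+var sandboxID string
+var sandboxConfig *runtimeapi.PodSandboxConfig
+
+BeforeEach(func() {
+sandboxID, sandboxConfig = framework.CreatePodSandboxForContainer(rc)
+})
+
+AfterEach(func() {
+By("stop PodSandbox")
+rc.StopPodSandbox(context.TODO(), sandboxID)
+By("delete PodSandbox")
+rc.RemovePodSandbox(context.TODO(), sandboxID)
+})
+
+It("should fail with an unloaded apparmor_profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "non-existent-profile",
+},
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
+Expect(containerID).To(BeEmpty())
+})
+
+It("should enforce a apparmor_profile blocking writes", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+},
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+checkContainerApparmor(rc, containerID, false)
+})
+
+It("should enforce a permissive depracated profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
+},
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+checkContainerApparmor(rc, containerID, true)
+})
+})
+
+Context("runtime should prefer new apparmor field", func() {
+var sandboxID string
+var sandboxConfig *runtimeapi.PodSandboxConfig
+
+BeforeEach(func() {
+sandboxID, sandboxConfig = framework.CreatePodSandboxForContainer(rc)
+})
+
+AfterEach(func() {
+By("stop PodSandbox")
+rc.StopPodSandbox(context.TODO(), sandboxID)
+By("delete PodSandbox")
+rc.RemovePodSandbox(context.TODO(), sandboxID)
+})
+
+It("should fail with an unloaded apparmor_profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "non-existent-profile",
+},
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
+Expect(containerID).To(BeEmpty())
+})
+
+It("should enforce a apparmor_profile blocking writes", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+},
+}
+containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+checkContainerApparmor(rc, containerID, false)
+})
+
+It("should work with apparmor profile", func() {
+profile := &runtimeapi.LinuxContainerSecurityContext{
+ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+Apparmor: &runtimeapi.SecurityProfile{
+ProfileType: runtimeapi.SecurityProfile_Localhost,
+LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
+},
+}
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 checkContainerApparmor(rc, containerID, true)
 })
 })
 }
 })
 
-func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile string, shouldSucceed bool) string {
+func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile *runtimeapi.LinuxContainerSecurityContext, shouldSucceed bool) string {
 By("create a container with apparmor")
 containerName := "apparmor-test-" + framework.NewUUID()
 containerConfig := &runtimeapi.ContainerConfig{
 Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
 Image: &runtimeapi.ImageSpec{Image: framework.TestContext.TestImageList.DefaultTestContainerImage},
 Command: []string{"touch", "/tmp/foo"},
 Linux: &runtimeapi.LinuxContainerConfig{
-SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
-ApparmorProfile: profile,
-},
+SecurityContext: profile,
 },
 }
 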
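Review bot: The first It in the "runtime should prefer new apparmor field" Context sets both `ApparmorProfile` and `LocalhostRef` to the same non-existent profile, so it passes no matter which field the runtime honours and does not exercise preference; the case that catches a runtime quietly falling back to the deprecated field when the structured one cannot be resolved is a loadable `ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",` paired with `LocalhostRef: apparmorProfileNamePrefix + "non-existent-profile",`, still expecting an empty container ID. The It names are copied verbatim across the three Contexts ("should fail with an unloaded apparmor_profile", "should enforce a permissive depracated profile") although the second and third Contexts exercise the structured `Apparmor` field rather than `apparmor_profile`, and "depracated" is misspelled in the Context name and in two It names. The comment added above the KubeDescribe block in the first hunk does not read as a sentence; I would reword it as `// These tests exercise both the deprecated apparmor_profile field and the newer structured apparmor field; the CRI accepts both for backwards compatibility.` The enclosing KubeDescribe closure starts before the third hunk, and the body of createContainerWithAppArmor continues past its end.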