Skip to content

Commit

Permalink
LinuxContainerSecurityContext field apparmor_profile has been depreca…
Browse files Browse the repository at this point in the history
…ted in favor of the newer structured apparmor field.

Introduce new tests for new field Apparmor alongside the old ApparmorProfile

Signed-off-by: roman-kiselenko <roman.kiselenko.dev@gmail.com>
  • Loading branch information
roman-kiselenko committed Apr 22, 2024
1 parent 5c770d7 commit cd70a05
Showing 1 changed file with 34 additions and 7 deletions.
41 changes: 34 additions & 7 deletions pkg/validate/apparmor_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,37 +82,64 @@ var _ = framework.KubeDescribe("AppArmor", func() {
})

It("should fail with an unloaded profile", func() {
profile := apparmorProfileNamePrefix + "non-existent-profile"
profile := &runtimeapi.LinuxContainerSecurityContext{
ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
}
containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
Expect(containerID).To(BeEmpty())
})

It("should enforce a profile blocking writes", func() {
profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write"
profile := &runtimeapi.LinuxContainerSecurityContext{
ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
}
containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
checkContainerApparmor(rc, containerID, false)
})

It("should enforce a permissive profile", func() {
profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write"
profile := &runtimeapi.LinuxContainerSecurityContext{
ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
}
containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
checkContainerApparmor(rc, containerID, true)
})

It("should work with another field", func() {
profile := &runtimeapi.LinuxContainerSecurityContext{
Apparmor: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
},
}
containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
Expect(containerID).To(BeEmpty())
})

It("should work with different fields", func() {
profile := &runtimeapi.LinuxContainerSecurityContext{
ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
Apparmor: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
},
}
containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
Expect(containerID).To(BeEmpty())
})
})
}
})

func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile string, shouldSucceed bool) string {
func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile *runtimeapi.LinuxContainerSecurityContext, shouldSucceed bool) string {
By("create a container with apparmor")
containerName := "apparmor-test-" + framework.NewUUID()
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: framework.TestContext.TestImageList.DefaultTestContainerImage},
Command: []string{"touch", "/tmp/foo"},
Linux: &runtimeapi.LinuxContainerConfig{
SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
ApparmorProfile: profile,
},
SecurityContext: profile,
},
}

Expand Down

0 comments on commit cd70a05

Please sign in to comment.