From cd70a051bd57952d630d2bacae0d4d349e6fdd60 Mon Sep 17 00:00:00 2001
From: roman-kiselenko
Date: Mon, 15 Apr 2024 17:01:45 +0200
Subject: [PATCH] LinuxContainerSecurityContext field apparmor_profile has been deprecated in favor of the newer structured apparmor field. Introduce new tests for new field Apparmor alongside the old ApparmorProfile
Signed-off-by: roman-kiselenko
---
 pkg/validate/apparmor_linux.go | 41 ++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/pkg/validate/apparmor_linux.go b/pkg/validate/apparmor_linux.go
index e5144223af..3b0abfbd15 100644
--- a/pkg/validate/apparmor_linux.go
+++ b/pkg/validate/apparmor_linux.go
@@ -82,27 +82,56 @@ var _ = framework.KubeDescribe("AppArmor", func() {
 })
 It("should fail with an unloaded profile", func() {
- profile := apparmorProfileNamePrefix + "non-existent-profile"
+ profile := &runtimeapi.LinuxContainerSecurityContext{
+ ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+ }
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
 Expect(containerID).To(BeEmpty())
 })
 It("should enforce a profile blocking writes", func() {
- profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write"
+ profile := &runtimeapi.LinuxContainerSecurityContext{
+ ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+ }
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 checkContainerApparmor(rc, containerID, false)
 })
 It("should enforce a permissive profile", func() {
- profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write"
+ profile := &runtimeapi.LinuxContainerSecurityContext{
+ ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
+ }
 containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 checkContainerApparmor(rc, containerID, true)
 })
+
+ It("should work with another field", func() {
+ profile := &runtimeapi.LinuxContainerSecurityContext{
+ Apparmor: &runtimeapi.SecurityProfile{
+ ProfileType: runtimeapi.SecurityProfile_Localhost,
+ LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+ },
+ }
+ containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+ Expect(containerID).To(BeEmpty())
+ })
+
+ It("should work with different fields", func() {
+ profile := &runtimeapi.LinuxContainerSecurityContext{
+ ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+ Apparmor: &runtimeapi.SecurityProfile{
+ ProfileType: runtimeapi.SecurityProfile_Localhost,
+ LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+ },
+ }
+ containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+ Expect(containerID).To(BeEmpty())
+ })
 })
 }
 })
-func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile string, shouldSucceed bool) string {
+func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile *runtimeapi.LinuxContainerSecurityContext, shouldSucceed bool) string {
 By("create a container with apparmor")
 containerName := "apparmor-test-" + framework.NewUUID()
 containerConfig := &runtimeapi.ContainerConfig{
@@ -110,9 +139,7 @@ func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.I
 Image: &runtimeapi.ImageSpec{Image: framework.TestContext.TestImageList.DefaultTestContainerImage},
 Command: []string{"touch", "/tmp/foo"},
 Linux: &runtimeapi.LinuxContainerConfig{
- SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
- ApparmorProfile: profile,
- },
+ SecurityContext: profile,
 },
 }
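Review bot: Both new cases, `should work with another field` and `should work with different fields`, call `createContainerWithAppArmor(..., profile, true)` and then `Expect(containerID).To(BeEmpty())`, which contradicts the convention the existing cases establish (an unloaded profile passes `false` and expects an empty ID; a loaded profile passes `true` and calls `checkContainerApparmor`), and the test names promise success while the assertions require failure. For the `Apparmor`-only case the deny-write profile is the same one the legacy case treats as loaded, so the assertion should mirror that case, `checkContainerApparmor(rc, containerID, false)`; as written nothing verifies that a runtime honouring only the structured field actually enforces the profile, which is the security property this test exists for. The `different fields` case pins which of the deprecated `ApparmorProfile` and the structured `Apparmor` wins when they disagree, and the intended precedence is not stated anywhere in the hunk, so add a comment such as `// Conflicting legacy and structured profiles: expected to be rejected (confirm against the CRI spec before relying on this)` or, if the structured field is meant to take precedence, assert enforcement instead of an empty ID. The helper's handling of `shouldSucceed` lies outside the hunk, so I could not confirm what it asserts when `true`. The parameter is still named `profile` although it now carries a whole `*runtimeapi.LinuxContainerSecurityContext`; `securityContext` would describe it more honestly.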