Support unconfined apparmor

Signed-off-by: Yanqiang Miao <[email protected]>

Author: Yanqiang Miao

pkg/server/container_create.go

@@ -793,8 +793,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	case runtimeDefault:
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
-	// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
-	case "":
+	case "", unconfinedProfile:
 		// Based on kubernetes#51746, default apparmor profile should be applied
 		// for non-privileged container when apparmor is not specified.
 		if privileged {

pkg/server/container_create_test.go

@@ -805,6 +805,19 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    "",
 			privileged: true,
 		},
+		"should not return error if apparmor is unconfined when apparmor is not supported": {
+			profile:   unconfinedProfile,
+			disable:   true,
+			expectErr: true,
+		},
+		"should set default apparmor when apparmor is unconfined": {
+			profile:  unconfinedProfile,
+			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),
+		},
+		"should not apparmor when apparmor is unconfined and privileged is true": {
+			profile:    unconfinedProfile,
+			privileged: true,
+		},
 		"should set default apparmor when apparmor is runtime/default": {
 			profile:  runtimeDefault,
 			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),