Update kubernetes version to the PR#52395 and support unconfined apparmor
#322
Signed-off-by: Yanqiang Miao <[email protected]>
mikebrow
left a comment
You need to add a check for && apparmorProf != unconfinedProfile here:
pkg/server/container_create_test.go
Outdated
| "should not return error if apparmor is unconfined when apparmor is not supported": { | ||
| profile: unconfinedProfile, | ||
| disable: true, | ||
| expectErr: true, |
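Review bot: the case name on the first line says "should not return error", but the last line sets expectErr: true, so the test requires an error for unconfinedProfile with disable: true. Set expectErr: false so the name and the assertion agree; as written the test pins rejection of unconfined on hosts without AppArmor.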
The text is correct but the expectErr should be false here.
Agree.
| case runtimeDefault: | ||
| // TODO (mikebrow): delete created apparmor default profile | ||
| return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil | ||
| // TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands. |
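Review bot: the TODO on the last line defers "unconfined" to kubernetes#52395, which the title of this PR says it now tracks, and the only profile handled in the lines shown is runtimeDefault. Add an explicit case for the unconfined profile that returns without applying an AppArmor option, and drop the TODO once that case exists.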
unconfined means not applying any profile.
Please reference the implementation in seccomp, and do a similar thing.
agree...
pkg/server/container_create_test.go
Outdated
| disable: true, | ||
| expectErr: true, | ||
| }, | ||
| "should set default apparmor when apparmor is unconfined": { |
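Review bot: the case name on the last line, "should set default apparmor when apparmor is unconfined", expects the default profile to be applied to a container that asked for unconfined, which would confine a workload that requested no confinement. Rename the case and assert that no AppArmor profile ends up applied for unconfinedProfile.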
Wrong assumption.
agree
pkg/server/container_create_test.go
Outdated
| "should not return error if apparmor is unconfined when apparmor is not supported": { | ||
| profile: unconfinedProfile, | ||
| disable: true, | ||
| expectErr: true, |
Agree.
@miaoyq Can you also update corresponding CRI validation test in another PR? Thanks!
@Random-Liu @mikebrow Thanks for the review. I have not fully understood the meaning of unconfined.
@Random-Liu OK
Signed-off-by: Yanqiang Miao <[email protected]>
LGTM /cc @mikebrow
mikebrow
left a comment
/LGTM
@Random-Liu You have finished this in #329
Fixes #314
/cc @Random-Liu
Signed-off-by: Yanqiang Miao [email protected]
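
The following Go example is added here and is not code from this PR or from the project. It shows the rule the reviewers settle on above (unconfined applies no profile and is accepted even when AppArmor is not supported) and goes beyond the thread by also handling `localhost/` profiles; `selectAppArmor`, `defaultProfileName` and the treatment of an empty profile are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	runtimeDefault    = "runtime/default" // Kubernetes AppArmor annotation values
	unconfinedProfile = "unconfined"
	localhostPrefix   = "localhost/"
	// Placeholder, not the project's real default profile name.
	defaultProfileName = "example-default-profile"
)

// selectAppArmor (hypothetical helper) returns the AppArmor profile name to
// apply to a container. An empty name with a nil error means "apply nothing".
func selectAppArmor(profile string, apparmorEnabled bool) (string, error) {
	if !apparmorEnabled {
		// Fail loudly only when confinement was requested; "unconfined" asks
		// for none. Assumption: an empty profile also requests nothing.
		if profile != "" && profile != unconfinedProfile {
			return "", fmt.Errorf("apparmor is not supported, cannot apply %q", profile)
		}
		return "", nil
	}
	switch {
	case profile == "" || profile == unconfinedProfile:
		return "", nil // no profile is applied, never the default one
	case profile == runtimeDefault:
		return defaultProfileName, nil
	case strings.HasPrefix(profile, localhostPrefix):
		if name := strings.TrimPrefix(profile, localhostPrefix); name != "" {
			return name, nil
		}
		return "", fmt.Errorf("empty profile name in %q", profile)
	default:
		return "", fmt.Errorf("unknown apparmor profile %q", profile)
	}
}

func main() {
	for _, enabled := range []bool{true, false} {
		for _, p := range []string{unconfinedProfile, runtimeDefault, "localhost/web", "bogus"} { // constructed inputs
			name, err := selectAppArmor(p, enabled)
			fmt.Printf("enabled=%-5v profile=%-16q apply=%q err=%v\n", enabled, p, name, err)
		}
	}
}
```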