containerd · Random-Liu · Oct 4, 2017 · Oct 3, 2017 · Oct 3, 2017 · Random-Liu
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
@@ -784,7 +784,7 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	if !apparmorEnabled {
 		// Should fail loudly if user try to specify apparmor profile
 		// but we don't support it.
-		if apparmorProf != "" {
+		if apparmorProf != "" && apparmorProf != unconfinedProfile {
 			return nil, fmt.Errorf("apparmor is not supported")
 		}
 		return nil, nil
@@ -793,7 +793,8 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 	case runtimeDefault:
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
-	// TODO(random-liu): Should support "unconfined" after kubernetes#52395 lands.
+	case unconfinedProfile:
+		return nil, nil
 	case "":
 		// Based on kubernetes#51746, default apparmor profile should be applied
 		// for non-privileged container when apparmor is not specified.

diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
@@ -805,6 +805,17 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 			profile:    "",
 			privileged: true,
 		},
+		"should not return error if apparmor is unconfined when apparmor is not supported": {
+			profile: unconfinedProfile,
+			disable: true,
+		},
+		"should not apparmor when apparmor is unconfined": {
+			profile: unconfinedProfile,
+		},
+		"should not apparmor when apparmor is unconfined and privileged is true": {
+			profile:    unconfinedProfile,
+			privileged: true,
+		},
 		"should set default apparmor when apparmor is runtime/default": {
 			profile:  runtimeDefault,
 			specOpts: apparmor.WithDefaultProfile(appArmorDefaultProfileName),

diff --git a/vendor.conf b/vendor.conf
@@ -64,5 +64,5 @@ k8s.io/apimachinery 4fd33e5925599d66528ef4f1a5c80f4aa2e27c98
 k8s.io/apiserver c1e53d745d0fe45bf7d5d44697e6eface25fceca
 k8s.io/client-go 82aa063804cf055e16e8911250f888bc216e8b61
 k8s.io/kube-openapi abfc5fbe1cf87ee697db107fdfd24c32fe4397a8
-k8s.io/kubernetes v1.8.0
+k8s.io/kubernetes 5e96f7cae900f71389f3fa291aa307169a44a65a
 k8s.io/utils 4fe312863be2155a7b68acd2aff1c9221b24e68c
diff --git a/vendor/k8s.io/kubernetes/README.md b/vendor/k8s.io/kubernetes/README.md
diff --git a/vendor/k8s.io/kubernetes/pkg/api/types.go b/vendor/k8s.io/kubernetes/pkg/api/types.go
diff --git a/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go b/vendor/k8s.io/kubernetes/pkg/api/zz_generated.deepcopy.go
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto b/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto