LinuxContainerSecurityContext field apparmor_profile has been depreca…

…ted in favor of the newer structured apparmor field. Introduce new tests for new field Apparmor alongside the old ApparmorProfile Signed-off-by: roman-kiselenko <roman.kiselenko.dev@gmail.com>
kubernetes-sigs · Apr 22, 2024 · cd70a05 · cd70a05
1 parent 5c770d7
commit cd70a05
Showing 1 changed file with 34 additions and 7 deletions.
diff --git a/pkg/validate/apparmor_linux.go b/pkg/validate/apparmor_linux.go
@@ -82,37 +82,64 @@ var _ = framework.KubeDescribe("AppArmor", func() {
 			})
 
 			It("should fail with an unloaded profile", func() {
-				profile := apparmorProfileNamePrefix + "non-existent-profile"
+				profile := &runtimeapi.LinuxContainerSecurityContext{
+					ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+				}
 				containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, false)
 				Expect(containerID).To(BeEmpty())
 			})
 
 			It("should enforce a profile blocking writes", func() {
-				profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write"
+				profile := &runtimeapi.LinuxContainerSecurityContext{
+					ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+				}
 				containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 				checkContainerApparmor(rc, containerID, false)
 			})
 
 			It("should enforce a permissive profile", func() {
-				profile := apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write"
+				profile := &runtimeapi.LinuxContainerSecurityContext{
+					ApparmorProfile: apparmorProfileNamePrefix + "cri-validate-apparmor-test-audit-write",
+				}
 				containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
 				checkContainerApparmor(rc, containerID, true)
 			})
+
+			It("should work with another field", func() {
+				profile := &runtimeapi.LinuxContainerSecurityContext{
+					Apparmor: &runtimeapi.SecurityProfile{
+						ProfileType:  runtimeapi.SecurityProfile_Localhost,
+						LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+					},
+				}
+				containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+				Expect(containerID).To(BeEmpty())
+			})
+
+			It("should work with different fields", func() {
+				profile := &runtimeapi.LinuxContainerSecurityContext{
+					ApparmorProfile: apparmorProfileNamePrefix + "non-existent-profile",
+					Apparmor: &runtimeapi.SecurityProfile{
+						ProfileType:  runtimeapi.SecurityProfile_Localhost,
+						LocalhostRef: apparmorProfileNamePrefix + "cri-validate-apparmor-test-deny-write",
+					},
+				}
+				containerID := createContainerWithAppArmor(rc, ic, sandboxID, sandboxConfig, profile, true)
+				Expect(containerID).To(BeEmpty())
+			})
 		})
 	}
 })
 
-func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile string, shouldSucceed bool) string {
+func createContainerWithAppArmor(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, profile *runtimeapi.LinuxContainerSecurityContext, shouldSucceed bool) string {
 	By("create a container with apparmor")
 	containerName := "apparmor-test-" + framework.NewUUID()
 	containerConfig := &runtimeapi.ContainerConfig{
 		Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
 		Image:    &runtimeapi.ImageSpec{Image: framework.TestContext.TestImageList.DefaultTestContainerImage},
 		Command:  []string{"touch", "/tmp/foo"},
 		Linux: &runtimeapi.LinuxContainerConfig{
-			SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
-				ApparmorProfile: profile,
-			},
+			SecurityContext: profile,
 		},
 	}