support apparmor
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
parent
be32aa566e
commit
71b80591e3
2 changed files with 33 additions and 0 deletions
|
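--- a/[path not shown: file 1]
+++ b/[path not shown: file 1]
@@ -182,6 +182,13 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
 specgen.AddAnnotation(k, v)
 }
 }
+
+// set this container's apparmor profile if it is set by sandbox
+appArmorProfileName := GetAppArmorProfileName(sb.annotations, metadata.GetName())
+if appArmorProfileName != "" {
+specgen.SetProcessApparmorProfile(appArmorProfileName)
+}
+
 if containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 specgen.SetupPrivileged(true)
 }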
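Review bot: The name returned by GetAppArmorProfileName is handed to specgen.SetProcessApparmorProfile with no check that AppArmor is enabled on this host or that a `localhost/<name>` profile is actually loaded, so a pod that references an unloaded profile only fails later at runtime start, with an error that does not mention the annotation. A check at this point (the kubelet does the equivalent by reading the loaded-profile list from /sys/kernel/security/apparmor/profiles) and a `fmt.Errorf("apparmor profile %q requested by container %q is not loaded", ...)` would fail the request closed with a clear message. The profile is also set before the privileged branch below it; whether SetupPrivileged(true) clears the profile again is decided inside the generator and is not visible here, so the intent would be clearer if the lookup were skipped explicitly for privileged containers, e.g. `if appArmorProfileName != "" && !containerConfig.GetLinux().GetSecurityContext().GetPrivileged() {`. createSandboxContainer begins and ends outside this hunk.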
@ -11,6 +11,14 @@ const (
|
||||||
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
|
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
|
||||||
// "The search list is currently limited to six domains with a total of 256 characters."
|
// "The search list is currently limited to six domains with a total of 256 characters."
|
||||||
maxDNSSearches = 6
|
maxDNSSearches = 6
|
||||||
|
|
||||||
|
// ContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container profile.
|
||||||
|
ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
|
||||||
|
|
||||||
|
// ProfileRuntimeDefault is he profile specifying the runtime default.
|
||||||
|
ProfileRuntimeDefault = "runtime/default"
|
||||||
|
// ProfileNamePrefix is the prefix for specifying profiles loaded on the node.
|
||||||
|
ProfileNamePrefix = "localhost/"
|
||||||
)
|
)
|
||||||
|
|
||||||
func int64Ptr(i int64) *int64 {
|
func int64Ptr(i int64) *int64 {
|
||||||
|
@ -156,3 +164,21 @@ func SysctlsFromPodAnnotation(annotation string) ([]Sysctl, error) {
|
||||||
}
|
}
|
||||||
return sysctls, nil
|
return sysctls, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetAppArmorProfileName gets the profile name for the given container.
|
||||||
|
func GetAppArmorProfileName(annotations map[string]string, ctrName string) string {
|
||||||
|
profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
|
||||||
|
if profile == "" || profile == ProfileRuntimeDefault {
|
||||||
|
// If the value is runtime/default, then it is equivalent to not specifying a profile.
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
|
||||||
|
return profileName
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
|
||||||
|
// pod annotations
|
||||||
|
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
|
||||||
|
return annotations[ContainerAnnotationKeyPrefix+containerName]
|
||||||
|
}
|
||||||
|
|
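Review bot: GetAppArmorProfileName in the second hunk forwards any annotation value that is neither empty, `runtime/default`, nor prefixed with `localhost/` unchanged as the profile name, because strings.TrimPrefix is a no-op for such values; a mistyped or unexpected value therefore reaches the runtime as a literal profile instead of being rejected. Kubernetes documents only the `runtime/default` and `localhost/<profile>` forms, so the function should validate the prefix and return an error for anything else, which means the caller in createSandboxContainer then has to handle that error; this file must also import `fmt` (and `strings`, if it does not already). The doc comment on ProfileRuntimeDefault in the first hunk reads `// ProfileRuntimeDefault is he profile specifying the runtime default.` and should be `// ProfileRuntimeDefault is the profile specifying the runtime default.`. The rewritten function follows.
```go
// GetAppArmorProfileName gets the profile name for the given container.
// It returns an error when the annotation holds a value that is neither
// empty, runtime/default, nor a localhost/-prefixed node-local profile,
// so that unexpected values are never passed to the runtime verbatim.
func GetAppArmorProfileName(annotations map[string]string, ctrName string) (string, error) {
	profile := GetProfileNameFromPodAnnotations(annotations, ctrName)
	if profile == "" || profile == ProfileRuntimeDefault {
		// If the value is runtime/default, then it is equivalent to not specifying a profile.
		return "", nil
	}
	if !strings.HasPrefix(profile, ProfileNamePrefix) {
		return "", fmt.Errorf("invalid apparmor profile %q for container %q: expected %q or a name prefixed with %q", profile, ctrName, ProfileRuntimeDefault, ProfileNamePrefix)
	}
	return strings.TrimPrefix(profile, ProfileNamePrefix), nil
}

// … unchanged: GetProfileNameFromPodAnnotations …
```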