apparmor

package
v1.18.15
This package is not in the latest version of its module.
Published: Jan 13, 2021 License: Apache-2.0 Imports: 13 Imported by: 276

Documentation

Constants

const (
	// The prefix to an annotation key specifying a container profile.
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	// The annotation key specifying the default AppArmor profile.
	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
	// The annotation key specifying the allowed AppArmor profiles.
	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"

	// The profile specifying the runtime default.
	ProfileRuntimeDefault = "runtime/default"
	// The prefix for specifying profiles loaded on the node.
	ProfileNamePrefix = "localhost/"

	// Unconfined profile
	ProfileNameUnconfined = "unconfined"
)

TODO: Move these values into the API package.

Variables

This section is empty.

Functions

func GetProfileName

func GetProfileName(pod *v1.Pod, containerName string) string

GetProfileName returns the name of the profile to use with the container.

func GetProfileNameFromPodAnnotations added in v1.5.0

func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string

GetProfileNameFromPodAnnotations gets the name of the profile to use with the container from the pod annotations.

func IsAppArmorEnabled

func IsAppArmorEnabled() bool

IsAppArmorEnabled returns true if apparmor is enabled for the host. This function is forked from https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go to avoid the libapparmor dependency.

func SetProfileName

func SetProfileName(pod *v1.Pod, containerName, profileName string) error

SetProfileName sets the name of the profile to use with the container.

func SetProfileNameFromPodAnnotations added in v1.6.0

func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error

SetProfileNameFromPodAnnotations sets the name of the profile to use with the container.

func ValidateProfileFormat

func ValidateProfileFormat(profile string) error

ValidateProfileFormat checks the format of the profile.
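
As an added example (not code from this package or the Kubernetes project), the sketch below audits a pod's annotations using the constants listed above and flags containers whose profile is unset, unconfined, or malformed. The helpers `classify` and `auditPod`, the sample annotations, and the rule that a well-formed value is `runtime/default`, `unconfined`, or `localhost/` followed by a non-empty name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Values copied from the constants listed on this page.
const (
	containerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	profileRuntimeDefault        = "runtime/default"
	profileNamePrefix            = "localhost/"
	profileNameUnconfined        = "unconfined"
)

// classify is a hypothetical helper that maps an annotation value to a finding.
// Assumption: only the three forms described by the constants are well-formed,
// and "localhost/" must be followed by a non-empty profile name.
func classify(profile string) string {
	switch {
	case profile == "":
		return "unset" // no annotation for this container
	case profile == profileNameUnconfined:
		return "unconfined" // explicitly runs without AppArmor confinement
	case profile == profileRuntimeDefault,
		strings.HasPrefix(profile, profileNamePrefix) && len(profile) > len(profileNamePrefix):
		return "confined"
	default:
		return "malformed"
	}
}

// auditPod returns one "container: finding" entry per container, in input order.
func auditPod(annotations map[string]string, containers []string) []string {
	out := make([]string, 0, len(containers))
	for _, c := range containers {
		out = append(out, c+": "+classify(annotations[containerAnnotationKeyPrefix+c]))
	}
	return out
}

func main() {
	// Constructed sample annotations, not taken from a real cluster.
	ann := map[string]string{
		containerAnnotationKeyPrefix + "web":   "localhost/k8s-nginx",
		containerAnnotationKeyPrefix + "debug": "unconfined",
		containerAnnotationKeyPrefix + "job":   "k8s-nginx", // missing the localhost/ prefix
	}
	for _, line := range auditPod(ann, []string{"web", "debug", "job", "sidecar"}) {
		fmt.Println(line)
	}
}
```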

Types

type Validator

type Validator interface {
	Validate(pod *v1.Pod) error
	ValidateHost() error
}

Validator is an interface for validating that a pod with an AppArmor profile can be run by a Node.

func NewValidator

func NewValidator(runtime string) Validator

NewValidator returns a Validator for the given runtime; it is used in order to find the AppArmor FS.
