vendor update for E2E framework

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2019-05-31 15:15:11 +05:30
parent 9bb23e4e32
commit d300da19b7
2149 changed files with 598692 additions and 14107 deletions
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
@ -0,0 +1,80 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+import (
+	"strings"
+
+	"k8s.io/api/core/v1"
+)
+
+// TODO: Move these values into the API package.
+const (
+	// The prefix to an annotation key specifying a container profile.
+	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
+	// The annotation key specifying the default AppArmor profile.
+	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
+	// The annotation key specifying the allowed AppArmor profiles.
+	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+	// The profile specifying the runtime default.
+	ProfileRuntimeDefault = "runtime/default"
+	// The prefix for specifying profiles loaded on the node.
+	ProfileNamePrefix = "localhost/"
+
+	// Unconfined profile
+	ProfileNameUnconfined = "unconfined"
+)
+
+// Checks whether app armor is required for pod to be run.
+func isRequired(pod *v1.Pod) bool {
+	for key, value := range pod.Annotations {
+		if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) {
+			return value != ProfileNameUnconfined
+		}
+	}
+	return false
+}
+
+// Returns the name of the profile to use with the container.
+func GetProfileName(pod *v1.Pod, containerName string) string {
+	return GetProfileNameFromPodAnnotations(pod.Annotations, containerName)
+}
+
+// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
+// pod annotations
+func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
+	return annotations[ContainerAnnotationKeyPrefix+containerName]
+}
+
+// Sets the name of the profile to use with the container.
+func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
+	if pod.Annotations == nil {
+		pod.Annotations = map[string]string{}
+	}
+	pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
+	return nil
+}
+
+// Sets the name of the profile to use with the container.
+func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error {
+	if annotations == nil {
+		return nil
+	}
+	annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
+	return nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
@ -0,0 +1,229 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/api/core/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
+	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+	utilpath "k8s.io/utils/path"
+)
+
+// Whether AppArmor should be disabled by default.
+// Set to true if the wrong build tags are set (see validate_disabled.go).
+var isDisabledBuild bool
+
+// Interface for validating that a pod with an AppArmor profile can be run by a Node.
+type Validator interface {
+	Validate(pod *v1.Pod) error
+	ValidateHost() error
+}
+
+func NewValidator(runtime string) Validator {
+	if err := validateHost(runtime); err != nil {
+		return &validator{validateHostErr: err}
+	}
+	appArmorFS, err := getAppArmorFS()
+	if err != nil {
+		return &validator{
+			validateHostErr: fmt.Errorf("error finding AppArmor FS: %v", err),
+		}
+	}
+	return &validator{
+		appArmorFS: appArmorFS,
+	}
+}
+
+type validator struct {
+	validateHostErr error
+	appArmorFS      string
+}
+
+func (v *validator) Validate(pod *v1.Pod) error {
+	if !isRequired(pod) {
+		return nil
+	}
+
+	if v.ValidateHost() != nil {
+		return v.validateHostErr
+	}
+
+	loadedProfiles, err := v.getLoadedProfiles()
+	if err != nil {
+		return fmt.Errorf("could not read loaded profiles: %v", err)
+	}
+
+	for _, container := range pod.Spec.InitContainers {
+		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
+			return err
+		}
+	}
+	for _, container := range pod.Spec.Containers {
+		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (v *validator) ValidateHost() error {
+	return v.validateHostErr
+}
+
+// Verify that the host and runtime is capable of enforcing AppArmor profiles.
+func validateHost(runtime string) error {
+	// Check feature-gates
+	if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) {
+		return errors.New("AppArmor disabled by feature-gate")
+	}
+
+	// Check build support.
+	if isDisabledBuild {
+		return errors.New("Binary not compiled for linux")
+	}
+
+	// Check kernel support.
+	if !IsAppArmorEnabled() {
+		return errors.New("AppArmor is not enabled on the host")
+	}
+
+	// Check runtime support. Currently only Docker is supported.
+	if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
+		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
+	}
+
+	return nil
+}
+
+// Verify that the profile is valid and loaded.
+func validateProfile(profile string, loadedProfiles map[string]bool) error {
+	if err := ValidateProfileFormat(profile); err != nil {
+		return err
+	}
+
+	if strings.HasPrefix(profile, ProfileNamePrefix) {
+		profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
+		if !loadedProfiles[profileName] {
+			return fmt.Errorf("profile %q is not loaded", profileName)
+		}
+	}
+
+	return nil
+}
+
+func ValidateProfileFormat(profile string) error {
+	if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
+		return nil
+	}
+	if !strings.HasPrefix(profile, ProfileNamePrefix) {
+		return fmt.Errorf("invalid AppArmor profile name: %q", profile)
+	}
+	return nil
+}
+
+func (v *validator) getLoadedProfiles() (map[string]bool, error) {
+	profilesPath := path.Join(v.appArmorFS, "profiles")
+	profilesFile, err := os.Open(profilesPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open %s: %v", profilesPath, err)
+	}
+	defer profilesFile.Close()
+
+	profiles := map[string]bool{}
+	scanner := bufio.NewScanner(profilesFile)
+	for scanner.Scan() {
+		profileName := parseProfileName(scanner.Text())
+		if profileName == "" {
+			// Unknown line format; skip it.
+			continue
+		}
+		profiles[profileName] = true
+	}
+	return profiles, nil
+}
+
+// The profiles file is formatted with one profile per line, matching a form:
+//   namespace://profile-name (mode)
+//   profile-name (mode)
+// Where mode is {enforce, complain, kill}. The "namespace://" is only included for namespaced
+// profiles. For the purposes of Kubernetes, we consider the namespace part of the profile name.
+func parseProfileName(profileLine string) string {
+	modeIndex := strings.IndexRune(profileLine, '(')
+	if modeIndex < 0 {
+		return ""
+	}
+	return strings.TrimSpace(profileLine[:modeIndex])
+}
+
+func getAppArmorFS() (string, error) {
+	mountsFile, err := os.Open("/proc/mounts")
+	if err != nil {
+		return "", fmt.Errorf("could not open /proc/mounts: %v", err)
+	}
+	defer mountsFile.Close()
+
+	scanner := bufio.NewScanner(mountsFile)
+	for scanner.Scan() {
+		fields := strings.Fields(scanner.Text())
+		if len(fields) < 3 {
+			// Unknown line format; skip it.
+			continue
+		}
+		if fields[2] == "securityfs" {
+			appArmorFS := path.Join(fields[1], "apparmor")
+			if ok, err := utilpath.Exists(utilpath.CheckFollowSymlink, appArmorFS); !ok {
+				msg := fmt.Sprintf("path %s does not exist", appArmorFS)
+				if err != nil {
+					return "", fmt.Errorf("%s: %v", msg, err)
+				} else {
+					return "", errors.New(msg)
+				}
+			} else {
+				return appArmorFS, nil
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("error scanning mounts: %v", err)
+	}
+
+	return "", errors.New("securityfs not found")
+}
+
+// IsAppArmorEnabled returns true if apparmor is enabled for the host.
+// This function is forked from
+// https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go
+// to avoid the libapparmor dependency.
+func IsAppArmorEnabled() bool {
+	if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
+		if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+			buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+			return err == nil && len(buf) > 1 && buf[0] == 'Y'
+		}
+	}
+	return false
+}
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go
@ -0,0 +1,24 @@
+// +build !linux
+
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+func init() {
+	// If Kubernetes was not built for linux, apparmor is always disabled.
+	isDisabledBuild = true
+}