k8s.io/kubernetes@v1.29.3/pkg/security/apparmor/validate.go (about) 1 /* 2 Copyright 2016 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package apparmor 18 19 import ( 20 "errors" 21 "fmt" 22 "strings" 23 24 "github.com/opencontainers/runc/libcontainer/apparmor" 25 v1 "k8s.io/api/core/v1" 26 utilfeature "k8s.io/apiserver/pkg/util/feature" 27 podutil "k8s.io/kubernetes/pkg/api/v1/pod" 28 "k8s.io/kubernetes/pkg/apis/core/validation" 29 "k8s.io/kubernetes/pkg/features" 30 ) 31 32 // Whether AppArmor should be disabled by default. 33 // Set to true if the wrong build tags are set (see validate_disabled.go). 34 var isDisabledBuild bool 35 36 // Validator is a interface for validating that a pod with an AppArmor profile can be run by a Node. 37 type Validator interface { 38 Validate(pod *v1.Pod) error 39 ValidateHost() error 40 } 41 42 // NewValidator is in order to find AppArmor FS 43 func NewValidator() Validator { 44 if err := validateHost(); err != nil { 45 return &validator{validateHostErr: err} 46 } 47 return &validator{} 48 } 49 50 type validator struct { 51 validateHostErr error 52 } 53 54 func (v *validator) Validate(pod *v1.Pod) error { 55 if !isRequired(pod) { 56 return nil 57 } 58 59 if v.ValidateHost() != nil { 60 return v.validateHostErr 61 } 62 63 var retErr error 64 podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool { 65 profile := GetProfileName(pod, container.Name) 66 retErr = validation.ValidateAppArmorProfileFormat(profile) 67 if retErr != nil { 68 return false 69 } 70 // TODO(#64841): This would ideally be part of validation.ValidateAppArmorProfileFormat, but 71 // that is called for API validation, and this is tightening validation. 72 if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) { 73 if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" { 74 retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile) 75 return false 76 } 77 } 78 return true 79 }) 80 81 return retErr 82 } 83 84 // ValidateHost verifies that the host and runtime is capable of enforcing AppArmor profiles. 85 // Note, this is intentionally only check the host at kubelet startup and never re-evaluates the host 86 // as the expectation is that the kubelet restart will be needed to enable or disable AppArmor support. 87 func (v *validator) ValidateHost() error { 88 return v.validateHostErr 89 } 90 91 // validateHost verifies that the host and runtime is capable of enforcing AppArmor profiles. 92 func validateHost() error { 93 // Check feature-gates 94 if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) { 95 return errors.New("AppArmor disabled by feature-gate") 96 } 97 98 // Check build support. 99 if isDisabledBuild { 100 return errors.New("binary not compiled for linux") 101 } 102 103 // Check kernel support. 104 if !apparmor.IsEnabled() { 105 return errors.New("AppArmor is not enabled on the host") 106 } 107 108 return nil 109 }