
Commit 632feeb

xiaojieyk8s-ci-robot
authored andcommitted
Fix profilerecording failed to create selinuxprofile issue
Update SecurityContext for Apparmor
1 parent 5734672 commit 632feeb


1 file changed

+39
-3
lines changed


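--- a/internal/pkg/webhooks/recording/recording.go
+++ b/internal/pkg/webhooks/recording/recording.go
@@ -252,10 +252,12 @@ func (p *podSeccompRecorder) updateSecurityContext(
 }
 
 switch pr.Spec.Kind {
-case profilerecordingv1alpha1.ProfileRecordingKindSeccompProfile,
-profilerecordingv1alpha1.ProfileRecordingKindSelinuxProfile,
-profilerecordingv1alpha1.ProfileRecordingKindAppArmorProfile:
+case profilerecordingv1alpha1.ProfileRecordingKindSeccompProfile:
 p.updateSeccompSecurityContext(ctr, pr)
+case profilerecordingv1alpha1.ProfileRecordingKindSelinuxProfile:
+p.updateSelinuxSecurityContext(ctr, pr)
+case profilerecordingv1alpha1.ProfileRecordingKindAppArmorProfile:
+p.updateApparmorSecurityContext(ctr, pr)
 }
 
 p.log.Info(fmt.Sprintf(
@@ -290,6 +292,40 @@ func (p *podSeccompRecorder) updateSeccompSecurityContext(
 ctr.SecurityContext.SeccompProfile.LocalhostProfile = &profile
 }
 
+func (p *podSeccompRecorder) updateSelinuxSecurityContext(
+ctr *corev1.Container,
+pr *profilerecordingv1alpha1.ProfileRecording,
+) {
+if ctr.SecurityContext == nil {
+ctr.SecurityContext = &corev1.SecurityContext{}
+}
+
+if ctr.SecurityContext.SELinuxOptions == nil {
+ctr.SecurityContext.SELinuxOptions = &corev1.SELinuxOptions{}
+} else {
+p.record.Eventf(pr,
+corev1.EventTypeWarning,
+"SecurityContextAlreadySet",
+"Container %s had SecurityContext already set, the profile recorder overwrote it", ctr.Name)
+}
+
+ctr.SecurityContext.SELinuxOptions.Type = config.SelinuxPermissiveProfile
+}
+
+func (p *podSeccompRecorder) updateApparmorSecurityContext(
+ctr *corev1.Container,
+pr *profilerecordingv1alpha1.ProfileRecording,
+) {
+if pr.Spec.Recorder != profilerecordingv1alpha1.ProfileRecorderLogs {
+return
+}
+
+p.record.Eventf(pr,
+corev1.EventTypeWarning,
+"AppArmorNotSupported",
+"AppArmor log-based recording is not supported, container: %s", ctr.Name)
+}
+
 func (p *podSeccompRecorder) setRecordingReferences(
 ctx context.Context,
 op admissionv1.Operation,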
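Review bot: The "SecurityContextAlreadySet" event in updateSelinuxSecurityContext tells the user the recorder overwrote the SecurityContext, but the code only replaces `SELinuxOptions.Type`; any `User`, `Role` or `Level` the pod author set survive and are applied together with `config.SelinuxPermissiveProfile`, which is a different (and harder to reason about) label than the event suggests. Either make the code match the message by assigning a fresh struct in both branches, `ctr.SecurityContext.SELinuxOptions = &corev1.SELinuxOptions{Type: config.SelinuxPermissiveProfile}`, or reword the event to "the profile recorder replaced its SELinux type". A doc comment on the function stating that the container is deliberately run under the permissive recording type for the duration of the recording would help the next reader judge that trade-off. updateApparmorSecurityContext leaves the SecurityContext untouched for every recorder other than logs, which the commit message "Update SecurityContext for Apparmor" does not obviously describe; if that is intended, a comment such as `// AppArmor profiles are not applied to the SecurityContext here; only log-based recording is rejected.` would make it explicit.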
