Commit e693a619 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #31659 from timstclair/aa-nodestatus

Automatic merge from submit-queue Append "AppArmor enabled" to the Node ready condition message As discussed, add a "AppArmor enabled" message to the node ready condition message. This is a temporary solution to surfacing the AppArmor status until node feature reporting is enabled. Example: ``` $ kubectl get nodes e2e-test-stclair-minion-group-lmvk -o yaml ... - lastHeartbeatTime: 2016-08-30T00:52:11Z lastTransitionTime: 2016-08-30T00:43:28Z message: kubelet is posting ready status. AppArmor enabled reason: KubeletReady status: "True" type: Ready ... ``` --- 1.4 justification: - Risk: Low. This is a small change to append a human readable message. - Rollback: Nothing depends on this functionality. - Cost: Not knowing whether AppArmor is actually supported by a node. Although pods should be rejected if it's not enabled, we can't do anything for older (< v1.4) nodes. This positive affirmation provides confirmation that AppArmor is enabled for the current version.
parents 07556d5e 3808243b
...@@ -77,6 +77,7 @@ import ( ...@@ -77,6 +77,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/util/sliceutils" "k8s.io/kubernetes/pkg/kubelet/util/sliceutils"
"k8s.io/kubernetes/pkg/kubelet/volumemanager" "k8s.io/kubernetes/pkg/kubelet/volumemanager"
"k8s.io/kubernetes/pkg/runtime" "k8s.io/kubernetes/pkg/runtime"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/types" "k8s.io/kubernetes/pkg/types"
"k8s.io/kubernetes/pkg/util/bandwidth" "k8s.io/kubernetes/pkg/util/bandwidth"
"k8s.io/kubernetes/pkg/util/clock" "k8s.io/kubernetes/pkg/util/clock"
...@@ -736,7 +737,8 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub ...@@ -736,7 +737,8 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
klet.AddPodSyncLoopHandler(activeDeadlineHandler) klet.AddPodSyncLoopHandler(activeDeadlineHandler)
klet.AddPodSyncHandler(activeDeadlineHandler) klet.AddPodSyncHandler(activeDeadlineHandler)
klet.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(kubeCfg.ContainerRuntime)) klet.appArmorValidator = apparmor.NewValidator(kubeCfg.ContainerRuntime)
klet.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
// apply functional Option's // apply functional Option's
for _, opt := range kubeDeps.Options { for _, opt := range kubeDeps.Options {
...@@ -1041,6 +1043,9 @@ type Kubelet struct { ...@@ -1041,6 +1043,9 @@ type Kubelet struct {
// The bit of the fwmark space to mark packets for dropping. // The bit of the fwmark space to mark packets for dropping.
iptablesDropBit int iptablesDropBit int
// The AppArmor validator for checking whether AppArmor is supported.
appArmorValidator apparmor.Validator
} }
// setupDataDirs creates: // setupDataDirs creates:
......
...@@ -489,6 +489,13 @@ func (kl *Kubelet) setNodeReadyCondition(node *api.Node) { ...@@ -489,6 +489,13 @@ func (kl *Kubelet) setNodeReadyCondition(node *api.Node) {
} }
} }
// Append AppArmor status if it's enabled.
// TODO(timstclair): This is a temporary message until node feature reporting is added.
if newNodeReadyCondition.Status == api.ConditionTrue &&
kl.appArmorValidator != nil && kl.appArmorValidator.ValidateHost() == nil {
newNodeReadyCondition.Message = fmt.Sprintf("%s. AppArmor enabled", newNodeReadyCondition.Message)
}
// Record any soft requirements that were not met in the container manager. // Record any soft requirements that were not met in the container manager.
status := kl.containerManager.Status() status := kl.containerManager.Status()
if status.SoftRequirements != nil { if status.SoftRequirements != nil {
......
...@@ -144,9 +144,9 @@ func getHttpRespBody(resp *http.Response) string { ...@@ -144,9 +144,9 @@ func getHttpRespBody(resp *http.Response) string {
return "" return ""
} }
func NewAppArmorAdmitHandler(runtime string) PodAdmitHandler { func NewAppArmorAdmitHandler(validator apparmor.Validator) PodAdmitHandler {
return &appArmorAdmitHandler{ return &appArmorAdmitHandler{
Validator: apparmor.NewValidator(runtime), Validator: validator,
} }
} }
......
...@@ -37,6 +37,7 @@ var isDisabledBuild bool ...@@ -37,6 +37,7 @@ var isDisabledBuild bool
// Interface for validating that a pod with with an AppArmor profile can be run by a Node. // Interface for validating that a pod with with an AppArmor profile can be run by a Node.
type Validator interface { type Validator interface {
Validate(pod *api.Pod) error Validate(pod *api.Pod) error
ValidateHost() error
} }
func NewValidator(runtime string) Validator { func NewValidator(runtime string) Validator {
...@@ -64,7 +65,7 @@ func (v *validator) Validate(pod *api.Pod) error { ...@@ -64,7 +65,7 @@ func (v *validator) Validate(pod *api.Pod) error {
return nil return nil
} }
if v.validateHostErr != nil { if v.ValidateHost() != nil {
return v.validateHostErr return v.validateHostErr
} }
...@@ -87,6 +88,10 @@ func (v *validator) Validate(pod *api.Pod) error { ...@@ -87,6 +88,10 @@ func (v *validator) Validate(pod *api.Pod) error {
return nil return nil
} }
func (v *validator) ValidateHost() error {
return v.validateHostErr
}
// Verify that the host and runtime is capable of enforcing AppArmor profiles. // Verify that the host and runtime is capable of enforcing AppArmor profiles.
func validateHost(runtime string) error { func validateHost(runtime string) error {
// Check feature-gates // Check feature-gates
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment