From 611960f5d8cc511806eede6151c614e77858a493 Mon Sep 17 00:00:00 2001
From: Thomas Anderson <127358482+zc-devs@users.noreply.github.com>
Date: Fri, 5 Jan 2024 17:29:46 +0300
Subject: [PATCH 1/4] Added seccomp
---
 pipeline/backend/kubernetes/pod.go | 31 ++++++++++++++++---
 pipeline/backend/kubernetes/pod_test.go | 20 ++++++++++--
 pipeline/backend/types/backend_kubernetes.go | 16 +++++++---
 pipeline/frontend/yaml/compiler/convert.go | 6 ++++
 .../frontend/yaml/linter/schema/schema.json | 15 +++++++++
 .../frontend/yaml/types/backend_options.go | 16 +++++++---
 6 files changed, 86 insertions(+), 18 deletions(-)
diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
index eb85f9f46e..3e5028339e 100644
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -305,6 +305,7 @@ func podSecurityContext(sc *types.SecurityContext, secCtxConf SecurityContextCon
 user *int64
 group *int64
 fsGroup *int64
+ seccomp *v1.SeccompProfile
 )
 if sc != nil && sc.RunAsNonRoot != nil {
@@ -321,20 +322,40 @@ func podSecurityContext(sc *types.SecurityContext, secCtxConf SecurityContextCon
 fsGroup = sc.FSGroup
 }
- if nonRoot == nil && user == nil && group == nil && fsGroup == nil {
+ if sc != nil {
+ seccomp = seccompProfile(sc.SeccompProfile)
+ }
+
+ if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil {
 return nil
 }
 securityContext := &v1.PodSecurityContext{
- RunAsNonRoot: nonRoot,
- RunAsUser: user,
- RunAsGroup: group,
- FSGroup: fsGroup,
+ RunAsNonRoot: nonRoot,
+ RunAsUser: user,
+ RunAsGroup: group,
+ FSGroup: fsGroup,
+ SeccompProfile: seccomp,
 }
 log.Trace().Msgf("Pod security context that will be used: %v", securityContext)
 return securityContext
 }
+func seccompProfile(scp *types.SeccompProfile) *v1.SeccompProfile {
+ if scp == nil || len(scp.Type) == 0 {
+ return nil
+ }
+
+ seccompProfile := &v1.SeccompProfile{
+ Type: v1.SeccompProfileType(scp.Type),
+ }
+ if len(scp.LocalhostProfile) > 0 {
+ seccompProfile.LocalhostProfile = &scp.LocalhostProfile
+ }
+
+ return seccompProfile
+}
+
 func containerSecurityContext(sc *types.SecurityContext, stepPrivileged bool) *v1.SecurityContext {
 var privileged *bool
diff --git a/pipeline/backend/kubernetes/pod_test.go b/pipeline/backend/kubernetes/pod_test.go
index fe33cb6307..f5ad21498a 100644
--- a/pipeline/backend/kubernetes/pod_test.go
+++ b/pipeline/backend/kubernetes/pod_test.go
@@ -203,7 +203,11 @@ func TestFullPod(t *testing.T) {
 "runAsUser": 101,
 "runAsGroup": 101,
 "runAsNonRoot": true,
- "fsGroup": 101
+ "fsGroup": 101,
+ "seccompProfile": {
+ "type": "Localhost",
+ "localhostProfile": "profiles/audit.json"
+ }
 },
 "imagePullSecrets": [
 {
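Review bot: seccompProfile hands `scp.Type` to `v1.SeccompProfileType` unchecked and emits a Localhost profile even when `LocalhostProfile` is empty, so a typo or a missing path is only noticed when the API server rejects the pod, with nothing in the backend log to explain it. A fail-closed check after the nil test — return an error for a `Type` outside `v1.SeccompProfileTypeUnconfined`, `v1.SeccompProfileTypeRuntimeDefault` and `v1.SeccompProfileTypeLocalhost`, or for a Localhost profile with no `LocalhostProfile`, and let podSecurityContext (which starts above this hunk) propagate it to mkPod's error return — would surface the misconfiguration where it is made; a plain `return nil` would instead run the step with no seccomp profile at all. The hunk also lets any pipeline request `Unconfined`, which removes the runtime's default syscall filter for the whole pod, while `secCtxConf` gates nothing but RunAsNonRoot; whether administrators should be able to forbid that deserves a decision and a comment either way. Minor: the local `seccompProfile` shadows the function of the same name (`profile` reads better), and `&scp.LocalhostProfile` aliases the caller's struct where `lp := scp.LocalhostProfile` followed by `&lp` would detach it.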
@@ -242,14 +246,24 @@ func TestFullPod(t *testing.T) {
 {Name: "cloudflare", IP: "1.1.1.1"},
 {Name: "cf.v6", IP: "2606:4700:4700::64"},
 }
+ secCtx := types.SecurityContext{
+ Privileged: newBool(true),
+ RunAsNonRoot: newBool(true),
+ RunAsUser: newInt64(101),
+ RunAsGroup: newInt64(101),
+ FSGroup: newInt64(101),
+ SeccompProfile: &types.SeccompProfile{
+ Type: "Localhost",
+ LocalhostProfile: "profiles/audit.json",
+ },
+ }
 pod, err := mkPod("woodpecker", "wp-01he8bebctabr3kgk0qj36d2me-0", "meltwater/drone-cache", "/woodpecker/src", "linux/amd64", "wp-svc-acc", true, true, []string{"go get", "go test"}, []string{"woodpecker-cache:/woodpecker/src/cache"}, []string{"regcred", "another-pull-secret"},
 map[string]string{"app": "test"}, map[string]string{"apparmor.security": "runtime/default"}, map[string]string{"CGO": "0"}, map[string]string{"storage": "ssd"},
 hostAliases, []types.Toleration{{Key: "net-port", Value: "100Mbit", Effect: types.TaintEffectNoSchedule}}, types.Resources{Requests: map[string]string{"memory": "128Mi", "cpu": "1000m"}, Limits: map[string]string{"memory": "256Mi", "cpu": "2"}},
- &types.SecurityContext{Privileged: newBool(true), RunAsNonRoot: newBool(true), RunAsUser: newInt64(101), RunAsGroup: newInt64(101), FSGroup: newInt64(101)},
- SecurityContextConfig{RunAsNonRoot: false},
+ &secCtx, SecurityContextConfig{RunAsNonRoot: false},
 )
 assert.NoError(t, err)
diff --git a/pipeline/backend/types/backend_kubernetes.go b/pipeline/backend/types/backend_kubernetes.go
index 2077644350..47325b62e2 100644
--- a/pipeline/backend/types/backend_kubernetes.go
+++ b/pipeline/backend/types/backend_kubernetes.go
@@ -54,9 +54,15 @@ const (
 )
 type SecurityContext struct {
- Privileged *bool `json:"privileged,omitempty"`
- RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
- RunAsUser *int64 `json:"runAsUser,omitempty"`
- RunAsGroup *int64 `json:"runAsGroup,omitempty"`
- FSGroup *int64 `json:"fsGroup,omitempty"`
+ Privileged *bool `json:"privileged,omitempty"`
+ RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `json:"runAsUser,omitempty"`
+ RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+ FSGroup *int64 `json:"fsGroup,omitempty"`
+ SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
+}
+
+type SeccompProfile struct {
+ Type string `json:"type,omitempty"`
+ LocalhostProfile string `json:"localhostProfile,omitempty"`
 }
diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
index 186ca8f1d3..54057ba254 100644
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -241,6 +241,12 @@ func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOption
 RunAsGroup: kubeOpt.SecurityContext.RunAsGroup,
 FSGroup: kubeOpt.SecurityContext.FSGroup,
 }
+ if kubeOpt.SecurityContext.SeccompProfile != nil {
+ securityContext.SeccompProfile = &backend_types.SeccompProfile{
+ Type: kubeOpt.SecurityContext.SeccompProfile.Type,
+ LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
+ }
+ }
 }
 return backend_types.KubernetesBackendOptions{
diff --git a/pipeline/frontend/yaml/linter/schema/schema.json b/pipeline/frontend/yaml/linter/schema/schema.json
index 37a99bdfc0..e12bb0fd7f 100644
--- a/pipeline/frontend/yaml/linter/schema/schema.json
+++ b/pipeline/frontend/yaml/linter/schema/schema.json
@@ -729,6 +729,21 @@
 },
 "fsGroup": {
 "type": "number"
+ },
+ "seccompProfile": {
+ "$ref": "#/definitions/step_backend_kubernetes_seccomp"
+ }
+ }
+ },
+ "step_backend_kubernetes_seccomp": {
+ "description": "Pods seccomp profile. Read more: https://woodpecker-ci.org/docs/administration/backends/kubernetes",
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ },
+ "localhostProfile": {
+ "type": "string"
 }
 }
 },
diff --git a/pipeline/frontend/yaml/types/backend_options.go b/pipeline/frontend/yaml/types/backend_options.go
index 245f7e0d3c..a568b14b39 100644
--- a/pipeline/frontend/yaml/types/backend_options.go
+++ b/pipeline/frontend/yaml/types/backend_options.go
@@ -56,9 +56,15 @@ const (
 )
 type SecurityContext struct {
- Privileged *bool `yaml:"privileged,omitempty"`
- RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
- RunAsUser *int64 `yaml:"runAsUser,omitempty"`
- RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
- FSGroup *int64 `yaml:"fsGroup,omitempty"`
+ Privileged *bool `yaml:"privileged,omitempty"`
+ RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `yaml:"runAsUser,omitempty"`
+ RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
+ FSGroup *int64 `yaml:"fsGroup,omitempty"`
+ SeccompProfile *SeccompProfile `yaml:"seccompProfile,omitempty"`
+}
+
+type SeccompProfile struct {
+ Type string `yaml:"type,omitempty"`
+ LocalhostProfile string `yaml:"localhostProfile,omitempty"`
 }
From e06a8227e00e8458220434733d85244288bae37b Mon Sep 17 00:00:00 2001
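Review bot: `type` in the new `step_backend_kubernetes_seccomp` definition is an unconstrained string, so the linter accepts `runtimeDefault` or `unconfined` and the mistake only surfaces when the API server rejects the pod. Adding `"enum": ["RuntimeDefault", "Localhost", "Unconfined"]` next to `"type": "string"` lets the linter catch it up front; if `Unconfined` is not meant to be offered, leave it out of the enum and reject it in the backend as well. The same applies to the shared `step_backend_kubernetes_secprofile` definition that replaces this one in PATCH 2/4, where the AppArmor mapper only understands RuntimeDefault and Localhost, so one enum may not fit both unless the two profiles get separate definitions. A `description` on `localhostProfile` saying what the value is resolved against on the node would also help pipeline authors.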
From: Thomas Anderson <127358482+zc-devs@users.noreply.github.com>
Date: Fri, 5 Jan 2024 17:30:08 +0300
Subject: [PATCH 2/4] Added AppArmor
---
 pipeline/backend/kubernetes/pod.go | 42 +++++++++++++++++-
 pipeline/backend/kubernetes/pod_test.go | 11 +++--
 pipeline/backend/types/backend_kubernetes.go | 15 +++---
 pipeline/frontend/yaml/compiler/convert.go | 8 +++-
 .../frontend/yaml/linter/schema/schema.json | 9 ++--
 .../frontend/yaml/types/backend_options.go | 15 +++---
 6 files changed, 76 insertions(+), 24 deletions(-)
diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
index 3e5028339e..9ad095ccaf 100644
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -43,7 +43,7 @@ func mkPod(namespace, name, image, workDir, goos, serviceAccountName string,
 ) (*v1.Pod, error) {
 var err error
- meta := podMeta(name, namespace, labels, annotations)
+ meta := podMeta(name, namespace, labels, annotations, securityContext)
 spec, err := podSpec(serviceAccountName, vols, pullSecretNames, env, nodeSelector, extraHosts, tolerations, securityContext, securityContextConfig)
@@ -70,13 +70,20 @@ func podName(step *types.Step) (string, error) {
 return dnsName(step.Name)
 }
-func podMeta(name, namespace string, labels, annotations map[string]string) metav1.ObjectMeta {
+func podMeta(name, namespace string, labels, annotations map[string]string, securityContext *types.SecurityContext) metav1.ObjectMeta {
 meta := metav1.ObjectMeta{
 Name: name,
 Namespace: namespace,
 Annotations: annotations,
 }
+ if securityContext != nil {
+ key, value := apparmorAnnotation(name, securityContext.ApparmorProfile)
+ if key != nil && value != nil {
+ meta.Annotations[*key] = *value
+ }
+ }
+
 if labels == nil {
 labels = make(map[string]string, 1)
 }
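Review bot: podMeta builds the AppArmor annotation key from the pod `name`, but `container.apparmor.security.beta.kubernetes.io/<name>` is matched against a container name, so the profile only takes effect if the step container is named identically to the pod; that is decided in the container-building code outside this hunk and nothing here records the assumption. If it holds, a comment at the `apparmorAnnotation(name, ...)` call such as `// the step container is named after the pod, so the pod name doubles as the annotation's container name` makes the coupling visible; if it does not, the pod runs without the requested profile and nothing reports it. The expected fixture in the pod_test.go hunk relies on the same assumption. podMeta continues past the end of this hunk.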
@@ -341,7 +348,7 @@ func podSecurityContext(sc *types.SecurityContext, secCtxConf SecurityContextCon
 return securityContext
 }
-func seccompProfile(scp *types.SeccompProfile) *v1.SeccompProfile {
+func seccompProfile(scp *types.SecProfile) *v1.SeccompProfile {
 if scp == nil || len(scp.Type) == 0 {
 return nil
 }
@@ -376,6 +383,35 @@ func containerSecurityContext(sc *types.SecurityContext, stepPrivileged bool) *v
 return securityContext
 }
+func apparmorAnnotation(containerName string, scp *types.SecProfile) (*string, *string) {
+ if scp == nil {
+ return nil, nil
+ }
+
+ var (
+ profileType string
+ profilePath string
+ )
+
+ if scp.Type == "RuntimeDefault" {
+ profileType = "runtime"
+ profilePath = "default"
+ }
+
+ if scp.Type == "Localhost" {
+ profileType = "localhost"
+ profilePath = scp.LocalhostProfile
+ }
+
+ if len(profileType) == 0 {
+ return nil, nil
+ }
+
+ key := "container.apparmor.security.beta.kubernetes.io/" + containerName
+ value := profileType + "/" + profilePath
+ return &key, &value
+}
+
 func mapToEnvVars(m map[string]string) []v1.EnvVar {
 var ev []v1.EnvVar
 for k, v := range m {
diff --git a/pipeline/backend/kubernetes/pod_test.go b/pipeline/backend/kubernetes/pod_test.go
index f5ad21498a..e812b63af7 100644
--- a/pipeline/backend/kubernetes/pod_test.go
+++ b/pipeline/backend/kubernetes/pod_test.go
@@ -129,7 +129,8 @@ func TestFullPod(t *testing.T) {
 "step": "wp-01he8bebctabr3kgk0qj36d2me-0"
 },
 "annotations": {
- "apparmor.security": "runtime/default"
+ "apps.kubernetes.io/pod-index": "0",
+ "container.apparmor.security.beta.kubernetes.io/wp-01he8bebctabr3kgk0qj36d2me-0": "localhost/k8s-apparmor-example-deny-write"
 }
 },
 "spec": {
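Review bot: apparmorAnnotation fails open: a `Type` other than RuntimeDefault or Localhost returns `nil, nil`, and a Localhost profile with an empty `LocalhostProfile` produces the value `localhost/`, so a misconfigured pipeline either runs its step without the profile or hands the kubelet an invalid annotation, whereas the seccomp path at least forwards the input for the API server to reject. I would refuse both cases, at minimum `if len(profileType) == 0 || len(profilePath) == 0 { log.Warn().Msgf("unsupported AppArmor profile %+v, pod will run without it", scp); return nil, nil }`, and preferably an error so the pod is not created at all. The `(*string, *string)` return is an unidiomatic way to signal absence; `(key, value string, ok bool)` would drop the pointer handling and the double nil check in podMeta. mapToEnvVars at the bottom of the hunk continues outside it.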
@@ -252,15 +253,19 @@ func TestFullPod(t *testing.T) {
 RunAsUser: newInt64(101),
 RunAsGroup: newInt64(101),
 FSGroup: newInt64(101),
- SeccompProfile: &types.SeccompProfile{
+ SeccompProfile: &types.SecProfile{
 Type: "Localhost",
 LocalhostProfile: "profiles/audit.json",
 },
+ ApparmorProfile: &types.SecProfile{
+ Type: "Localhost",
+ LocalhostProfile: "k8s-apparmor-example-deny-write",
+ },
 }
 pod, err := mkPod("woodpecker", "wp-01he8bebctabr3kgk0qj36d2me-0", "meltwater/drone-cache", "/woodpecker/src", "linux/amd64", "wp-svc-acc", true, true, []string{"go get", "go test"}, []string{"woodpecker-cache:/woodpecker/src/cache"}, []string{"regcred", "another-pull-secret"},
- map[string]string{"app": "test"}, map[string]string{"apparmor.security": "runtime/default"}, map[string]string{"CGO": "0"}, map[string]string{"storage": "ssd"},
+ map[string]string{"app": "test"}, map[string]string{"apps.kubernetes.io/pod-index": "0"}, map[string]string{"CGO": "0"}, map[string]string{"storage": "ssd"},
 hostAliases, []types.Toleration{{Key: "net-port", Value: "100Mbit", Effect: types.TaintEffectNoSchedule}}, types.Resources{Requests: map[string]string{"memory": "128Mi", "cpu": "1000m"}, Limits: map[string]string{"memory": "256Mi", "cpu": "2"}},
 &secCtx, SecurityContextConfig{RunAsNonRoot: false},
diff --git a/pipeline/backend/types/backend_kubernetes.go b/pipeline/backend/types/backend_kubernetes.go
index 47325b62e2..94d7ee91a1 100644
--- a/pipeline/backend/types/backend_kubernetes.go
+++ b/pipeline/backend/types/backend_kubernetes.go
@@ -54,15 +54,16 @@ const (
 )
 type SecurityContext struct {
- Privileged *bool `json:"privileged,omitempty"`
- RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
- RunAsUser *int64 `json:"runAsUser,omitempty"`
- RunAsGroup *int64 `json:"runAsGroup,omitempty"`
- FSGroup *int64 `json:"fsGroup,omitempty"`
- SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
+ Privileged *bool `json:"privileged,omitempty"`
+ RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `json:"runAsUser,omitempty"`
+ RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+ FSGroup *int64 `json:"fsGroup,omitempty"`
+ SeccompProfile *SecProfile `json:"seccompProfile,omitempty"`
+ ApparmorProfile *SecProfile `json:"apparmorProfile,omitempty"`
 }
-type SeccompProfile struct {
+type SecProfile struct {
 Type string `json:"type,omitempty"`
 LocalhostProfile string `json:"localhostProfile,omitempty"`
 }
diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
index 54057ba254..adb772e0f4 100644
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -242,7 +242,13 @@ func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOption
 FSGroup: kubeOpt.SecurityContext.FSGroup,
 }
 if kubeOpt.SecurityContext.SeccompProfile != nil {
- securityContext.SeccompProfile = &backend_types.SeccompProfile{
+ securityContext.SeccompProfile = &backend_types.SecProfile{
+ Type: kubeOpt.SecurityContext.SeccompProfile.Type,
+ LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
+ }
+ }
+ if kubeOpt.SecurityContext.ApparmorProfile != nil {
+ securityContext.ApparmorProfile = &backend_types.SecProfile{
 Type: kubeOpt.SecurityContext.SeccompProfile.Type,
 LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
 }
diff --git a/pipeline/frontend/yaml/linter/schema/schema.json b/pipeline/frontend/yaml/linter/schema/schema.json
index e12bb0fd7f..bdb4cccf79 100644
--- a/pipeline/frontend/yaml/linter/schema/schema.json
+++ b/pipeline/frontend/yaml/linter/schema/schema.json
@@ -731,12 +731,15 @@
 "type": "number"
 },
 "seccompProfile": {
- "$ref": "#/definitions/step_backend_kubernetes_seccomp"
+ "$ref": "#/definitions/step_backend_kubernetes_secprofile"
+ },
+ "apparmorProfile": {
+ "$ref": "#/definitions/step_backend_kubernetes_secprofile"
 }
 }
 },
- "step_backend_kubernetes_seccomp": {
- "description": "Pods seccomp profile. Read more: https://woodpecker-ci.org/docs/administration/backends/kubernetes",
+ "step_backend_kubernetes_secprofile": {
+ "description": "Pods / containers security profile. Read more: https://woodpecker-ci.org/docs/administration/backends/kubernetes",
 "type": "object",
 "properties": {
 "type": {
diff --git a/pipeline/frontend/yaml/types/backend_options.go b/pipeline/frontend/yaml/types/backend_options.go
index a568b14b39..5c1a1b7a9c 100644
--- a/pipeline/frontend/yaml/types/backend_options.go
+++ b/pipeline/frontend/yaml/types/backend_options.go
@@ -56,15 +56,16 @@ const (
 )
 type SecurityContext struct {
- Privileged *bool `yaml:"privileged,omitempty"`
- RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
- RunAsUser *int64 `yaml:"runAsUser,omitempty"`
- RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
- FSGroup *int64 `yaml:"fsGroup,omitempty"`
- SeccompProfile *SeccompProfile `yaml:"seccompProfile,omitempty"`
+ Privileged *bool `yaml:"privileged,omitempty"`
+ RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `yaml:"runAsUser,omitempty"`
+ RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
+ FSGroup *int64 `yaml:"fsGroup,omitempty"`
+ SeccompProfile *SecProfile `yaml:"seccompProfile,omitempty"`
+ ApparmorProfile *SecProfile `yaml:"apparmorProfile,omitempty"`
 }
-type SeccompProfile struct {
+type SecProfile struct {
 Type string `yaml:"type,omitempty"`
 LocalhostProfile string `yaml:"localhostProfile,omitempty"`
 }
From 101fd46ebd70c58ef4418efbcb3d899bd7fc532c Mon Sep 17 00:00:00 2001
From: Thomas Anderson <127358482+zc-devs@users.noreply.github.com>
Date: Fri, 5 Jan 2024 17:30:45 +0300
Subject: [PATCH 3/4] Improved code style
---
 pipeline/backend/kubernetes/pod.go | 6 +++---
 pipeline/backend/types/backend_kubernetes.go | 11 +++++++++--
 pipeline/frontend/yaml/compiler/convert.go | 4 ++--
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
index 9ad095ccaf..79ffa43d3b 100644
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -393,12 +393,12 @@ func apparmorAnnotation(containerName string, scp *types.SecProfile) (*string, *
 profilePath string
 )
- if scp.Type == "RuntimeDefault" {
+ if scp.Type == types.SecProfileTypeRuntimeDefault {
 profileType = "runtime"
 profilePath = "default"
 }
- if scp.Type == "Localhost" {
+ if scp.Type == types.SecProfileTypeLocalhost {
 profileType = "localhost"
 profilePath = scp.LocalhostProfile
 }
@@ -407,7 +407,7 @@ func apparmorAnnotation(containerName string, scp *types.SecProfile) (*string, *
 return nil, nil
 }
- key := "container.apparmor.security.beta.kubernetes.io/" + containerName
+ key := v1.AppArmorBetaContainerAnnotationKeyPrefix + containerName
 value := profileType + "/" + profilePath
 return &key, &value
 }
diff --git a/pipeline/backend/types/backend_kubernetes.go b/pipeline/backend/types/backend_kubernetes.go
index 94d7ee91a1..0c1a85ec1b 100644
--- a/pipeline/backend/types/backend_kubernetes.go
+++ b/pipeline/backend/types/backend_kubernetes.go
@@ -64,6 +64,13 @@ type SecurityContext struct {
 }
 type SecProfile struct {
- Type string `json:"type,omitempty"`
- LocalhostProfile string `json:"localhostProfile,omitempty"`
+ Type SecProfileType `json:"type,omitempty"`
+ LocalhostProfile string `json:"localhostProfile,omitempty"`
 }
+
+type SecProfileType string
+
+const (
+ SecProfileTypeRuntimeDefault SecProfileType = "RuntimeDefault"
+ SecProfileTypeLocalhost SecProfileType = "Localhost"
+)
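Review bot: SecProfileType declares only RuntimeDefault and Localhost, but nothing validates a SecProfile against them: seccompProfile in pod.go (not part of this hunk) still converts any value straight to `v1.SeccompProfileType`, so `Unconfined` works for seccomp without a constant while the same string is silently dropped by apparmorAnnotation. Either declare the third value and handle it explicitly in both mappers, or validate in the converter so an unknown type is a pipeline error instead of backend-dependent behaviour. The exported SecProfile, SecProfileType and the two constants have no doc comments; `// SecProfileType names the kind of seccomp or AppArmor profile a step requests.` and `// SecProfile selects a seccomp or AppArmor profile; LocalhostProfile is only read for SecProfileTypeLocalhost.` would cover the types. apparmorAnnotation starts above the first pod.go hunk and its body continues between the two.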
diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
index adb772e0f4..449820cbac 100644
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -243,13 +243,13 @@ func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOption
 }
 if kubeOpt.SecurityContext.SeccompProfile != nil {
 securityContext.SeccompProfile = &backend_types.SecProfile{
- Type: kubeOpt.SecurityContext.SeccompProfile.Type,
+ Type: backend_types.SecProfileType(kubeOpt.SecurityContext.SeccompProfile.Type),
 LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
 }
 }
 if kubeOpt.SecurityContext.ApparmorProfile != nil {
 securityContext.ApparmorProfile = &backend_types.SecProfile{
- Type: kubeOpt.SecurityContext.SeccompProfile.Type,
+ Type: backend_types.SecProfileType(kubeOpt.SecurityContext.SeccompProfile.Type),
 LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
 }
 }
From ab295344f8eb72e78944550bd6b8405f88847341 Mon Sep 17 00:00:00 2001
From: Thomas Anderson <127358482+zc-devs@users.noreply.github.com>
Date: Wed, 10 Jan 2024 15:50:01 +0300
Subject: [PATCH 4/4] Bug fixes
- fixed converter (NPE)
- fixed engine config corruption
- added some logs
---
 pipeline/backend/kubernetes/pod.go | 10 +++++++---
 pipeline/frontend/yaml/compiler/convert.go | 4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
index 79ffa43d3b..d345d16ecc 100644
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -72,11 +72,13 @@ func podName(step *types.Step) (string, error) {
 func podMeta(name, namespace string, labels, annotations map[string]string, securityContext *types.SecurityContext) metav1.ObjectMeta {
 meta := metav1.ObjectMeta{
- Name: name,
- Namespace: namespace,
- Annotations: annotations,
+ Name: name,
+ Namespace: namespace,
 }
+ meta.Annotations = make(map[string]string)
+ maps.Copy(meta.Annotations, annotations)
+
 if securityContext != nil {
 key, value := apparmorAnnotation(name, securityContext.ApparmorProfile)
 if key != nil && value != nil {
@@ -352,6 +354,7 @@ func seccompProfile(scp *types.SecProfile) *v1.SeccompProfile {
 if scp == nil || len(scp.Type) == 0 {
 return nil
 }
+ log.Trace().Msgf("Using seccomp profile: %v", scp)
 seccompProfile := &v1.SeccompProfile{
 Type: v1.SeccompProfileType(scp.Type),
@@ -387,6 +390,7 @@ func apparmorAnnotation(containerName string, scp *types.SecProfile) (*string, *
 if scp == nil {
 return nil, nil
 }
+ log.Trace().Msgf("Using AppArmor profile: %v", scp)
 var (
 profileType string
diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
index 449820cbac..c68360c0f2 100644
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@@ -249,8 +249,8 @@ func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOption
 }
 if kubeOpt.SecurityContext.ApparmorProfile != nil {
 securityContext.ApparmorProfile = &backend_types.SecProfile{
- Type: backend_types.SecProfileType(kubeOpt.SecurityContext.SeccompProfile.Type),
- LocalhostProfile: kubeOpt.SecurityContext.SeccompProfile.LocalhostProfile,
+ Type: backend_types.SecProfileType(kubeOpt.SecurityContext.ApparmorProfile.Type),
+ LocalhostProfile: kubeOpt.SecurityContext.ApparmorProfile.LocalhostProfile,
 }
 }
 }
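Review bot: podMeta now calls `maps.Copy`, yet the pod.go diffstat (`10 +++++++---`, i.e. exactly the seven insertions visible across its three hunks) contains no import hunk, so unless `maps` is already imported in pod.go the file will not build; worth confirming before merge. The two new trace lines format the profile with `%v`; `%+v` would print field names, which is what you want when diagnosing a profile the kubelet rejected. The convert.go hunk fixes ApparmorProfile being filled from (and dereferencing) SeccompProfile, but no test comes with it; a table test for convertKubernetesBackendOptions with only `apparmorProfile` set would have caught the nil dereference and the wrong source field and guards against the next copy-paste. podMeta and convertKubernetesBackendOptions both continue outside their hunks.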