feat: Adapt AppArmor enforcer for K8s v1.30 and above

bytedance · Aug 20, 2024 · f62c5e7 · f62c5e7
1 parent 2cc429c
commit f62c5e7
Show file tree

Hide file tree

Showing 6 changed files with 581 additions and 66 deletions.
diff --git a/cmd/varmor/main.go b/cmd/varmor/main.go
@@ -135,6 +135,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	config.AppArmorGA, err = varmorutils.IsAppArmorGA(config.ServerVersion)
+	if err != nil {
+		setupLog.Error(err, "varmorutils.IsAppArmorGA()")
+		os.Exit(1)
+	}
+
 	if debug {
 		gin.SetMode(gin.DebugMode)
 	} else {

diff --git a/internal/agent/utils.go b/internal/agent/utils.go
@@ -127,7 +127,7 @@ func isSeccompSupported(versionInfo *version.Info) (bool, error) {
 	}
 
 	if major <= 1 && minor < 19 {
-		return false, fmt.Errorf(fmt.Sprintf("The current version of Kubernetes is v%d.%d", major, minor))
+		return false, fmt.Errorf("the current version of Kubernetes is v%d.%d", major, minor)
 	}
 	return true, nil
 }

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -31,8 +31,11 @@ var (
 	// ServerVersion cache APIServer version information
 	ServerVersion = &version.Info{}
 
+	// appArmorGA is true if the APIServer version is 1.30 and above
+	AppArmorGA = false
+
 	// Namespace is the vArmor namespace
-	Namespace = GetNamespace()
+	Namespace = getNamespace()
 
 	// ManagerName is the deployment name of vArmor manager
 	ManagerName = "varmor-manager"
@@ -153,7 +156,7 @@ func createClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
 
-func GetNamespace() string {
+func getNamespace() string {
 	content, err := os.ReadFile("/run/secrets/kubernetes.io/serviceaccount/namespace")
 	if err != nil {
 		return "varmor"

diff --git a/internal/utils/utils.go b/internal/utils/utils.go
@@ -23,6 +23,8 @@ import (
 	"math/rand"
 	"net/http"
 	"os"
+	"strconv"
+	"strings"
 	"sync/atomic"
 	"time"
 
@@ -31,6 +33,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/version"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	varmorconfig "github.com/bytedance/vArmor/internal/config"
@@ -272,3 +275,20 @@ func GinLogger() gin.HandlerFunc {
 		return ""
 	})
 }
+
+func IsAppArmorGA(versionInfo *version.Info) (bool, error) {
+	major, err := strconv.Atoi(versionInfo.Major)
+	if err != nil {
+		return false, err
+	}
+
+	minor, err := strconv.Atoi(strings.TrimRight(versionInfo.Minor, "+"))
+	if err != nil {
+		return false, err
+	}
+
+	if major <= 1 && minor < 30 {
+		return false, nil
+	}
+	return true, nil
+}