From d40efb38634135cde2ab62ac602e8fc1ba7a85f9 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Mon, 30 Sep 2024 16:20:07 +0300
Subject: [PATCH] qat: set AppArmorProfile and drop AppArmor annotations
It's been GA since k8s 1.30 so we can enable it unconditionally starting with our 0.32 release.
Signed-off-by: Mikko Ylinen
---
 cmd/qat_plugin/README.md | 2 --
 .../deviceplugin_v1_dlbdeviceplugin.yaml | 6 ------
 .../deviceplugin_v1_qatdeviceplugin.yaml | 6 ------
 .../qat_plugin/base/intel-qat-plugin.yaml | 6 ++----
 pkg/controllers/qat/controller.go | 13 ------------
 pkg/controllers/qat/controller_test.go | 6 +++---
 .../qatdeviceplugin_controller_test.go | 21 +------------------
 7 files changed, 6 insertions(+), 54 deletions(-)
diff --git a/cmd/qat_plugin/README.md b/cmd/qat_plugin/README.md
index 780ae4c81..db13ea013 100644
--- a/cmd/qat_plugin/README.md
+++ b/cmd/qat_plugin/README.md
@@ -149,8 +149,6 @@ There's also a possibility for a node specific congfiguration through passing a
 Existing DaemonSet annotations can be updated through CR annotations in [deviceplugin_v1_qatdeviceplugin.yaml](../../deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml).
-By default, the operator based deployment sets AppArmor policy to `"unconfined"` but this can be overridden by setting the AppArmor annotation to a new value in the CR annotations.
 For non-operator plugin deployments such annotations can be dropped with the kustomization if required.
 ### Verify Plugin Registration
diff --git a/deployments/operator/samples/deviceplugin_v1_dlbdeviceplugin.yaml b/deployments/operator/samples/deviceplugin_v1_dlbdeviceplugin.yaml
index 589c05304..1dbdf6435 100644
--- a/deployments/operator/samples/deviceplugin_v1_dlbdeviceplugin.yaml
+++ b/deployments/operator/samples/deviceplugin_v1_dlbdeviceplugin.yaml
@@ -2,12 +2,6 @@ apiVersion: deviceplugin.intel.com/v1
 kind: DlbDevicePlugin
 metadata:
 name: dlbdeviceplugin-sample
- # example apparmor annotation
- # see more details here:
- # - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
- # - https://github.com/intel/intel-device-plugins-for-kubernetes/issues/381
- # annotations:
- # container.apparmor.security.beta.kubernetes.io/intel-dlb-plugin: unconfined
 spec:
 image: intel/intel-dlb-plugin:0.31.0
 initImage: intel/intel-dlb-initcontainer:0.31.0
diff --git a/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml b/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
index 82a67c1f1..032e238a2 100644
--- a/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
+++ b/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
@@ -2,12 +2,6 @@ apiVersion: deviceplugin.intel.com/v1
 kind: QatDevicePlugin
 metadata:
 name: qatdeviceplugin-sample
- # example apparmor annotation
- # see more details here:
- # - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
- # - https://github.com/intel/intel-device-plugins-for-kubernetes/issues/381
- # annotations:
- # container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
 image: intel/intel-qat-plugin:0.31.0
 initImage: intel/intel-qat-initcontainer:0.31.0
diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
index fd0075107..846dc314c 100644
--- a/deployments/qat_plugin/base/intel-qat-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -4,8 +4,6 @@ metadata:
 name: intel-qat-plugin
 labels:
 app: intel-qat-plugin
- annotations:
- container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
 selector:
 matchLabels:
@@ -19,8 +17,6 @@ spec:
 metadata:
 labels:
 app: intel-qat-plugin
- annotations:
- container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
 automountServiceAccountToken: false
 containers:
@@ -32,6 +28,8 @@ spec:
 fieldPath: spec.nodeName
 image: intel/intel-qat-plugin:devel
 securityContext:
+ appArmorProfile:
+ type: "Unconfined"
 seLinuxOptions:
 type: "container_device_plugin_t"
 readOnlyRootFilesystem: true
diff --git a/pkg/controllers/qat/controller.go b/pkg/controllers/qat/controller.go
index a267878f4..36153d86d 100644
--- a/pkg/controllers/qat/controller.go
+++ b/pkg/controllers/qat/controller.go
@@ -78,12 +78,8 @@ func (c *controller) Upgrade(ctx context.Context, obj client.Object) bool {
 func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 devicePlugin := rawObj.(*devicepluginv1.QatDevicePlugin)
- annotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
-
 daemonSet := deployments.QATPluginDaemonSet()
 daemonSet.Name = controllers.SuffixedName(daemonSet.Name, devicePlugin.Name)
- daemonSet.Annotations = annotations
- daemonSet.Spec.Template.Annotations = annotations
 if devicePlugin.Spec.Tolerations != nil {
 daemonSet.Spec.Template.Spec.Tolerations = devicePlugin.Spec.Tolerations
@@ -107,15 +103,6 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 func (c *controller) UpdateDaemonSet(rawObj client.Object, ds *apps.DaemonSet) (updated bool) {
 dp := rawObj.(*devicepluginv1.QatDevicePlugin)
- // Update only existing daemonset annotations
- for k, v := range ds.ObjectMeta.Annotations {
- if v2, ok := dp.ObjectMeta.Annotations[k]; ok && v2 != v {
- ds.ObjectMeta.Annotations[k] = v2
- ds.Spec.Template.Annotations[k] = v2
- updated = true
- }
- }
-
 if ds.Spec.Template.Spec.Containers[0].Image != dp.Spec.Image {
 ds.Spec.Template.Spec.Containers[0].Image = dp.Spec.Image
 updated = true
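Review bot: The `appArmorProfile: type: "Unconfined"` added under the plugin container's securityContext carries no comment saying why this container must run without AppArmor, and the same patch deletes the sample-file comments that pointed at intel/intel-device-plugins-for-kubernetes#381, so nothing left in the tree tells an operator hardening this DaemonSet that the value is deliberate rather than an oversight. I'd put a comment directly above the added lines, e.g. `# AppArmor is intentionally disabled for the plugin container; see issue #381. Requires a Kubernetes 1.30+ API server (securityContext.appArmorProfile).` — the concrete reason is not visible in this diff, so take the wording from the referenced issue. The version caveat matters because on an older API server the field is unknown and is either pruned or rejected depending on field validation; if it is pruned, the container silently lands on the runtime's default AppArmor profile instead of running unconfined as the removed annotation guaranteed, and the README hunk in this patch drops its only AppArmor sentence without stating the new minimum version anywhere.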
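Review bot: With the annotation copy removed from NewDaemonSet, a QatDevicePlugin CR that still sets `container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: localhost/<profile>` — the override that the README text deleted in this patch used to document — is accepted and silently ignored, and the pod comes up Unconfined rather than under the profile the operator asked for; a silent loss of confinement is worse than a hard error. At minimum I'd log a warning here when `devicePlugin.Annotations` contains a key with the `container.apparmor.security.beta.kubernetes.io/` prefix, or reject it in CRD validation if the project has one outside this hunk, and state in the CRD documentation that CR annotations are no longer propagated to the DaemonSet or its pod template. NewDaemonSet continues past the end of the hunk.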
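Review bot: UpdateDaemonSet no longer reconciles annotations at all, so a DaemonSet created by a pre-0.32 operator keeps whatever `container.apparmor.security.beta.kubernetes.io/intel-qat-plugin` annotation its pod template already had after the operator is upgraded. If the code outside this hunk also starts writing `appArmorProfile` into that template's container securityContext, a template whose stale annotation says `localhost/<profile>` while the field says `Unconfined` is rejected by a 1.30+ API server, which per the Kubernetes AppArmor documentation requires annotation and field to agree when both are present; if it does not, the old annotation keeps governing and the operator and kustomize deployment paths quietly diverge. I'd delete that annotation key from `ds.Spec.Template.Annotations` and `ds.ObjectMeta.Annotations` in this function and set `updated = true` when it was present, so existing DaemonSets converge on the field-based setting. The function continues past the end of the hunk.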
diff --git a/pkg/controllers/qat/controller_test.go b/pkg/controllers/qat/controller_test.go
index d94323402..be23a9bd1 100644
--- a/pkg/controllers/qat/controller_test.go
+++ b/pkg/controllers/qat/controller_test.go
@@ -39,7 +39,6 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 devicePlugin := rawObj.(*devicepluginv1.QatDevicePlugin)
 yes := true
 no := false
- pluginAnnotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
 maxUnavailable := intstr.FromInt(1)
 maxSurge := intstr.FromInt(0)
@@ -54,7 +53,6 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 Labels: map[string]string{
 "app": appLabel,
 },
- Annotations: pluginAnnotations,
 },
 Spec: apps.DaemonSetSpec{
 Selector: &metav1.LabelSelector{
@@ -74,7 +72,6 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 Labels: map[string]string{
 "app": appLabel,
 },
- Annotations: pluginAnnotations,
 },
 Spec: v1.PodSpec{
 AutomountServiceAccountToken: &no,
@@ -95,6 +92,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 Image: devicePlugin.Spec.Image,
 ImagePullPolicy: "IfNotPresent",
 SecurityContext: &v1.SecurityContext{
+ AppArmorProfile: &v1.AppArmorProfile{
+ Type: "Unconfined",
+ },
 SELinuxOptions: &v1.SELinuxOptions{
 Type: "container_device_plugin_t",
 },
diff --git a/test/envtest/qatdeviceplugin_controller_test.go b/test/envtest/qatdeviceplugin_controller_test.go
index e6076b44c..1b58095ed 100644
--- a/test/envtest/qatdeviceplugin_controller_test.go
+++ b/test/envtest/qatdeviceplugin_controller_test.go
@@ -46,14 +46,9 @@ var _ = Describe("QatDevicePlugin Controller", func() {
 Name: "qatdeviceplugin-test",
 }
- annotations := map[string]string{
- "container.apparmor.security.beta.kubernetes.io/intel-qat-plugin": "unconfined",
- }
-
 toCreate := &devicepluginv1.QatDevicePlugin{
 ObjectMeta: metav1.ObjectMeta{
- Name: key.Name,
- Annotations: annotations,
+ Name: key.Name,
 },
 Spec: spec,
 }
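Review bot: The expected `AppArmorProfile` in newDaemonSetExpected uses the bare literal `Type: "Unconfined"`, which compiles because the field has a string-based type, so a typo here would only surface as a failing comparison instead of a compile error. Prefer the typed constant from the package this file already imports as `v1`: `Type: v1.AppArmorProfileTypeUnconfined,`. newDaemonSetExpected starts before and ends after this hunk.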
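Review bot: Removing `annotations` from the test object, together with the assertions the following hunk deletes, leaves this envtest suite with no check at all of the AppArmor setting on the DaemonSet the controller actually creates; the unit test in controller_test.go only compares an expected struct, whereas this suite round-trips the object through an API server, which is exactly where an `appArmorProfile` field would be pruned if the envtest binaries are older than 1.30. Next to the existing NodeSelector and Tolerations expectations I'd add something like `Expect(ds.Spec.Template.Spec.Containers[0].SecurityContext.AppArmorProfile).To(Equal(&corev1.AppArmorProfile{Type: corev1.AppArmorProfileTypeUnconfined}))`, using whatever alias this file imports k8s.io/api/core/v1 under. The Describe block starts before and continues past the hunk.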
@@ -80,20 +75,6 @@ var _ = Describe("QatDevicePlugin Controller", func() {
 Expect(ds.Spec.Template.Spec.NodeSelector).To(Equal(spec.NodeSelector))
 Expect(ds.Spec.Template.Spec.Tolerations).To(HaveLen(0))
- By("copy annotations successfully")
- Expect(&(fetched.Annotations) == &annotations).ShouldNot(BeTrue())
- Eventually(fetched.Annotations).Should(Equal(annotations))
-
- By("updating annotations successfully")
- updatedAnnotations := map[string]string{"key": "value"}
- fetched.Annotations = updatedAnnotations
- Expect(k8sClient.Update(context.Background(), fetched)).Should(Succeed())
- updated := &devicepluginv1.QatDevicePlugin{}
- Eventually(func() map[string]string {
- _ = k8sClient.Get(context.Background(), key, updated)
- return updated.Annotations
- }, timeout, interval).Should(Equal(updatedAnnotations))
-
 By("updating QatDevicePlugin successfully")
 updatedImage := "updated-qat-testimage"
 updatedInitImage := "updated-qat-testinitimage"