Fix apparmor policy configuration in Daemonset and minor bug fixes

minio · Jan 24, 2023 · cff4e0d · cff4e0d
1 parent 7532f5f
commit cff4e0d
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 9 deletions.
diff --git a/apparmor.profile b/apparmor.profile
@@ -15,7 +15,6 @@ profile directpv flags=(attach_disconnected,mediate_deleted) {
 
   deny /bin/** wl,
   deny /boot/** wl,
-  deny /dev/** wl,
   deny /etc/** wl,
   deny /home/** wl,
   deny /lib/** wl,
@@ -27,9 +26,7 @@ profile directpv flags=(attach_disconnected,mediate_deleted) {
   deny /root/** wl,
   deny /sbin/** wl,
   deny /srv/** wl,
-  deny /tmp/** wl,
   deny /sys/** wl,
-  deny /dev/** wl,
   deny /run/udev/data/** wl,
   # deny /usr/** wl,
 
@@ -82,4 +79,4 @@ profile directpv flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
-}
+}
diff --git a/cmd/kubectl-directpv/discover.go b/cmd/kubectl-directpv/discover.go
@@ -245,7 +245,7 @@ func discoverDevices(ctx context.Context, nodes []types.Node) (devices map[direc
 				return
 			}
 			switch event.Type {
-			case watch.Modified:
+			case watch.Modified, watch.Added:
 				node := event.Node
 				if !node.Spec.Refresh {
 					devices[directpvtypes.NodeID(node.Name)] = node.GetDevicesByNames(drivesArgs)
@@ -258,7 +258,7 @@ func discoverDevices(ctx context.Context, nodes []types.Node) (devices map[direc
 			default:
 			}
 		case <-ctx.Done():
-			err = fmt.Errorf("unable to discover devices; %v", ctx.Err())
+			utils.Eprintf(quietFlag, true, "unable to complete the discovery; %v\n", ctx.Err())
 			return
 		}
 	}

diff --git a/cmd/kubectl-directpv/init.go b/cmd/kubectl-directpv/init.go
@@ -196,7 +196,7 @@ func initDevices(ctx context.Context, initRequests []types.InitRequest, requestI
 				return
 			}
 			switch event.Type {
-			case watch.Modified:
+			case watch.Modified, watch.Added:
 				initReq := event.InitRequest
 				if initReq.Status.Status != directpvtypes.InitStatusPending {
 					results = append(results, initResult{

diff --git a/pkg/device/sysfs_linux.go b/pkg/device/sysfs_linux.go
@@ -100,7 +100,7 @@ func getPartitions(name string) ([]string, error) {
 }
 
 func getHolders(name string) ([]string, error) {
-	return readdirnames("/sys/block/"+name+"/holders", false)
+	return readdirnames("/sys/class/block/"+name+"/holders", false)
 }
 
 func getDMName(name string) (string, error) {

diff --git a/pkg/installer/daemonset.go b/pkg/installer/daemonset.go
@@ -202,7 +202,10 @@ func livenessProbeContainer(image string) corev1.Container {
 func newDaemonset(podSpec corev1.PodSpec, name, appArmorProfile string) *appsv1.DaemonSet {
 	annotations := map[string]string{createdByLabel: pluginName}
 	if appArmorProfile != "" {
-		annotations["container.apparmor.security.beta.kubernetes.io/"+consts.AppName] = appArmorProfile
+		// AppArmor profiles need to be specified per-container
+		for _, container := range podSpec.Containers {
+			annotations["container.apparmor.security.beta.kubernetes.io/"+container.Name] = "localhost/" + appArmorProfile
+		}
 	}
 	selectorValue := fmt.Sprintf("%v-%v", consts.Identity, getRandSuffix())