Merge pull request #1591 from ozhuraki/qat-apparmor

qat: Add AppArmor unconfided anntotation configurability in the operator

Author: mythi

cmd/qat_plugin/README.md

@@ -148,6 +148,11 @@ When using the operator for deploying the plugin with provisioning config, use `
 
 There's also a possibility for a node specific congfiguration through passing a nodename via `NODE_NAME` into initcontainer's environment and passing a node specific profile (`qat-$NODE_NAME.conf`) via ConfigMap volume mount.
 
+Existing DaemonSet annotations can be updated through CR annotations in [deviceplugin_v1_qatdeviceplugin.yaml](../../deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml).
+
+By default, the operator based deployment sets AppArmor policy to `"unconfined"` but this can be overridden by setting the AppArmor annotation to a new value in the CR annotations.
+
+For non-operator plugin deployments such annotations can be dropped with the kustomization if required.
 
 ### Verify Plugin Registration
 

deployments/qat_plugin/base/intel-qat-plugin.yaml

@@ -4,6 +4,8 @@ metadata:
   name: intel-qat-plugin
   labels:
     app: intel-qat-plugin
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
     metadata:
       labels:
         app: intel-qat-plugin
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
     spec:
       automountServiceAccountToken: false
       containers:

deployments/qat_plugin/overlays/apparmor_unconfined/kustomization.yaml

@@ -1,6 +1,4 @@
 nameSuffix: -e2e
-commonAnnotations:
-  container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 
 resources:
 - ../qat_initcontainer

deployments/qat_plugin/overlays/e2e/kustomization.yaml

@@ -103,16 +103,13 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 func (c *controller) UpdateDaemonSet(rawObj client.Object, ds *apps.DaemonSet) (updated bool) {
 	dp := rawObj.(*devicepluginv1.QatDevicePlugin)
 
-	// Remove always incrementing annotation so it doesn't cause the next DeepEqual
-	// to return false every time.
-	dsAnnotations := ds.ObjectMeta.DeepCopy().Annotations
-	delete(dsAnnotations, "deprecated.daemonset.template.generation")
-
-	if !reflect.DeepEqual(dsAnnotations, dp.ObjectMeta.Annotations) {
-		pluginAnnotations := dp.ObjectMeta.DeepCopy().Annotations
-		ds.ObjectMeta.Annotations = pluginAnnotations
-		ds.Spec.Template.Annotations = pluginAnnotations
-		updated = true
+	// Update only existing daemonset annotations
+	for k, v := range ds.ObjectMeta.Annotations {
+		if v2, ok := dp.ObjectMeta.Annotations[k]; ok && v2 != v {
+			ds.ObjectMeta.Annotations[k] = v2
+			ds.Spec.Template.Annotations[k] = v2
+			updated = true
+		}
 	}
 
 	if ds.Spec.Template.Spec.Containers[0].Image != dp.Spec.Image {

pkg/controllers/qat/controller.go

@@ -164,9 +164,16 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 func TestNewDaemonSetQAT(t *testing.T) {
 	c := &controller{}
 
-	plugin := &devicepluginv1.QatDevicePlugin{}
+	plugin := &devicepluginv1.QatDevicePlugin{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"container.apparmor.security.beta.kubernetes.io/intel-qat-plugin": "runtime/default",
+			},
+		},
+	}
 	plugin.Name = "testing"
 	plugin.Spec.InitImage = "intel/intel-qat-initcontainer:" + controllers.ImageMinVersion.String()
+
 	expected := c.newDaemonSetExpected(plugin)
 	actual := c.NewDaemonSet(plugin)