diff --git a/internal/behavior/preprocessor/apparmor.go b/internal/behavior/preprocessor/apparmor.go
index dde1067..c55ad7a 100644
--- a/internal/behavior/preprocessor/apparmor.go
+++ b/internal/behavior/preprocessor/apparmor.go
@@ -136,7 +136,7 @@ func (p *DataPreprocessor) converProfileToParents(profile string) string {
 	return profile
 }
 
-// Returns the operation type if known, unkown otherwise.
+// Returns the operation type if known, unknown otherwise.
 func (p *DataPreprocessor) opType(event *varmortypes.AaLogRecord) string {
 	if strings.HasPrefix(event.Operation, "file_") ||
 		strings.HasPrefix(event.Operation, "inode_") ||
diff --git a/internal/config/config.go b/internal/config/config.go
index 32dd981..e895834 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -117,7 +117,7 @@ var (
 	// WebhookSelectorLabel is used for matching the admission requests
 	WebhookSelectorLabel = map[string]string{}
 
-	// OmuxSocketPath is used for recieving the audit logs of AppArmor from rsyslog
+	// OmuxSocketPath is used for receiving the audit logs of AppArmor from rsyslog
 	OmuxSocketPath = "/var/run/varmor/audit/omuxsock.sock"
 )
 
diff --git a/internal/policy/clusterpolicy_controller.go b/internal/policy/clusterpolicy_controller.go
index 1e7521d..9ded316 100644
--- a/internal/policy/clusterpolicy_controller.go
+++ b/internal/policy/clusterpolicy_controller.go
@@ -499,6 +499,15 @@ func (c *ClusterPolicyController) handleUpdateVarmorClusterPolicy(newVp *varmor.
 
 		logger.Info("2.3. update ArmorProfile")
 		oldAp.Spec = *newApSpec
+		forceSetOwnerReference(oldAp, newVp, true)
+		_, err = c.varmorInterface.ArmorProfiles(oldAp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
+		if err != nil {
+			logger.Error(err, "ArmorProfile().Update()")
+			return err
+		}
+	} else if len(oldAp.OwnerReferences) == 0 {
+		// Forward compatibility, add an ownerReference to the existing ArmorProfile object
+		forceSetOwnerReference(oldAp, newVp, true)
 		_, err = c.varmorInterface.ArmorProfiles(oldAp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
 		if err != nil {
 			logger.Error(err, "ArmorProfile().Update()")
diff --git a/internal/policy/policy_controller.go b/internal/policy/policy_controller.go
index 57e6a42..2b4bebb 100644
--- a/internal/policy/policy_controller.go
+++ b/internal/policy/policy_controller.go
@@ -523,7 +523,16 @@ func (c *PolicyController) handleUpdateVarmorPolicy(newVp *varmor.VarmorPolicy,
 
 		logger.Info("2.3. update ArmorProfile")
 		oldAp.Spec = *newApSpec
-		_, err = c.varmorInterface.ArmorProfiles(newVp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
+		forceSetOwnerReference(oldAp, newVp, false)
+		_, err = c.varmorInterface.ArmorProfiles(oldAp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
+		if err != nil {
+			logger.Error(err, "ArmorProfile().Update()")
+			return err
+		}
+	} else if len(oldAp.OwnerReferences) == 0 {
+		// Forward compatibility, add an ownerReference to the existing ArmorProfile object
+		forceSetOwnerReference(oldAp, newVp, false)
+		_, err = c.varmorInterface.ArmorProfiles(oldAp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
 		if err != nil {
 			logger.Error(err, "ArmorProfile().Update()")
 			return err
diff --git a/internal/policy/update.go b/internal/policy/update.go
index f4a3c16..4fdae97 100644
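Review bot: Both branches of the if/else in handleUpdateVarmorClusterPolicy now end with the same `forceSetOwnerReference` + `Update` + error-handling sequence, once added above the new `} else if len(oldAp.OwnerReferences) == 0 {` line and once kept below it, and the hunk in internal/policy/policy_controller.go (handleUpdateVarmorPolicy) repeats the same duplication. Each branch only needs to decide that a write is required; the owner-reference fix-up and the single `Update` call can then follow the if/else once, which also keeps the two controllers from drifting apart the next time the update logic changes. The forward-compatibility branch is also silent, while the spec branch logs "2.3. update ArmorProfile"; a line such as `logger.Info("2.3. add ownerReference to the existing ArmorProfile")` would make the one-off migration of pre-existing ArmorProfile objects visible in the controller log. The head of the enclosing if statement and the function itself begin and end outside the hunk, so the sketch below assumes nothing else is done between the if/else and the update.

```go
	needUpdate := false
	// … unchanged: the condition that detects a changed ArmorProfile spec …
		logger.Info("2.3. update ArmorProfile")
		oldAp.Spec = *newApSpec
		needUpdate = true
	} else if len(oldAp.OwnerReferences) == 0 {
		// Forward compatibility, add an ownerReference to the existing ArmorProfile object
		logger.Info("2.3. add ownerReference to the existing ArmorProfile")
		needUpdate = true
	}
	if needUpdate {
		forceSetOwnerReference(oldAp, newVp, true)
		_, err = c.varmorInterface.ArmorProfiles(oldAp.Namespace).Update(context.Background(), oldAp, metav1.UpdateOptions{})
		if err != nil {
			logger.Error(err, "ArmorProfile().Update()")
			return err
		}
	}
```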
--- a/internal/policy/update.go
+++ b/internal/policy/update.go
@@ -507,3 +507,30 @@ func updateWorkloadAnnotationsAndEnv(
 		}
 	}
 }
+
+func forceSetOwnerReference(ap *varmor.ArmorProfile, obj interface{}, clusterScope bool) {
+	controller := true
+	if clusterScope {
+		vcp := obj.(*varmor.VarmorClusterPolicy)
+		ap.OwnerReferences = []metav1.OwnerReference{
+			{
+				APIVersion: "crd.varmor.org/v1beta1",
+				Kind: "VarmorClusterPolicy",
+				Name: vcp.Name,
+				UID: vcp.UID,
+				Controller: &controller,
+			},
+		}
+	} else {
+		vp := obj.(*varmor.VarmorPolicy)
+		ap.OwnerReferences = []metav1.OwnerReference{
+			{
+				APIVersion: "crd.varmor.org/v1beta1",
+				Kind: "VarmorPolicy",
+				Name: vp.Name,
+				UID: vp.UID,
+				Controller: &controller,
+			},
+		}
+	}
+}
diff --git a/internal/status/api/v1/manager.go b/internal/status/api/v1/manager.go
index 48dc511..21fdeb9 100644
--- a/internal/status/api/v1/manager.go
+++ b/internal/status/api/v1/manager.go
@@ -360,7 +360,7 @@ func (m *StatusManager) updateAllCRStatus(logger logr.Logger) {
 		return
 	}
 
-	// Get the list of nodes where the agent is running.
+	// Get the list of nodes where the agents are running.
 	nodes, err := m.retrieveNodeNameList()
 	if err != nil {
 		logger.Error(err, "m.retrieveNodeNameList()")
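Review bot: forceSetOwnerReference dereferences `obj` with unchecked type assertions on the `vcp := obj.(*varmor.VarmorClusterPolicy)` and `vp := obj.(*varmor.VarmorPolicy)` lines, so a caller that passes the wrong pointer, or a `clusterScope` flag that disagrees with the pointer, panics inside the controller's reconcile path instead of surfacing an error. The bool only restates the dynamic type of `obj`, so a type switch removes both the flag and the assertions, and the two near-identical literals collapse into one in which only Kind, Name and UID vary. Returning an error from the default case lets the two callers in internal/policy/clusterpolicy_controller.go and internal/policy/policy_controller.go fail the update cleanly; the fence uses `fmt.Errorf`, so adjust to whatever error helper update.go already imports. The function also deserves a doc comment stating that it replaces, rather than appends to, any ownerReferences already present on the ArmorProfile, since that is the "force" in its name and is what makes the forward-compatibility branch in the callers safe to run once. `metav1.NewControllerRef` would build an equivalent reference, but it additionally sets BlockOwnerDeletion, which the OwnerReferencesPermissionEnforcement admission plugin gates on finalizer permissions for the owner, so keeping the hand-built reference is a defensible choice.

```go
// forceSetOwnerReference replaces any ownerReferences already present on ap
// with a single controller reference to obj, which must be a
// *varmor.VarmorPolicy or a *varmor.VarmorClusterPolicy. Any other type
// yields an error rather than a panic so the caller can fail the update.
func forceSetOwnerReference(ap *varmor.ArmorProfile, obj interface{}) error {
	controller := true
	ref := metav1.OwnerReference{
		APIVersion: "crd.varmor.org/v1beta1",
		Controller: &controller,
	}
	switch owner := obj.(type) {
	case *varmor.VarmorClusterPolicy:
		ref.Kind, ref.Name, ref.UID = "VarmorClusterPolicy", owner.Name, owner.UID
	case *varmor.VarmorPolicy:
		ref.Kind, ref.Name, ref.UID = "VarmorPolicy", owner.Name, owner.UID
	default:
		return fmt.Errorf("unsupported owner type %T for ArmorProfile", obj)
	}
	ap.OwnerReferences = []metav1.OwnerReference{ref}
	return nil
}
```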