Add extra

Edan-Hamilton · Edan-Hamilton · commit 3ff9cf76b1d5 · 2025-06-05T13:29:12.000+10:00
diff --git a/api/apparmorprofile/v1alpha1/apparmorprofile_types.go b/api/apparmorprofile/v1alpha1/apparmorprofile_types.go
@@ -82,6 +82,8 @@ type AppArmorAbstract struct {
 	Network *AppArmorNetworkRules `json:"network,omitempty"`
 	// Capability rules for Linux capabilities.
 	Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
+	// Extra rules for other config.
+	Extra string `json:"extra,omitempty"`
 }
 
 // AppArmorProfileSpec defines the desired state of AppArmorProfile.
diff --git a/deploy/base-crds/crds/apparmorprofile.yaml b/deploy/base-crds/crds/apparmorprofile.yaml
@@ -72,6 +72,9 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    description: Extra rules for other config.
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/base/role.yaml b/deploy/base/role.yaml
@@ -326,92 +326,3 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: spo-webhook
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings
-  - profilerecordings
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings/finalizers
-  - profilerecordings/finalizers
-  verbs:
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings/status
-  - profilerecordings/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - seccompprofiles
-  - selinuxprofiles
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: spo-webhook
-  namespace: security-profiles-operator
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-- apiGroups:
-  - coordination.k8s.io
-  resourceNames:
-  - security-profiles-operator-webhook-lock
-  resources:
-  - leases
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - use
diff --git a/deploy/helm/crds/crds.yaml b/deploy/helm/crds/crds.yaml
@@ -2274,6 +2274,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/namespace-operator.yaml b/deploy/namespace-operator.yaml
@@ -2274,6 +2274,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/openshift-dev.yaml b/deploy/openshift-dev.yaml
@@ -85,6 +85,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/openshift-downstream.yaml b/deploy/openshift-downstream.yaml
@@ -2274,6 +2274,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -2274,6 +2274,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/deploy/webhook-operator.yaml b/deploy/webhook-operator.yaml
@@ -85,6 +85,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:
diff --git a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
@@ -80,6 +80,7 @@ profile {{.Name}} flags=({{.ProfileMode}},attach_disconnected,mediate_deleted) {
   {{end}}
 
   # Raw rules placeholder
+  {{.Abstract.Extra}}
 
   # Add default deny for known information leak/priv esc paths
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ type AppArmorAbstract struct {`
`82`	`82`	Network *AppArmorNetworkRules `json:"network,omitempty"`
`83`	`83`	`// Capability rules for Linux capabilities.`
`84`	`84`	Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
	`85`	`+ // Extra rules for other config.`
	`86`	+ Extra string `json:"extra,omitempty"`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`// AppArmorProfileSpec defines the desired state of AppArmorProfile.`