Add extra field to Abstract AppArmorProfile spec

api/apparmorprofile/v1alpha1/apparmorprofile_types.go

@@ -82,6 +82,8 @@ type AppArmorAbstract struct {
 	Network *AppArmorNetworkRules `json:"network,omitempty"`
 	// Capability rules for Linux capabilities.
 	Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
+	// Extra rules for other config.
+	Extra string `json:"extra,omitempty"`
 }
 
 // AppArmorProfileSpec defines the desired state of AppArmorProfile.

deploy/base-crds/crds/apparmorprofile.yaml

@@ -72,6 +72,9 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    description: Extra rules for other config.
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/base/role.yaml

@@ -326,92 +326,3 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: spo-webhook
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings
-  - profilerecordings
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings/finalizers
-  - profilerecordings/finalizers
-  verbs:
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - profilebindings/status
-  - profilerecordings/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security-profiles-operator.x-k8s.io
-  resources:
-  - seccompprofiles
-  - selinuxprofiles
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: spo-webhook
-  namespace: security-profiles-operator
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-- apiGroups:
-  - coordination.k8s.io
-  resourceNames:
-  - security-profiles-operator-webhook-lock
-  resources:
-  - leases
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - use

deploy/helm/crds/crds.yaml

@@ -2311,6 +2311,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/namespace-operator.yaml

@@ -2311,6 +2311,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/openshift-dev.yaml

@@ -85,6 +85,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/openshift-downstream.yaml

@@ -2311,6 +2311,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/operator.yaml

@@ -2311,6 +2311,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

deploy/webhook-operator.yaml

@@ -85,6 +85,8 @@ spec:
                           type: string
                         type: array
                     type: object
+                  extra:
+                    type: string
                   filesystem:
                     description: Filesystem rules for filesystem access.
                     properties:

internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go

@@ -80,6 +80,7 @@ profile {{.Name}} flags=({{.ProfileMode}},attach_disconnected,mediate_deleted) {
   {{end}}
 
   # Raw rules placeholder
+  {{.Abstract.Extra}}
 
   # Add default deny for known information leak/priv esc paths
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)