Merge pull request #1915 from daemon1024/apparmor-cleanup-graceful

feat(apparmor/host): cleanup profiles on gracefult termination
kubearmor · Dec 19, 2024 · c472718 · c472718
2 parents dc0bb33 + 98bc591
commit c472718
Showing 1 changed file with 20 additions and 15 deletions.
diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -440,32 +440,37 @@ func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool {
 		return true
 	}
 
+	ae.Logger.Printf("Unregistering the KubeArmor host profile from %s", cfg.GlobalCfg.Host)
+
 	ae.AppArmorProfilesLock.Lock()
 	defer ae.AppArmorProfilesLock.Unlock()
 
-	if err := ae.CreateAppArmorHostProfile(); err != nil {
-		ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
+	if err := kl.RunCommandAndWaitWithErr("aa-remove-unknown", []string{}); err != nil {
+		ae.Logger.Warnf("Unable to cleanup the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
 
-		if err := os.Remove(appArmorHostFile); err != nil {
-			ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
+		if err := ae.CreateAppArmorHostProfile(); err != nil {
+			ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
+
+			if err := os.Remove(appArmorHostFile); err != nil {
+				ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
+			}
+
+			return false
 		}
 
-		return false
-	}
+		if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "-C", appArmorHostFile}); err != nil {
+			ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
 
-	if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "-C", appArmorHostFile}); err != nil {
-		ae.Logger.Warnf("Unable to reset the KubeArmor host profile in %s", cfg.GlobalCfg.Host)
+			if err := os.Remove(appArmorHostFile); err != nil {
+				ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
+			}
+
+		}
 
 		if err := os.Remove(appArmorHostFile); err != nil {
 			ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
+			return false
 		}
-
-		return false
-	}
-
-	if err := os.Remove(appArmorHostFile); err != nil {
-		ae.Logger.Warnf("Unable to remove the KubeArmor host profile from %s (%s)", cfg.GlobalCfg.Host, err.Error())
-		return false
 	}
 
 	ae.Logger.Printf("Unregistered the KubeArmor host profile from %s", cfg.GlobalCfg.Host)