airship/maas
Code Issues Proposed changes

Enable Docker default AppArmor profile to maas

Browse Source 
This adds default Apparmor profile to maas.

Change-Id: I9c68fdb2be074c855085032dfe9ff0dbbeadcf7c
This commit is contained in:
KAVVA, JAGAN MOHAN REDDY (jk330k) 2020-03-17 07:36:44 -05:00 committed by diwakar thyagaraj
parent 5af724cff0
commit b2e100f6ce
11 changed files with 45 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/maas/templates/deployment-ingress-errors.yaml
View File

@ -37,6 +37,8 @@ spec:
metadata:
labels:
{{ $labels | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-ingress-errors" "containerNames" (list "maas-ingress-errors") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "ingress_errors" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}

1
charts/maas/templates/deployment-maas-ingress.yaml
View File

@ -164,6 +164,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-ingress" "containerNames" (list "init" "maas-ingress-vip-init" "maas-ingress-vip" "maas-ingress") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:

2
charts/maas/templates/job-bootstrap-admin-user.yaml
View File

@ -30,6 +30,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "maas" "bootstrap-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-bootstrap-admin-user" "containerNames" (list "init" "maas-bootstrap-admin-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure

2
charts/maas/templates/job-db-init.yaml
View File

@ -30,6 +30,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "maas" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-db-init" "containerNames" (list "init" "maas-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure

2
charts/maas/templates/job-db-sync.yaml
View File

@ -30,6 +30,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "maas" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-db-sync" "containerNames" (list "init" "maas-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure

2
charts/maas/templates/job-export-api-key.yaml
View File

@ -74,6 +74,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "maas" "export-api-key" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-export-api-key" "containerNames" (list "init" "exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure

2
charts/maas/templates/job-import.yaml
View File

@ -30,6 +30,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "maas" "import-resources" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-import-resources" "containerNames" (list "init" "region-import-resources") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure

2
charts/maas/templates/statefulset-maas-syslog.yaml
View File

@ -42,7 +42,7 @@ spec:
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-syslog" "containerNames" (list "syslog") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ dict "envAll" $envAll "podName" "maas-syslog" "containerNames" (list "init" "logrotate" "syslog") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
shareProcessNamespace: true

2
charts/maas/templates/statefulset-rack.yaml
View File

@ -48,7 +48,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "init" "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:

2
charts/maas/templates/statefulset-region.yaml
View File

@ -44,7 +44,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "init" "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:

32
charts/maas/values.yaml
View File

@ -288,11 +288,37 @@ pod:
mandatory_access_control:
type: apparmor
maas-rack:
maas-rack: localhost/docker-default
maas-rack: runtime/default
init: runtime/default
maas-region:
maas-region: localhost/docker-default
maas-region: runtime/default
init: runtime/default
maas-syslog:
syslog: localhost/docker-default
syslog: runtime/default
logrotate: runtime/default
init: runtime/default
maas-ingress:
maas-ingress-vip: runtime/default
maas-ingress: runtime/default
init: runtime/default
maas-ingress-vip-init: runtime/default
maas-ingress-errors:
maas-ingress-errors: runtime/default
maas-bootstrap-admin-user:
maas-bootstrap-admin-user: runtime/default
init: runtime/default
maas-db-init:
maas-db-init: runtime/default
init: runtime/default
maas-db-sync:
maas-db-sync: runtime/default
init: runtime/default
maas-export-api-key:
exporter: runtime/default
init: runtime/default
maas-import-resources:
region-import-resources: runtime/default
init: runtime/default
security_context:
maas-syslog:
pod: