Enable runtime-default Apparmor Profile to Openstack-Utility Container.

This PS also adds Gate jobs to check docker default
apparmor for utility Containers.

Change-Id: I32fbf16291a4f4df06d0cc23c8235de0420a044a

charts/openstack-utility/templates/deployment-utility.yaml

@@ -67,6 +67,8 @@ spec:
         {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
       labels:
 {{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "openstack-utility" "containerNames" (list "openstack-utility") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "openstack" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
@@ -75,7 +77,7 @@ spec:
       nodeSelector:
         {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
       containers:
-        - name: {{ printf "%s" $envAll.Release.Name }}
+        - name: openstack-utility
 {{ tuple $envAll "openstack_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.openstack_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "openstack" "container" "openstack_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}

charts/openstack-utility/values.yaml

@@ -34,6 +34,10 @@ pod:
         openstack_utility:
           allowPrivilegeEscalation: true
           readOnlyRootFilesystem: false
+  mandatory_access_control:
+    type: apparmor
+    openstack-utility:
+      openstack-utility: runtime/default
   dns_policy: "ClusterFirstWithHostNet"
   replicas:
     utility: 1

tools/deployment/apparmor/000-install-packages.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -xe
+
+CURRENT_DIR="$(pwd)"
+: "${INSTALL_PATH:="../"}"
+: "${OSH_INFRA_COMMIT:="8ba46703ee9fab0115e4b7f62ea43e0798c36872"}"
+: "${CLONE_ARMADA:=true}"
+: "${CLONE_DECKHAND:=true}"
+: "${CLONE_SHIPYARD:=true}"
+
+cd ${INSTALL_PATH}
+
+# Clone Airship projects
+if [[ ${CLONE_ARMADA} = true ]] ; then
+    git clone https://opendev.org/airship/armada.git
+fi
+if [[ ${CLONE_DECKHAND} = true ]] ; then
+    git clone https://opendev.org/airship/deckhand.git
+fi
+if [[ ${CLONE_SHIPYARD} = true ]] ; then
+    git clone https://opendev.org/airship/shipyard.git
+fi
+
+# Clone dependencies
+git clone https://opendev.org/openstack/openstack-helm-infra.git
+
+cd openstack-helm-infra
+git checkout "${OSH_INFRA_COMMIT}"

tools/deployment/apparmor/001-setup-apparmor-profiles.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -xe
+CURRENT_DIR="$(pwd)"
+: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
+
+cd "${OSH_INFRA_PATH}"
+bash -c "./tools/deployment/common/001-setup-apparmor-profiles.sh"

tools/deployment/apparmor/002-deploy-k8s.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+CURRENT_DIR="$(pwd)"
+: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
+
+cd "${OSH_INFRA_PATH}"
+bash -c "./tools/deployment/common/005-deploy-k8s.sh"

tools/deployment/apparmor/050-openstack-utility.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+kubectl label nodes --all openstack-helm-node-class=primary --overwrite
+namespace="utility"
+
+cd /tmp
+git clone https://git.openstack.org/openstack/openstack-helm-infra.git || true
+cd openstack-helm-infra
+git reset --hard 200b5e902b3a176fbfbe669b6a10a254c9b50f5d
+make helm-toolkit
+
+cd /home/zuul/src/opendev.org/airship/porthole/charts/openstack-utility/
+mkdir charts
+cp -r /tmp/openstack-helm-infra/helm-toolkit-0.1.0.tgz /home/zuul/src/opendev.org/airship/porthole/charts/openstack-utility/charts
+cd /home/zuul/src/opendev.org/airship/porthole/charts
+
+kubectl get pods --all-namespaces
+sleep 120
+
+helm upgrade --install openstack-utility ./openstack-utility --namespace=$namespace \
+# NOTE: Validate Deployment and User.
+
+sleep 180
+kubectl get pods --namespace=$namespace | grep openstack-utility
+ouc_pod=$(kubectl get pods --namespace=$namespace --selector="application=openstack" --no-headers | awk '{ print $1; exit }')
+unsorted_process_file="/tmp/unsorted_proc_list"
+sorted_process_file="/tmp/proc_list"
+expected_profile="docker-default (enforce)"
+kubectl describe pod $ouc_pod -n utility
+
+#Below can be used for multiple Processes.Grab the processes (numbered directories) from the /proc directory,
+# and then sort them. Highest proc number indicates most recent process.
+#kubectl -n $namespace exec $ouc_pod -- ls -1 /proc | grep -e "^[0-9]*$" > $unsorted_process_file
+#sort --numeric-sort $unsorted_process_file > $sorted_process_file
+
+# The last/latest process in the list will actually be the "ls" command above,
+# which isn't running any more, so remove it.
+#sed -i '$ d' $sorted_process_file
+
+#while IFS='' read -r process || [[ -n "$process" ]]; do
+  #echo "Process ID: $process"
+  #proc_name=`kubectl -n $namespace exec $ouc_pod -- cat /proc/$process/status | grep "Name:" | awk -F' ' '{print $2}'`
+  #echo "Process Name: $proc_name"
+#  profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
+#  echo "Profile running: $profile"
+#  if test "$profile" != "$expected_profile"
+#  then
+#    if test "$proc_name" == "pause"
+#    then
+#      echo "Root process (pause) can run docker-default, it's ok."
+#    else
+#      echo "$profile is the WRONG PROFILE!!"
+#      return 1
+#    fi
+#  fi
+#done < $sorted_process_file
+
+profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+  if test "$profile" != "$expected_profile"
+  then
+    if test "$proc_name" == "pause"
+    then
+      echo "Root process (pause) can run docker-default, it's ok."
+    else
+      echo "$profile is the WRONG PROFILE!!"
+      return 1
+    fi
+  fi

tools/gate/playbooks/airship-porthole-gate-runner.yaml

@@ -0,0 +1,22 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: primary
+  tasks:
+    - name: Run gate scripts
+      include_role:
+        name: osh-run-script
+      vars:
+        gate_script_path: "{{ item }}"
+      with_items: "{{ gate_scripts }}"

tools/gate/playbooks/roles/osh-run-script/defaults/main.yaml

@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+osh_params:
+  openstack_release: newton
+  container_distro_name: ubuntu
+  container_distro_version: bionic
+  #feature_gates:

tools/gate/playbooks/roles/osh-run-script/tasks/main.yaml

@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "Run script {{ gate_script_path }}"
+  shell: |
+    set -xe;
+    {{ gate_script_path }}
+  args:
+    chdir: "{{ zuul.project.src_dir }}"
+  environment:
+    zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+    OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+    OSH_PATH: "{{ zuul_osh_relative_path | default('../openstack-helm/') }}"
+    OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('../openstack-helm-infra/') }}"
+    OPENSTACK_RELEASE: "{{ osh_params.openstack_release }}"
+    CONTAINER_DISTRO_NAME: "{{ osh_params.container_distro_name }}"
+    CONTAINER_DISTRO_VERSION: "{{ osh_params.container_distro_version }}"
+    FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"

zuul.d/base.yaml

@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
 
 - project:
     check:
@@ -23,6 +24,8 @@
         - airship-porthole-images-build-gate-mysqlclient-utility
         - airship-porthole-images-build-gate-openstack-utility
         - airship-porthole-images-build-gate-postgresql-utility
+        - airship-porthole-apparmor
+
     gate:
       jobs:
         - airship-porthole-linter
@@ -33,6 +36,7 @@
         - airship-porthole-images-build-gate-mysqlclient-utility
         - airship-porthole-images-build-gate-openstack-utility
         - airship-porthole-images-build-gate-postgresql-utility
+        - airship-porthole-apparmor
 
     post:
       jobs:
@@ -43,12 +47,12 @@
         - airship-porthole-images-publish-mysqlclient-utility
         - airship-porthole-images-publish-openstack-utility
         - airship-porthole-images-publish-postgresql-utility
-
+        - airship-porthole-apparmor
 - nodeset:
     name: airship-porthole-single-node
     nodes:
       - name: primary
-        label: ubuntu-xenial
+        label: ubuntu-bionic
 
 - job:
     name: airship-porthole-images
@@ -99,3 +103,16 @@
           JXcwlGoK6kvXmYaG2c7yEiH2xNtTzVTai10fsalubQWR4FTmJA5LU9+HatHBa46XLy4gS
           vMHs2uJudmxhqLIhs5Er248FVjfxw7le5dPun3ir4J7Mjgypu5y8eLCMZAFIwpeqlJrVU
           uih8ByaTlSEh6FBzle7Hb330RjSztC4pX6xiNAmtkpxhF2rEEFS66B/ixwCphQ=
+
+- job:
+    name: airship-porthole-apparmor
+    description: Checks Pods for Apparmor profile
+    timeout: 7200
+    run: tools/gate/playbooks/airship-porthole-gate-runner.yaml
+    nodeset: airship-porthole-single-node
+    vars:
+      gate_scripts:
+         - ./tools/deployment/apparmor/000-install-packages.sh
+         - ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+         - ./tools/deployment/apparmor/002-deploy-k8s.sh
+         - ./tools/deployment/apparmor/050-openstack-utility.sh