Merge "Enable runtime-default Apparmor Profile to Postgresql Utility Container."

2019-12-13 21:03:49 +00:00 · 2019-12-13 21:03:49 +00:00 · d6b23767ba
commit d6b23767ba
parent 72394708c9 0e87826b63
4 changed files with 68 additions and 2 deletions
--- a/charts/postgresql-utility/templates/deployment-utility.yaml
+++ b/charts/postgresql-utility/templates/deployment-utility.yaml
@ -1,3 +1,18 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
 {{- if and .Values.manifests.deployment_utility ( and .Values.deployment.postgresql .Values.conf.features.utility) }}
 {{- $envAll := . }}

@ -51,6 +66,8 @@ spec:
      name: {{ printf "%s" $envAll.Release.Name }}
      labels:
 {{ tuple $envAll "postgresql" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "postgresql-utility" "containerNames" (list "postgresql-utility") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "postgresql" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
@ -59,7 +76,7 @@ spec:
      nodeSelector:
        {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
      containers:
-        - name: {{ printf "%s" $envAll.Release.Name }}
+        - name: postgresql-utility
 {{ tuple $envAll "postgresql_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.postgresql_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "postgresql" "container" "postgresql_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
--- a/charts/postgresql-utility/values.yaml
+++ b/charts/postgresql-utility/values.yaml
@ -56,6 +56,10 @@ pod:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
+  mandatory_access_control:
+    type: apparmor
+    postgresql-utility:
+      postgresql-utility: runtime/default
  resources:
    enabled: false
    utility:
@ -165,7 +169,6 @@ endpoints:
    port:
      registry:
        node: 5000
-
 monitoring:
  prometheus:
    enabled: true
--- a/tools/deployment/apparmor/060-postgresql-utility.sh
+++ b/tools/deployment/apparmor/060-postgresql-utility.sh
@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright 2019 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+namespace="utility"
+CURRENT_DIR="$(pwd)"
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+
+mkdir charts/postgresql-utility/charts
+cp -r ${OSH_INFRA_PATH}/helm-toolkit-0.1.0.tgz  ${CURRENT_DIR}/charts/postgresql-utility/charts
+cd "${CURRENT_DIR}"/charts
+sleep 60
+
+kubectl label nodes --all openstack-helm-node-class=primary --overwrite
+helm upgrade --install postgresql-utility ./postgresql-utility --namespace=$namespace
+sleep 180
+kubectl get pods --namespace=$namespace
+
+pos_pod=$(kubectl get pods --namespace=$namespace  -o wide | grep postgresql | awk '{print $1}')
+expected_profile="docker-default (enforce)"
+profile=`kubectl -n $namespace exec $pos_pod -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+  if test "$profile" != "$expected_profile"
+  then
+    if test "$proc_name" == "pause"
+    then
+      echo "Root process (pause) can run docker-default, it's ok."
+    else
+      echo "$profile is the WRONG PROFILE!!"
+      return 1
+    fi
+  fi
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@ -123,3 +123,4 @@
         - ./tools/deployment/apparmor/030-etcdctl-utility.sh
         - ./tools/deployment/apparmor/040-mysqlclient-utility.sh
         - ./tools/deployment/apparmor/050-openstack-utility.sh
+         - ./tools/deployment/apparmor/060-postgresql-utility.sh