Enable Apparmor for ElasticSearch

Change-Id: Ie7dc4399be4f0a62576e336c1de02810eeb09212
dt241s@att.com 2020-03-05 22:01:03 +00:00 committed by diwakar thyagaraj
parent d59b6e5944
commit 1871b830af
6 changed files with 58 additions and 11 deletions


@ -34,6 +34,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "elasticsearch" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "elastic-cluster-wait" "containerNames" (list "elasticsearch-cluster-wait" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
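Review bot: The `podName` value `elastic-cluster-wait` on the added annotation line is the only pod key in this commit that drops the `elasticsearch-` prefix, and it has to match the key under `pod.mandatory_access_control` exactly for a profile to be found. The override values added in this commit use the same spelling, so the lookup lines up today, but a later rename on one side would presumably leave the job without an AppArmor annotation and without a render error (the helper is not shown on this page). Consider `"podName" "elasticsearch-cluster-wait"` with the values key renamed to match, or add a template comment such as `{{/* podName and containerNames must match the keys under pod.mandatory_access_control */}}`. The containers named `elasticsearch-cluster-wait` and `init` are defined outside this hunk, so confirm both names against the pod spec; the same check applies to the snapshot-repository and exporter templates changed below.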


@ -35,6 +35,8 @@ spec:
metadata:
labels:
{{ tuple $envAll "elasticsearch" "snapshot-repository" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "elasticsearch-register-snapshot-repository" "containerNames" (list "register-snapshot-repository" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "snapshot_repository" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}


@ -40,6 +40,7 @@ spec:
{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "prometheus-elasticsearch-exporter" "containerNames" (list "elasticsearch-exporter" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}


@ -136,14 +136,6 @@ pod:
client: null
data: null
master: null
mandatory_access_control:
type: apparmor
elasticsearch-master:
elasticsearch-master: runtime/default
elasticsearch-data:
elasticsearch-data: runtime/default
elasticsearch-client:
elasticsearch-client: runtime/default
security_context:
exporter:
pod:


@ -0,0 +1,22 @@
pod:
env:
client: null
data: null
master: null
mandatory_access_control:
type: apparmor
elastic-cluster-wait:
elasticsearch-cluster-wait: runtime/default
init: runtime/default
elasticsearch-register-snapshot-repository:
register-snapshot-repository: runtime/default
init: runtime/default
elasticsearch-master:
elasticsearch-master: runtime/default
elasticsearch-data:
elasticsearch-data: runtime/default
elasticsearch-client:
elasticsearch-client: runtime/default
prometheus-elasticsearch-exporter:
elasticsearch-exporter: runtime/default
init: runtime/default
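Review bot: Every AppArmor profile for this chart now lives only in this new override file, because the same commit deletes the `elasticsearch-master`, `elasticsearch-data` and `elasticsearch-client` entries from the chart's default values. An install that does not layer this file in would therefore get no profile annotation on any Elasticsearch pod. If opt-in is the intent, state it at the top of the file, e.g. `# AppArmor profiles; applied only when this override is passed to helm. Keys must match podName/containerNames in the templates.` It is also worth confirming that the templates still render when `pod.mandatory_access_control` is absent, since the helper's handling of a missing key is not visible here. The `env` block setting `client`, `data` and `master` to `null` looks copied from the default values and is unrelated to AppArmor; dropping it would keep this override from resetting env values supplied by another values file.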


@ -258,7 +258,7 @@
- job:
name: openstack-helm-infra-apparmor
parent: openstack-helm-infra-functional
timeout: 7200
timeout: 9600
pre-run: playbooks/osh-infra-upgrade-host.yaml
run: playbooks/osh-infra-gate-runner.yaml
post-run: playbooks/osh-infra-collect-logs.yaml
@ -285,10 +285,38 @@
- ./tools/deployment/apparmor/080-grafana.sh
- ./tools/deployment/apparmor/085-rabbitmq.sh
- ./tools/deployment/apparmor/095-nagios.sh
- ./tools/deployment/apparmor/100-fluentbit.sh
- ./tools/deployment/apparmor/110-fluentd-daemonset.sh
- ./tools/deployment/apparmor/120-openvswitch.sh
- ./tools/deployment/apparmor/130-postgresql.sh
- job:
name: openstack-helm-infra-aio-logging-apparmor
parent: openstack-helm-infra-functional
timeout: 7200
pre-run:
- playbooks/osh-infra-upgrade-host.yaml
- playbooks/osh-infra-deploy-selenium.yaml
run: playbooks/osh-infra-gate-runner.yaml
post-run: playbooks/osh-infra-collect-logs.yaml
nodeset: openstack-helm-single-node
vars:
osh_params:
container_distro_name: ubuntu
container_distro_version: bionic
feature_gates: apparmor
gate_scripts:
- ./tools/deployment/osh-infra-logging/000-install-packages.sh
- ./tools/deployment/osh-infra-logging/005-deploy-k8s.sh
- ./tools/deployment/osh-infra-logging/010-ingress.sh
- ./tools/deployment/osh-infra-logging/020-ceph.sh
- ./tools/deployment/osh-infra-logging/025-ceph-ns-activate.sh
- ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
- ./tools/deployment/osh-infra-logging/040-ldap.sh
- ./tools/deployment/osh-infra-logging/050-elasticsearch.sh
- ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh
- ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh
- ./tools/deployment/osh-infra-logging/070-kibana.sh
- ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true
- job:
name: openstack-helm-infra-aio-logging-apparmor