Enable Apparmor for ElasticSearch
Change-Id: Ie7dc4399be4f0a62576e336c1de02810eeb09212
parent
d59b6e5944
commit
1871b830af
@ -34,6 +34,8 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll "elasticsearch" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
{{ dict "envAll" $envAll "podName" "elastic-cluster-wait" "containerNames" (list "elasticsearch-cluster-wait" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
|
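Review bot: The `podName` passed to the mandatory-access-control snippet in this hunk is `elastic-cluster-wait`, while the other two templates in this commit use fully prefixed names (`elasticsearch-register-snapshot-repository`, `prometheus-elasticsearch-exporter`). That string appears to be the lookup key under `pod.mandatory_access_control`, since the override file added in this commit uses the same spelling. An operator who writes their own override under `elasticsearch-cluster-wait` would presumably get a pod with no AppArmor annotation and no render error, though the snippet's behaviour is not visible on this page. Either align the name or add a template comment above the include, e.g. `{{/* podName and containerNames are the keys read from .Values.pod.mandatory_access_control; keep them in sync with values_overrides/apparmor.yaml */}}`. The same comment would help on the snapshot-repository and exporter hunks.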
@ -35,6 +35,8 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll "elasticsearch" "snapshot-repository" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
{{ dict "envAll" $envAll "podName" "elasticsearch-register-snapshot-repository" "containerNames" (list "register-snapshot-repository" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "snapshot_repository" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
|
@ -40,6 +40,7 @@ spec:
|
||||
{{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "prometheus-elasticsearch-exporter" "containerNames" (list "elasticsearch-exporter" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
|
@ -136,14 +136,6 @@ pod:
|
||||
client: null
|
||||
data: null
|
||||
master: null
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
elasticsearch-master:
|
||||
elasticsearch-master: runtime/default
|
||||
elasticsearch-data:
|
||||
elasticsearch-data: runtime/default
|
||||
elasticsearch-client:
|
||||
elasticsearch-client: runtime/default
|
||||
security_context:
|
||||
exporter:
|
||||
pod:
|
||||
|
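--- a/elasticsearch/values_overrides/apparmor.yaml
+++ b/elasticsearch/values_overrides/apparmor.yaml
@@ -0,0 +1,22 @@
+pod:
+env:
+client: null
+data: null
+master: null
+mandatory_access_control:
+type: apparmor
+elastic-cluster-wait:
+elasticsearch-cluster-wait: runtime/default
+init: runtime/default
+elasticsearch-register-snapshot-repository:
+register-snapshot-repository: runtime/default
+init: runtime/default
+elasticsearch-master:
+elasticsearch-master: runtime/default
+elasticsearch-data:
+elasticsearch-data: runtime/default
+elasticsearch-client:
+elasticsearch-client: runtime/default
+prometheus-elasticsearch-exporter:
+elasticsearch-exporter: runtime/default
+init: runtime/default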
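Review bot: This override is now the only place where profiles for `elasticsearch-master`, `elasticsearch-data` and `elasticsearch-client` are set, because the same commit removes the `mandatory_access_control` block from the chart's default values. A deployment that does not pass this file presumably renders those pods without an AppArmor annotation and falls back to whatever the container runtime applies on its own. If opt-in is the intent, say so in a header comment, e.g. `# AppArmor is opt-in: the chart defaults set no mandatory_access_control; apply this override to annotate the pods.` The `env` entries (`client: null`, `data: null`, `master: null`) repeat the defaults shown as context in the values hunk and look unrelated to AppArmor, so dropping them would keep the override limited to MAC settings.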
@ -258,7 +258,7 @@
|
||||
- job:
|
||||
name: openstack-helm-infra-apparmor
|
||||
parent: openstack-helm-infra-functional
|
||||
timeout: 7200
|
||||
timeout: 9600
|
||||
pre-run: playbooks/osh-infra-upgrade-host.yaml
|
||||
run: playbooks/osh-infra-gate-runner.yaml
|
||||
post-run: playbooks/osh-infra-collect-logs.yaml
|
||||
@ -285,10 +285,38 @@
|
||||
- ./tools/deployment/apparmor/080-grafana.sh
|
||||
- ./tools/deployment/apparmor/085-rabbitmq.sh
|
||||
- ./tools/deployment/apparmor/095-nagios.sh
|
||||
- ./tools/deployment/apparmor/100-fluentbit.sh
|
||||
- ./tools/deployment/apparmor/110-fluentd-daemonset.sh
|
||||
- ./tools/deployment/apparmor/120-openvswitch.sh
|
||||
- ./tools/deployment/apparmor/130-postgresql.sh
|
||||
- job:
|
||||
name: openstack-helm-infra-aio-logging-apparmor
|
||||
parent: openstack-helm-infra-functional
|
||||
timeout: 7200
|
||||
pre-run:
|
||||
- playbooks/osh-infra-upgrade-host.yaml
|
||||
- playbooks/osh-infra-deploy-selenium.yaml
|
||||
run: playbooks/osh-infra-gate-runner.yaml
|
||||
post-run: playbooks/osh-infra-collect-logs.yaml
|
||||
nodeset: openstack-helm-single-node
|
||||
vars:
|
||||
osh_params:
|
||||
container_distro_name: ubuntu
|
||||
container_distro_version: bionic
|
||||
feature_gates: apparmor
|
||||
gate_scripts:
|
||||
- ./tools/deployment/osh-infra-logging/000-install-packages.sh
|
||||
- ./tools/deployment/osh-infra-logging/005-deploy-k8s.sh
|
||||
- ./tools/deployment/osh-infra-logging/010-ingress.sh
|
||||
- ./tools/deployment/osh-infra-logging/020-ceph.sh
|
||||
- ./tools/deployment/osh-infra-logging/025-ceph-ns-activate.sh
|
||||
- ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
|
||||
- ./tools/deployment/osh-infra-logging/040-ldap.sh
|
||||
- ./tools/deployment/osh-infra-logging/050-elasticsearch.sh
|
||||
- ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh
|
||||
- ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh
|
||||
- ./tools/deployment/osh-infra-logging/070-kibana.sh
|
||||
- ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true
|
||||
|
||||
|
||||
|
||||
- job:
|
||||
name: openstack-helm-infra-aio-logging-apparmor
|
||||
|
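Review bot: The last gate script in the new `openstack-helm-infra-aio-logging-apparmor` job is `600-kibana-selenium.sh || true`, so a failure of that step can never fail the job. Nothing else visible in `gate_scripts` checks that the pods came up with an AppArmor profile attached. As written, the job shows that the chart deploys with `feature_gates: apparmor`, not that confinement is in effect. Consider a verification step after `050-elasticsearch.sh` that inspects the pod annotations (placeholder name: `./tools/deployment/osh-infra-logging/<verify-apparmor>.sh`), and either drop the `|| true` or add a comment explaining why the selenium result is ignored. The trailing context also shows a second `- job:` with the same name; if that is an existing definition rather than a rendering artefact, the two should be reconciled.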