Make access control annotations more generic.
This patch takes into consideration that there could be multiple options for mandatory access control in a cluster. The previously defined Helm toolkit function for generating a MAC annotation can now be specified generically, like in this example: mandatory_access_control: type: apparmor glance-api: init: runtime/default glance-api: runtime/default glance-perms: runtime/default ceph-keyring-placement: runtime/default glance-registry: init: runtime/default glance-registry: runtime/default If no MAC is required, then the "type" can be set to null, and no annotation would be generated. The only MAC type supported at the moment is "apparmor". Change-Id: I6b45533d73af82e8fff353b0ed9f29f0891f24f1
This commit is contained in:
parent
04c8f03532
commit
598faeb8db
@ -21,7 +21,8 @@ abstract: |
|
|||||||
annotation, but in the future could generate others.
|
annotation, but in the future could generate others.
|
||||||
values: |
|
values: |
|
||||||
pod:
|
pod:
|
||||||
apparmor:
|
mandatory_access_control:
|
||||||
|
type: apparmor
|
||||||
myPodName:
|
myPodName:
|
||||||
myContainerName: localhost/myAppArmor
|
myContainerName: localhost/myAppArmor
|
||||||
mySecondContainerName: localhost/secondProfile # optional
|
mySecondContainerName: localhost/secondProfile # optional
|
||||||
@ -40,12 +41,22 @@ note: |
|
|||||||
{{- $envAll := index . "envAll" -}}
|
{{- $envAll := index . "envAll" -}}
|
||||||
{{- $podName := index . "podName" -}}
|
{{- $podName := index . "podName" -}}
|
||||||
{{- $containerNames := index . "containerNames" -}}
|
{{- $containerNames := index . "containerNames" -}}
|
||||||
{{- if hasKey (index $envAll.Values.pod "apparmor") $podName -}}
|
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
|
||||||
|
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
|
||||||
|
{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
|
||||||
|
{{- if $macType -}}
|
||||||
|
{{- if eq $macType "apparmor" -}}
|
||||||
|
{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
|
||||||
{{- range $name := $containerNames -}}
|
{{- range $name := $containerNames -}}
|
||||||
{{- $apparmorProfile := index $envAll.Values.pod.apparmor $podName $name -}}
|
{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
|
||||||
{{- if $apparmorProfile }}
|
{{- if $apparmorProfile }}
|
||||||
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
|
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
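Review bot: A non-null `type` that is not "apparmor" (a typo such as `AppArmor`, or a not-yet-supported value like `selinux`) passes the `{{- if $macType -}}` guard in the second hunk and then drops out of `{{- if eq $macType "apparmor" -}}` without emitting anything, so the pod renders and runs unconfined with no error at all. Since the commit message states apparmor is the only supported type, an unknown type should abort rendering rather than silently skip the annotation: add `{{- else -}}` followed by `{{- fail (printf "Unsupported mandatory_access_control type: %s" $macType) -}}` before the `{{- end -}}` that closes the `eq` check, leaving the null/absent case as the documented way to opt out. A container absent from the per-pod map is still skipped quietly by `{{- if $apparmorProfile }}`, which matches the previous behaviour. The `define` header of this snippet lies above the hunk.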