Make access control annotations more generic.

This patch takes into consideration that there could be multiple
options for mandatory access control in a cluster. The previously
defined Helm toolkit function for generating a MAC annotation can
now be specified generically, like in this example:

  mandatory_access_control:
    type: apparmor
    glance-api:
      init: runtime/default
      glance-api: runtime/default
      glance-perms: runtime/default
      ceph-keyring-placement: runtime/default
    glance-registry:
      init: runtime/default
      glance-registry: runtime/default

If no MAC is required, then the "type" can be set to null,
and no annotation would be generated. The only MAC type supported
at the moment is "apparmor".

Change-Id: I6b45533d73af82e8fff353b0ed9f29f0891f24f1
This commit is contained in:
Cliff Parsons 2018-10-26 17:33:32 -05:00 committed by Tin Lam
parent 04c8f03532
commit 598faeb8db

View File

@ -21,7 +21,8 @@ abstract: |
annotation, but in the future could generate others. annotation, but in the future could generate others.
values: | values: |
pod: pod:
apparmor: mandatory_access_control:
type: apparmor
myPodName: myPodName:
myContainerName: localhost/myAppArmor myContainerName: localhost/myAppArmor
mySecondContainerName: localhost/secondProfile # optional mySecondContainerName: localhost/secondProfile # optional
@ -40,12 +41,22 @@ note: |
{{- $envAll := index . "envAll" -}} {{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}} {{- $podName := index . "podName" -}}
{{- $containerNames := index . "containerNames" -}} {{- $containerNames := index . "containerNames" -}}
{{- if hasKey (index $envAll.Values.pod "apparmor") $podName -}} {{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
{{- if $macType -}}
{{- if eq $macType "apparmor" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
{{- range $name := $containerNames -}} {{- range $name := $containerNames -}}
{{- $apparmorProfile := index $envAll.Values.pod.apparmor $podName $name -}} {{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
{{- if $apparmorProfile }} {{- if $apparmorProfile }}
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }} container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}