From 5d504333629df97f20f6d2316d518153fa3dffde Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Wed, 1 Jul 2020 20:37:27 +0000
Subject: [PATCH] Enable Application Armor to all ceph key-generator pods.
1) Changed the pod name and container name to pick name dynamically for osd,mon,mgr and mds.
2) Added Init container for ceph-provisioners.
Change-Id: I3e27d51c055010cff982ddb0951d01ea8adac234
Signed-off-by: diwakar thyagaraj
---
 ceph-mon/templates/job-keyring.yaml | 2 ++
 ceph-mon/values_overrides/apparmor.yaml | 12 ++++++++++++
 .../templates/job-cephfs-client-key.yaml | 2 +-
 ceph-provisioners/values_overrides/apparmor.yaml | 1 +
 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ceph-mon/templates/job-keyring.yaml b/ceph-mon/templates/job-keyring.yaml
index 1dd0190ea..2b17ae94c 100644
--- a/ceph-mon/templates/job-keyring.yaml
+++ b/ceph-mon/templates/job-keyring.yaml
@@ -59,6 +59,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "ceph" $jobName | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $jobName "containerNames" (list $jobName "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "ceph" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-mon/values_overrides/apparmor.yaml b/ceph-mon/values_overrides/apparmor.yaml
index 4cdd5cdc6..250703bce 100644
--- a/ceph-mon/values_overrides/apparmor.yaml
+++ b/ceph-mon/values_overrides/apparmor.yaml
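Review bot: The annotation call added in ceph-mon/templates/job-keyring.yaml looks up the AppArmor profile by `$jobName`, which is defined outside this hunk, so nothing visible here guarantees that it renders to the `ceph-<daemon>-keyring-generator` keys added in ceph-mon/values_overrides/apparmor.yaml or to the container name actually used in the pod spec. If the helper skips names it finds no entry for (presumably it does, since charts without the override still render), a mismatch would leave the job without the intended profile annotation and without any render error. I would add a template comment above the call, `{{- /* podName and containerNames must equal the pod.mandatory_access_control keys and the container names in this pod spec */}}`, and a `helm template` check with the apparmor override that asserts a `container.apparmor.security.beta.kubernetes.io/<container>` annotation is present for both containers of each of the four jobs. The same name-matching concern applies to the hard-coded `"ceph-cephfs-client-key-generator"` / `"ceph-storage-keys-generator"` pair in ceph-provisioners/templates/job-cephfs-client-key.yaml.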
@@ -15,6 +15,18 @@ pod:
 ceph-storage-keys-generator:
 ceph-storage-keys-generator: runtime/default
 init: runtime/default
+ ceph-mon-keyring-generator:
+ ceph-mon-keyring-generator: runtime/default
+ init: runtime/default
+ ceph-mgr-keyring-generator:
+ init: runtime/default
+ ceph-mgr-keyring-generator: runtime/default
+ ceph-mds-keyring-generator:
+ init: runtime/default
+ ceph-mds-keyring-generator: runtime/default
+ ceph-osd-keyring-generator:
+ ceph-osd-keyring-generator: runtime/default
+ init: runtime/default
 bootstrap:
 enabled: true
 manifests:
diff --git a/ceph-provisioners/templates/job-cephfs-client-key.yaml b/ceph-provisioners/templates/job-cephfs-client-key.yaml
index 36ca2a505..a2ba6db27 100644
--- a/ceph-provisioners/templates/job-cephfs-client-key.yaml
+++ b/ceph-provisioners/templates/job-cephfs-client-key.yaml
@@ -88,7 +88,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
-{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-provisioners/values_overrides/apparmor.yaml b/ceph-provisioners/values_overrides/apparmor.yaml
index b8ce7cc95..0c3dee179 100644
--- a/ceph-provisioners/values_overrides/apparmor.yaml
+++ b/ceph-provisioners/values_overrides/apparmor.yaml
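Review bot: The four new `ceph-*-keyring-generator` maps in ceph-mon/values_overrides/apparmor.yaml list their two entries in different orders: mon and osd put the job container first and `init` second, while mgr and mds do the reverse. Key order should have no effect on the rendered annotations, but using one order throughout (container first, then `init`, as in the existing `ceph-storage-keys-generator` entry) makes a missing container entry easier to spot in review. A one-line comment above the block, `# keys must equal the podName/containerNames passed in templates/job-keyring.yaml`, would also record why these names cannot be renamed independently of the template.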
@@ -7,6 +7,7 @@ pod:
 init: runtime/default
 ceph-cephfs-client-key-generator:
 ceph-storage-keys-generator: runtime/default
+ init: runtime/default
 ceph-rbd-provisioner:
 ceph-rbd-provisioner: runtime/default
 init: runtime/default