From 641bb04d4ad16b21e209d4a4f80384d4ef14cd61 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Mon, 13 Jan 2020 13:03:17 -0600 Subject: [PATCH] Apparmor: Update to use the runtime default profile This moves from using the docker profile to the default runtime profile - which allows container engines other than docker to work out of the box. Change-Id: Ica5a48f8c43b90f07969b41e10dc472a772b5b43 Signed-off-by: Pete Birley --- calico/values.yaml | 2 +- elasticsearch/values.yaml | 6 +++--- tools/deployment/apparmor/020-ceph.sh | 2 +- tools/deployment/apparmor/040-memcached.sh | 2 +- tools/deployment/apparmor/050-prometheus-alertmanager.sh | 2 +- tools/deployment/apparmor/060-prometheus-node-exporter.sh | 2 +- .../apparmor/070-prometheus-openstack-exporter.sh | 2 +- .../deployment/apparmor/080-prometheus-process-exporter.sh | 2 +- tools/deployment/apparmor/090-elasticsearch.sh | 6 +++--- tools/deployment/apparmor/100-fluentbit.sh | 2 +- tools/deployment/apparmor/110-fluentd-daemonset.sh | 2 +- tools/deployment/apparmor/120-openvswitch.sh | 4 ++-- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/calico/values.yaml b/calico/values.yaml index 1e0519e54..e70151ff7 100644 --- a/calico/values.yaml +++ b/calico/values.yaml @@ -136,7 +136,7 @@ pod: mandatory_access_control: type: apparmor calico-node: - calico-node: localhost/docker-default + calico-node: runtime/default dependencies: dynamic: diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index b96b01205..03b6e4918 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml 
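Review bot: The new default `calico-node: runtime/default` in calico/values.yaml has no comment saying that the enforced profile is now whichever one the node's container runtime ships as its default. Its contents can therefore differ between runtimes and are no longer tied to a profile name an operator can look up on the host. I would add above the value `# runtime/default: AppArmor profile chosen by the container runtime; use localhost/<profile-name> to pin a profile loaded on the node`. The same comment fits the three `elasticsearch-*` entries changed in elasticsearch/values.yaml. The `pod:` mapping starts and continues outside this hunk.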
@@ -139,11 +139,11 @@ pod: mandatory_access_control: type: apparmor elasticsearch-master: - elasticsearch-master: localhost/docker-default + elasticsearch-master: runtime/default elasticsearch-data: - elasticsearch-data: localhost/docker-default + elasticsearch-data: runtime/default elasticsearch-client: - elasticsearch-client: localhost/docker-default + elasticsearch-client: runtime/default security_context: exporter: pod: diff --git a/tools/deployment/apparmor/020-ceph.sh b/tools/deployment/apparmor/020-ceph.sh index 0010f3953..0d38e30ee 100755 --- a/tools/deployment/apparmor/020-ceph.sh +++ b/tools/deployment/apparmor/020-ceph.sh @@ -194,7 +194,7 @@ pod: mandatory_access_control: type: apparmor ceph-osd-default: - ceph-osd-default: localhost/docker-default + ceph-osd-default: runtime/default EOF for CHART in ceph-mon ceph-client ceph-provisioners; do diff --git a/tools/deployment/apparmor/040-memcached.sh b/tools/deployment/apparmor/040-memcached.sh index b9c1cc89c..d7f474eb9 100755 --- a/tools/deployment/apparmor/040-memcached.sh +++ b/tools/deployment/apparmor/040-memcached.sh @@ -30,7 +30,7 @@ pod: mandatory_access_control: type: apparmor memcached: - memcached: localhost/docker-default + memcached: runtime/default EOF # NOTE: Deploy command diff --git a/tools/deployment/apparmor/050-prometheus-alertmanager.sh b/tools/deployment/apparmor/050-prometheus-alertmanager.sh index 7a90edd5b..62f6a9002 100755 --- a/tools/deployment/apparmor/050-prometheus-alertmanager.sh +++ b/tools/deployment/apparmor/050-prometheus-alertmanager.sh @@ -25,7 +25,7 @@ pod: mandatory_access_control: type: apparmor alertmanager: - alertmanager: localhost/docker-default + alertmanager: runtime/default storage: enabled: false EOF diff --git a/tools/deployment/apparmor/060-prometheus-node-exporter.sh b/tools/deployment/apparmor/060-prometheus-node-exporter.sh index b7b6ab4bf..2dadeef71 100755 --- a/tools/deployment/apparmor/060-prometheus-node-exporter.sh 
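Review bot: Nothing visible in the 020-ceph.sh hunk checks that the ceph-osd container is actually confined once the override becomes `ceph-osd-default: runtime/default`. The profile name reported inside the container will now vary by runtime, so any assertion that matches a fixed name such as `docker-default` would stop being portable. The rest of the script is outside the hunk; if it has no such assertion, a gate that fails only on `unconfined` would cover it, for example checking the output of `kubectl exec -n <namespace> <pod> -- cat /proc/1/attr/current`. The same applies to the other overrides under tools/deployment/apparmor/ changed by this commit (040 through 120).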
+++ b/tools/deployment/apparmor/060-prometheus-node-exporter.sh @@ -25,7 +25,7 @@ pod: mandatory_access_control: type: apparmor node-exporter: - node-exporter: localhost/docker-default + node-exporter: runtime/default EOF helm upgrade --install prometheus-node-exporter ./prometheus-node-exporter \ --namespace=kube-system \ diff --git a/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh b/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh index c708780cf..331a5d9eb 100755 --- a/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh +++ b/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh @@ -32,7 +32,7 @@ pod: mandatory_access_control: type: apparmor prometheus-openstack-exporter: - openstack-metrics-exporter: localhost/docker-default + openstack-metrics-exporter: runtime/default EOF helm upgrade --install prometheus-openstack-exporter ./prometheus-openstack-exporter \ --namespace=openstack \ diff --git a/tools/deployment/apparmor/080-prometheus-process-exporter.sh b/tools/deployment/apparmor/080-prometheus-process-exporter.sh index 939930ba9..24c0cb665 100755 --- a/tools/deployment/apparmor/080-prometheus-process-exporter.sh +++ b/tools/deployment/apparmor/080-prometheus-process-exporter.sh @@ -25,7 +25,7 @@ pod: mandatory_access_control: type: apparmor process-exporter: - process-exporter: localhost/docker-default + process-exporter: runtime/default EOF helm upgrade --install prometheus-process-exporter ./prometheus-process-exporter \ --namespace=kube-system \ diff --git a/tools/deployment/apparmor/090-elasticsearch.sh b/tools/deployment/apparmor/090-elasticsearch.sh index 16e7fbd19..83b313526 100755 --- a/tools/deployment/apparmor/090-elasticsearch.sh +++ b/tools/deployment/apparmor/090-elasticsearch.sh 
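Review bot: In the 070-prometheus-openstack-exporter.sh override the inner key `openstack-metrics-exporter` differs from the outer key `prometheus-openstack-exporter`, and nothing explains why. Every other override in this commit repeats the same name at both levels. Presumably the outer key selects the pod and the inner key must equal the container name, so a mismatch with the chart would leave the profile unapplied; the template is not visible here, so this needs confirming. A one-line comment inside the heredoc such as `# inner key = container name in the pod spec` would stop a later edit from "normalising" it.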
@@ -31,11 +31,11 @@ pod: mandatory_access_control: type: apparmor elasticsearch-master: - elasticsearch-master: localhost/docker-default + elasticsearch-master: runtime/default elasticsearch-data: - elasticsearch-data: localhost/docker-default + elasticsearch-data: runtime/default elasticsearch-client: - elasticsearch-client: localhost/docker-default + elasticsearch-client: runtime/default replicas: data: 1 master: 2 diff --git a/tools/deployment/apparmor/100-fluentbit.sh b/tools/deployment/apparmor/100-fluentbit.sh index bea993f36..cacdb8aa6 100755 --- a/tools/deployment/apparmor/100-fluentbit.sh +++ b/tools/deployment/apparmor/100-fluentbit.sh @@ -23,7 +23,7 @@ pod: mandatory_access_control: type: apparmor fluentbit: - fluentbit: localhost/docker-default + fluentbit: runtime/default EOF #NOTE: Deploy command diff --git a/tools/deployment/apparmor/110-fluentd-daemonset.sh b/tools/deployment/apparmor/110-fluentd-daemonset.sh index 27f38afbc..2e870af96 100755 --- a/tools/deployment/apparmor/110-fluentd-daemonset.sh +++ b/tools/deployment/apparmor/110-fluentd-daemonset.sh @@ -29,7 +29,7 @@ pod: mandatory_access_control: type: apparmor fluentd: - fluentd: localhost/docker-default + fluentd: runtime/default conf: fluentd: template: | diff --git a/tools/deployment/apparmor/120-openvswitch.sh b/tools/deployment/apparmor/120-openvswitch.sh index 5f3dc9214..9de11078e 100755 --- a/tools/deployment/apparmor/120-openvswitch.sh +++ b/tools/deployment/apparmor/120-openvswitch.sh @@ -25,9 +25,9 @@ pod: mandatory_access_control: type: apparmor openvswitch-vswitchd: - openvswitch-vswitchd: localhost/docker-default + openvswitch-vswitchd: runtime/default openvswitch-db: - openvswitch-db: localhost/docker-default + openvswitch-db: runtime/default EOF #NOTE: Deploy command
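Review bot: The three `elasticsearch-*: runtime/default` overrides in 090-elasticsearch.sh are identical to the chart defaults this same commit sets in elasticsearch/values.yaml, so the two copies can drift apart. The gate also does not show that a non-default value would be honoured. Either drop the entries from the override or mark them as deliberate, e.g. `# repeated from chart defaults so the gate does not depend on them`. The heredoc starts outside the hunk.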