Adding AppArmor profile to Calico v3

- Adds AppArmor profile to the privileged pod
  using kubernetes_manadatory_access_control_annotation.
- Added apparmor install to the gate jobs.

Change-Id: I8b53e0b8ddc2695fa278481edf5688efa23ab06b
This commit is contained in:
Aaron Sheffield 2018-11-01 11:32:04 -05:00 committed by Pete Birley
parent da99ce9a07
commit 8b201ea0eb
4 changed files with 54 additions and 0 deletions

View File

@ -108,6 +108,7 @@ spec:
# priority scheduling and that its resources are reserved # priority scheduling and that its resources are reserved
# if it ever gets evicted. # if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{- if .Values.monitoring.prometheus.enabled }} {{- if .Values.monitoring.prometheus.enabled }}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}

View File

@ -100,6 +100,10 @@ pod:
disruption_budget: disruption_budget:
controllers: controllers:
min_available: 0 min_available: 0
mandatory_access_control:
type: apparmor
calico-node:
calico-node: localhost/docker-default
dependencies: dependencies:
dynamic: dynamic:

View File

@ -39,3 +39,15 @@
- upgrade-host - upgrade-host
- start-zuul-console - start-zuul-console
- disable-local-nameserver - disable-local-nameserver
- hosts: all
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
gather_facts: False
become: yes
roles:
- deploy-apparmor
tags:
- deploy-apparmor

View File

@ -0,0 +1,37 @@
# Copyright 2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- block:
- name: ensuring AppArmor is deployed on host
when: ansible_distribution == 'Ubuntu'
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- apparmor
- name: "Enable AppArmor"
when: ansible_distribution == 'Ubuntu'
become: true
become_user: root
shell: |-
set -xe
systemctl enable apparmor
systemctl start apparmor
systemctl status apparmor.service
args:
executable: /bin/bash
ignore_errors: True