From 936397b36a6a21b76007d28ec18cc6bd1457a724 Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Thu, 23 Jul 2020 00:29:07 +0000
Subject: [PATCH] Add Application Armor to Ceph-Provisioners-key-generator

1) Added to service account name insted of traditional pod name.

Change-Id: I1c7ba9081ccf396b037861b496110251f2248fd2
Signed-off-by: diwakar thyagaraj
---
 ceph-provisioners/templates/job-namespace-client-key.yaml | 2 ++
 ceph-provisioners/values_overrides/apparmor.yaml | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/ceph-provisioners/templates/job-namespace-client-key.yaml b/ceph-provisioners/templates/job-namespace-client-key.yaml
index f187630e3..18d6380e9 100644
--- a/ceph-provisioners/templates/job-namespace-client-key.yaml
+++ b/ceph-provisioners/templates/job-namespace-client-key.yaml
@@ -85,6 +85,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-provisioners/values_overrides/apparmor.yaml b/ceph-provisioners/values_overrides/apparmor.yaml
index 0c3dee179..e13a067ac 100644
--- a/ceph-provisioners/values_overrides/apparmor.yaml
+++ b/ceph-provisioners/values_overrides/apparmor.yaml
@@ -14,4 +14,10 @@ pod:
 ceph-provisioner-test:
 init: runtime/default
 ceph-provisioner-helm-test: runtime/default
+ ceph-provisioners-ceph-ns-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+
+deployment:
+ client_secrets: true
 ...
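Review bot: In templates/job-namespace-client-key.yaml the new annotation is looked up under `"podName" $serviceAccountName`, while the matching entry added in values_overrides/apparmor.yaml is the literal key `ceph-provisioners-ceph-ns-key-generator`. `$serviceAccountName` is defined outside this hunk; if it is built from the release name, as the literal key suggests, installing the chart under any other release name would leave the lookup empty and the job pod would render with no AppArmor annotation and no error, so the control fails open. I would key the lookup on a release-independent name, e.g. `"podName" "ceph-ns-key-generator"` with the override key renamed to match, or at least add a template comment stating that the override key must equal the rendered service account name. The container names in `(list "ceph-storage-keys-generator" "init")` also have to match the job's container names, which sit outside the hunk. It is worth confirming in the rendered manifest that both containers get an annotation.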
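Review bot: The `deployment.client_secrets: true` entry added at the end of values_overrides/apparmor.yaml has no comment explaining why an AppArmor override flips a deployment toggle. It presumably turns on rendering of the namespace key-generator job so that the new profile entries are exercised, but nothing visible here says so. Anyone layering this override onto another values set would also switch on client-secret provisioning as a side effect. I would add `# Enables the namespace client-key job so its AppArmor annotations are rendered and tested.` above the `deployment:` key, or move the toggle into the gate's own override if the side effect is not intended.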