Add Application Armor to Ceph-Provisioners-key-generator

1) Added to service account name insted of traditional pod name. Change-Id: I1c7ba9081ccf396b037861b496110251f2248fd2 Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-07-23 00:29:07 +00:00 · 2020-07-23 00:29:07 +00:00 · 936397b36a
commit 936397b36a
parent 68940203db
2 changed files with 8 additions and 0 deletions
--- a/ceph-provisioners/templates/job-namespace-client-key.yaml
+++ b/ceph-provisioners/templates/job-namespace-client-key.yaml
@ -85,6 +85,8 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-provisioners/values_overrides/apparmor.yaml
+++ b/ceph-provisioners/values_overrides/apparmor.yaml
@ -14,4 +14,10 @@ pod:
    ceph-provisioner-test:
      init: runtime/default
      ceph-provisioner-helm-test: runtime/default
+    ceph-provisioners-ceph-ns-key-generator:
+      ceph-storage-keys-generator: runtime/default
+      init: runtime/default
+
+deployment:
+  client_secrets: true
 ...