diff --git a/openvswitch/templates/daemonset-ovs-db.yaml b/openvswitch/templates/daemonset-ovs-db.yaml index fed7b4413..780e8c87a 100644 --- a/openvswitch/templates/daemonset-ovs-db.yaml +++ b/openvswitch/templates/daemonset-ovs-db.yaml @@ -54,7 +54,7 @@ spec: annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "openvswitch-db" "containerNames" (list "openvswitch-db") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "openvswitch-db" "containerNames" (list "openvswitch-db" "openvswitch-db-perms") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: shareProcessNamespace: true serviceAccountName: {{ $serviceAccountName }} diff --git a/openvswitch/templates/daemonset-ovs-vswitchd.yaml b/openvswitch/templates/daemonset-ovs-vswitchd.yaml index e47f1b152..8510b02e1 100644 --- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml +++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml @@ -62,7 +62,7 @@ spec: annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd" "openvswitch-vswitchd-modules") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: shareProcessNamespace: true serviceAccountName: {{ $serviceAccountName }} diff --git a/openvswitch/values_overrides/apparmor.yaml b/openvswitch/values_overrides/apparmor.yaml new file mode 100644 index 000000000..193d29aa5 --- /dev/null +++ b/openvswitch/values_overrides/apparmor.yaml @@ -0,0 +1,10 @@ +#NOTE: Enable this with the correct policy +pod: + mandatory_access_control: + type: apparmor + openvswitch-vswitchd: + openvswitch-vswitchd: runtime/default + openvswitch-vswitchd-modules: runtime/default + openvswitch-db: + openvswitch-db: runtime/default + openvswitch-db-perms: runtime/default \ No newline at end of file diff --git a/tools/deployment/apparmor/120-openvswitch.sh b/tools/deployment/apparmor/120-openvswitch.sh deleted file mode 100755 index 9de11078e..000000000 --- a/tools/deployment/apparmor/120-openvswitch.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -# Copyright 2019 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make openvswitch - -#NOTE: Deploy command -tee /tmp/openvswitch.yaml <