openstack/openstack-helm-infra
Code Issues Proposed changes

Merge "Enable runtime Apparmor default for All Ceph Components"

Browse Source
This commit is contained in:
Zuul 2020-02-24 19:00:27 +00:00 committed by Gerrit Code Review
commit e54f5f778f
16 changed files with 69 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ceph-client/templates/deployment-checkdns.yaml
View File

@ -68,6 +68,7 @@ spec:
{{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-checkdns" "containerNames" (list "ceph-checkdns" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

2
ceph-client/templates/deployment-mds.yaml
View File

@ -43,7 +43,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

2
ceph-client/templates/deployment-mgr.yaml
View File

@ -43,7 +43,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

2
ceph-client/templates/job-rbd-pool.yaml
View File

@ -32,6 +32,8 @@ spec:
name: ceph-rbd-pool name: ceph-rbd-pool
labels: labels:
{{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "ceph-rbd-pool" "containerNames" (list "ceph-rbd-pool" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

16
ceph-client/values_overrides/apparmor.yaml Normal file
View File

@ -0,0 +1,16 @@
pod:
mandatory_access_control:
type: apparmor
ceph-checkdns:
ceph-checkdns: runtime/default
init: runtime/default
ceph-mds:
ceph-mds: runtime/default
ceph-init-dirs: runtime/default
ceph-mgr:
ceph-mgr: runtime/default
ceph-init-dirs: runtime/default
ceph-rbd-pool:
ceph-rbd-pool: runtime/default
init: runtime/default

1
ceph-mon/templates/daemonset-mon.yaml
View File

@ -68,6 +68,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon" "ceph-init-dirs" "ceph-log-ownership") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

2
ceph-mon/templates/deployment-moncheck.yaml
View File

@ -39,7 +39,7 @@ spec:
{{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "ceph-mon-check" "containerNames" (list "ceph-mon" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

5
ceph-mon/templates/job-storage-admin-keys.yaml
View File

@ -58,6 +58,11 @@ spec:
metadata: metadata:
labels: labels:
{{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "ceph-storage-keys-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

15
ceph-mon/values_overrides/apparmor.yaml Normal file
View File

@ -0,0 +1,15 @@
pod:
mandatory_access_control:
type: apparmor
ceph-mon:
ceph-init-dirs: runtime/default
ceph-mon: runtime/default
ceph-log-ownership: runtime/default
ceph-mon-check:
ceph-mon: runtime/default
init: runtime/default
ceph-bootstrap:
ceph-bootstrap: runtime/default
ceph-storage-keys-generator:
ceph-storage-keys-generator: runtime/default
init: runtime/default

2
ceph-osd/templates/daemonset-osd.yaml
View File

@ -41,7 +41,7 @@ spec:
{{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default" "ceph-init-dirs" "ceph-log-ownership" "osd-init" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "osd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "osd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}

9
ceph-osd/values_overrides/apparmor.yaml Normal file
View File

@ -0,0 +1,9 @@
pod:
mandatory_access_control:
type: apparmor
ceph-osd-default:
ceph-osd-default: runtime/default
ceph-init-dirs: runtime/default
ceph-log-ownership: runtime/default
osd-init: runtime/default
init: runtime/default

1
ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
View File

@ -152,6 +152,7 @@ spec:
{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

1
ceph-provisioners/templates/deployment-rbd-provisioner.yaml
View File

@ -142,6 +142,7 @@ spec:
{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

2
ceph-provisioners/templates/job-cephfs-client-key.yaml
View File

@ -89,6 +89,8 @@ spec:
metadata: metadata:
labels: labels:
{{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}

11
ceph-provisioners/values_overrides/apparmor.yaml Normal file
View File

@ -0,0 +1,11 @@
pod:
mandatory_access_control:
type: apparmor
ceph-cephfs-provisioner:
ceph-cephfs-provisioner: runtime/default
init: runtime/default
ceph-cephfs-client-key-generator:
ceph-storage-keys-generator: runtime/default
ceph-rbd-provisioner:
ceph-rbd-provisioner: runtime/default
init: runtime/default

2
tools/deployment/common/get-values-overrides.sh
View File

@ -19,7 +19,7 @@ HELM_CHART="$1"
: "${HELM_CHART_ROOT_PATH:="../openstack-helm-infra"}" : "${HELM_CHART_ROOT_PATH:="../openstack-helm-infra"}"
: "${CONTAINER_DISTRO_NAME:="ubuntu"}" : "${CONTAINER_DISTRO_NAME:="ubuntu"}"
: "${CONTAINER_DISTRO_VERSION:="xenial"}" : "${CONTAINER_DISTRO_VERSION:="xenial"}"
: "${FEATURE_GATES:=""}" : "${FEATURE_GATES:="apparmor"}"
OSH_INFRA_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}" OSH_INFRA_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"
function echoerr () { function echoerr () {