KHIYANI, RAHUL (rk0850) 3332968caa Add apparmor profile to keystone-webhook container
Change-Id: I583c4c01e2c92c16705420fe726e3e7648a16705
2020-08-12 18:57:21 -05:00


# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Helm values for the kubernetes-keystone-webhook chart: a k8s-keystone-auth
# webhook that lets the Kubernetes API server authenticate/authorize requests
# against OpenStack Keystone. Every value here is a deployment default and is
# expected to be overridden per site (see notes on credentials and TLS below).

# Node selectors used to schedule the api pod and the test pod.
labels:
  api:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

images:
  tags:
    # The webhook itself; pinned to a fixed tag rather than a floating one.
    kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:v0.2.0
    scripted_test: docker.io/openstackhelm/heat:newton-ubuntu_xenial
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: IfNotPresent
  local_registry:
    active: false
    # Images listed here are presumably left pointing at their upstream
    # registry even when local_registry.active is true - confirm against the
    # helm-toolkit image helpers before relying on it.
    exclude:
      - dep_check
      - image_repo_sync

network:
  api:
    ingress:
      # true exposes the webhook through the public ingress class as well as
      # the namespace one.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      # Annotation values must be strings, hence the quoted "true".
      # secure-backends tells nginx to speak HTTPS to the backend, matching
      # endpoints.kubernetes_keystone_webhook.scheme (https) below.
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/secure-backends: "true"
    external_policy_local: false
    # NodePort exposure is off by default; 30601 is only used when enabled.
    node_port:
      enabled: false
      port: 30601

pod:
  # Container hardening for the webhook: non-root uid, immutable root fs,
  # no privilege escalation. Keep these when overriding.
  security_context:
    kubernetes_keystone_webhook:
      pod:
        # 65534 is conventionally the "nobody" uid - confirm the image runs
        # correctly as this user.
        runAsUser: 65534
      container:
        kubernetes_keystone_webhook:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  # AppArmor profile annotation. The outer key appears to be the pod name and
  # the inner key the container name (both kubernetes-keystone-webhook);
  # runtime/default is the container runtime's stock profile. Confirm the
  # key layout against the helm-toolkit mandatory_access_control snippet.
  mandatory_access_control:
    type: apparmor
    kubernetes-keystone-webhook:
      kubernetes-keystone-webhook: runtime/default
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  replicas:
    api: 1
  resources:
    # Requests/limits below are only applied when enabled is true.
    enabled: false
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "200m"
    jobs:
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "256Mi"
          cpu: "200m"
  # Extra volume/volumeMount hooks; null means none are added.
  mounts:
    kubernetes_keystone_webhook_api:
      init_container: null
      kubernetes_keystone_webhook_api: null
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null

release_group: null

conf:
  # k8s-keystone-auth authorization policy. Each entry pairs a Kubernetes
  # request selector (resource: verbs/resources/namespace/version, or
  # nonresource: verbs/path) with a match on a Keystone attribute (type role
  # or type project). The version field holds an API group name: "" is used
  # with core-group resources (pods, secrets, ...), "apps", "batch" etc. for
  # the others, and "*" for any group.
  #
  # Entries using "*" for verbs, resources, namespace and version grant
  # unrestricted cluster-wide access to holders of that role/project, so the
  # role names here (admin, admin_k8cluster, openstack-system) should be
  # reviewed against the Keystone deployment before this policy is enabled.
  policy:
    # Keystone role "admin": everything, everywhere.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "*"
        version: "*"
      match:
        - type: role
          values:
            - admin
    # Full access limited to the kube-system namespace.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-admin
    # Read-only access limited to the kube-system namespace.
    - resource:
        verbs:
          - get
          - list
          - watch
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-viewer
    # Membership of the Keystone project openstack-system (not a role) gives
    # full access to the openstack namespace.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "openstack"
        version: "*"
      match:
        - type: project
          values:
            - openstack-system
    # admin_k8cluster: cluster-wide admin on resource and non-resource paths.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "*"
        version: "*"
      match:
        - type: role
          values:
            - admin_k8cluster
    - nonresource:
        verbs:
          - "*"
        path: "*"
      match:
        - type: role
          values:
            - admin_k8cluster
    # admin_k8cluster_editor: read/write on workload resources in every
    # namespace. Note this includes secrets, pods/exec, pods/portforward and
    # serviceaccounts (plus impersonate below), which together are close to
    # cluster-admin in practice.
    - resource:
        resources:
          - pods
          - pods/attach
          - pods/exec
          - pods/portforward
          - pods/proxy
          - configmaps
          - endpoints
          - persistentvolumeclaims
          - replicationcontrollers
          - replicationcontrollers/scale
          - secrets
          - serviceaccounts
          - services
          - services/proxy
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: ""
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - bindings
          - events
          - limitranges
          - namespaces/status
          - pods/log
          - pods/status
          - replicationcontrollers/status
          - resourcequotas
          - resourcequotas/status
          - namespaces
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: ""
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - serviceaccounts
        verbs:
          - impersonate
        namespace: "*"
        version: ""
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - daemonsets
          - deployments
          - deployments/rollback
          - deployments/scale
          - replicasets
          - replicasets/scale
          - statefulsets
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "apps"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - horizontalpodautoscalers
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "autoscaling"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - cronjobs
          - jobs
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "batch"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - daemonsets
          - deployments
          - deployments/rollback
          - deployments/scale
          - ingresses
          - networkpolicies
          - replicasets
          - replicasets/scale
          - replicationcontrollers/scale
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "extensions"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - poddisruptionbudgets
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "policy"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    - resource:
        resources:
          - networkpolicies
        verbs:
          - create
          - delete
          - deletecollection
          - get
          - list
          - patch
          - update
          - watch
        namespace: "*"
        version: "networking.k8s.io"
      match:
        - type: role
          values:
            - admin_k8cluster_editor
    # admin_k8cluster_viewer: read-only (get/list/watch) mirror of the editor
    # role across every namespace. Secrets are deliberately absent from its
    # core-group list.
    - resource:
        resources:
          - configmaps
          - endpoints
          - persistentvolumeclaims
          - pods
          - replicationcontrollers
          - replicationcontrollers/scale
          - serviceaccounts
          - services
          - bindings
          - events
          - limitranges
          - namespaces/status
          - pods/log
          - pods/status
          - replicationcontrollers/status
          - resourcequotas
          - resourcequotas/status
          - namespaces
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: ""
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - daemonsets
          - deployments
          - deployments/scale
          - replicasets
          - replicasets/scale
          - statefulsets
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "apps"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - horizontalpodautoscalers
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "autoscaling"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - cronjobs
          - jobs
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "batch"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - daemonsets
          - deployments
          - deployments/scale
          - ingresses
          - networkpolicies
          - replicasets
          - replicasets/scale
          - replicationcontrollers/scale
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "extensions"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - poddisruptionbudgets
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "policy"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer
    - resource:
        resources:
          - networkpolicies
        verbs:
          - get
          - list
          - watch
        namespace: "*"
        version: "networking.k8s.io"
      match:
        - type: role
          values:
            - admin_k8cluster_viewer

# Names of the Kubernetes Secret objects the chart creates (see the
# secret_keystone and secret_certificates toggles under manifests).
secrets:
  identity:
    admin: kubernetes-keystone-webhook-admin
  certificates:
    api: kubernetes-keystone-webhook-certs

endpoints:
  cluster_domain_suffix: cluster.local
  kubernetes:
    auth:
      api:
        # No certificate material ships with the chart; the webhook listens
        # on https (see kubernetes_keystone_webhook below), so crt/key must
        # be supplied as PEM at deploy time - presumably via the
        # secret_certificates manifest; confirm against the templates.
        tls:
          crt: null
          key: null
  identity:
    name: keystone
    namespace: null
    auth:
      admin:
        region_name: RegionOne
        username: admin
        # Placeholder credential used to reach Keystone; override it in every
        # deployment rather than keeping the chart default.
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    # Keystone is addressed over plain http on port 80/5000 by default; set
    # scheme/ports to the https endpoint where one is available.
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  kubernetes_keystone_webhook:
    namespace: null
    name: k8sksauth
    hosts:
      default: k8sksauth-api
      public: k8sksauth
    host_fqdn_override:
      default: null
    path:
      default: /webhook
    # The webhook endpoint is served over https only.
    scheme:
      default: https
    port:
      api:
        default: 8443
        public: 443

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - k8sksauth-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    api:
      jobs: null
      services: null

# Per-template enable/disable switches.
manifests:
  api_secret: true
  configmap_etc: true
  configmap_bin: true
  deployment: true
  ingress_webhook: true
  pod_test: true
  secret_certificates: true
  secret_keystone: true
  service_ingress_api: true
  service: true
...