From 1c464900940bc21b0393487eb23d7c7d8f03e4b1 Mon Sep 17 00:00:00 2001
From: "dt241s@att.com"
Date: Sat, 22 Feb 2020 02:55:52 +0000
Subject: [PATCH] Enable Apparmor to Cinder

Co-Authored by gage Hugo . This Patchset creates Zuul Gate Jobs for apparmor to support Cinder.

Change-Id: I7705512a3b50560b183e19f0868be40078241cdd
---
 cinder/templates/deployment-api.yaml | 1 +
 cinder/templates/deployment-backup.yaml | 1 +
 cinder/templates/deployment-scheduler.yaml | 1 +
 cinder/templates/deployment-volume.yaml | 1 +
 cinder/templates/job-backup-storage-init.yaml | 2 ++
 cinder/values_overrides/apparmor.yaml | 23 ++++++++++++++++++
 zuul.d/jobs-openstack-helm.yaml | 24 +++++++++++++++++++
 zuul.d/project.yaml | 2 ++
 8 files changed, 55 insertions(+)
 create mode 100644 cinder/values_overrides/apparmor.yaml

diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index 85fd4a401e..af8b6ae0b9 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -45,6 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-api" "containerNames" (list "cinder-api" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
index 68aead95f8..c755691a10 100755
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
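Review bot: The added annotation line confines only the container names spelled out in its `list` (`cinder-api`, `ceph-coordination-volume-perms`, `init`); a container in this pod spec that is missing from that list, or one renamed or added later, presumably gets no AppArmor annotation and nothing in the template flags it, and the container definitions that would confirm the list are outside the hunk. A Helm comment above the line would make the coupling explicit: `{{- /* containerNames must list every container and init container of this pod; unlisted ones get no AppArmor annotation */ -}}`. The same point applies to the deployment-backup, deployment-scheduler and deployment-volume hunks. Whether the snippet fails the render or silently skips a container whose key is absent from values is decided in helm-toolkit, not in this patch, so that failure mode is worth confirming before the gate is trusted to catch drift.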
@@ -45,6 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-backup" "containerNames" (list "cinder-backup" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index 813ab1b237..78ce70222c 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -45,6 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-scheduler" "containerNames" (list "cinder-scheduler" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 3abb21838e..7af7050e7f 100755
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -45,6 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-volume" "containerNames" (list "cinder-volume" "ceph-coordination-volume-perms" "init-cinder-conf" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/cinder/templates/job-backup-storage-init.yaml b/cinder/templates/job-backup-storage-init.yaml
index 2d2bde76c4..8df707744c 100644
--- a/cinder/templates/job-backup-storage-init.yaml
+++ b/cinder/templates/job-backup-storage-init.yaml
@@ -59,6 +59,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "cinder-backup-storage-init" "containerNames" (list "cinder-backup-storage-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/cinder/values_overrides/apparmor.yaml b/cinder/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..d31f16a3f7
--- /dev/null
+++ b/cinder/values_overrides/apparmor.yaml
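Review bot: The `list` in the added line has a stray space before its closing parenthesis (`"init" )`), unlike the identical lines in the api, backup and scheduler templates; write it as `(list "cinder-volume" "ceph-coordination-volume-perms" "init-cinder-conf" "init")` so the four templates read the same. This is the only one of the four deployments whose list carries an extra `init-cinder-conf` entry, and that container's definition is outside the hunk, so the reader has to trust that the name matches the pod spec; a short Helm comment naming that container as the reason the list differs would save the next person a search.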
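Review bot: The `annotations:` key introduced here is new for this job's pod template, and per the diffstat this is the only job template in the chart the patch touches, so under the apparmor feature gate the chart's remaining jobs would, as far as this patch shows, keep running without a mandatory-access-control annotation. If that is deliberate (for instance because those jobs are rendered from shared helm-toolkit manifests rather than from this chart), a comment on the added `annotations:` line saying so would make the gap a documented decision rather than a surprise: `# only the backup storage-init job is annotated here; other jobs come from helm-toolkit manifests`. Separately, when no mandatory_access_control override is set the snippet presumably renders nothing, leaving a bare `annotations:` key with a null value; that is accepted by the API server but is worth a quick render check with default values before merging.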
@@ -0,0 +1,23 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    cinder-api:
+      cinder-api: runtime/default
+      ceph-coordination-volume-perms: runtime/default
+      init: runtime/default
+    cinder-backup:
+      cinder-backup: runtime/default
+      ceph-coordination-volume-perms: runtime/default
+      init: runtime/default
+    cinder-scheduler:
+      cinder-scheduler: runtime/default
+      ceph-coordination-volume-perms: runtime/default
+      init: runtime/default
+    cinder-volume:
+      cinder-volume: runtime/default
+      ceph-coordination-volume-perms: runtime/default
+      init-cinder-conf: runtime/default
+      init: runtime/default
+    cinder-backup-storage-init:
+      cinder-backup-storage-init: runtime/default
+      init: runtime/default
\ No newline at end of file
diff --git a/zuul.d/jobs-openstack-helm.yaml b/zuul.d/jobs-openstack-helm.yaml
index 026fb0a380..870829e0c3 100644
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
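Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the last `init: runtime/default`), which will make the next edit to that line show up as a two-line change; add the final newline. Every container is pinned to `runtime/default`, i.e. the container runtime's own default profile, so this override exercises the annotation plumbing rather than giving Cinder a confinement policy of its own, and nothing in the file says so. A two-line header comment would set expectations for whoever later wants a tailored profile: `# AppArmor profiles per pod/container; keys must match the containerNames lists in cinder/templates` and `# runtime/default is the runtime's default profile, not a Cinder-specific policy`.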
@@ -291,6 +291,30 @@
         - ./tools/deployment/developer/common/170-setup-gateway.sh
         - ./tools/deployment/developer/common/900-use-it.sh
 
+- job:
+    name: openstack-helm-apparmor-cinder
+    parent: openstack-helm-chart-deploy
+    run: tools/gate/playbooks/osh-gate-runner.yaml
+    timeout: 9600
+    vars:
+      osh_params:
+        openstack_release: stein
+        container_distro_name: ubuntu
+        container_distro_version: bionic
+        feature_gates: apparmor
+      gate_scripts:
+        - ./tools/deployment/common/install-packages.sh
+        - ./tools/deployment/common/deploy-k8s.sh
+        - ./tools/deployment/common/setup-client.sh
+        - ./tools/deployment/component/ceph/ceph.sh
+        - ./tools/deployment/component/ceph/ceph-ns-activate.sh
+        - ./tools/deployment/component/common/ingress.sh
+        - ./tools/deployment/component/common/mariadb.sh
+        - ./tools/deployment/component/common/memcached.sh
+        - ./tools/deployment/component/common/rabbitmq.sh
+        - ./tools/deployment/component/keystone/keystone.sh
+        - ./tools/deployment/component/cinder/cinder.sh
+
 - job:
     name: openstack-helm-netpol-compute-kit-train
     parent: openstack-helm-chart-deploy
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index c4925e403b..b8245bb42f 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -46,6 +46,8 @@
         - openstack-helm-horizon
         - openstack-helm-apparmor:
             voting: false
+        - openstack-helm-apparmor-cinder:
+            voting: false
         - openstack-helm-netpol-compute-kit
         - openstack-helm-netpol-compute-kit-train
         - openstack-helm-netpol-cinder
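Review bot: The new job sets `feature_gates: apparmor`, but nothing visible in its `gate_scripts` list checks that the deployed cinder pods actually carry the AppArmor annotations or that the profile is in effect inside the containers, so the job passes whenever `cinder.sh` completes and says little about confinement. If `cinder.sh` does not perform that check itself (it is outside this patch), a short verification step after it that reads the `container.apparmor.security.beta.kubernetes.io/<container>` annotations on the cinder pods and fails on any missing one would make this a real AppArmor gate rather than a second deploy job. The `timeout`, `run` and the first ten scripts duplicate what the neighbouring jobs declare; if a shared parent or anchor exists in this file it would cut the copy, though the repository convention may be to repeat them. The enclosing job list continues outside the hunk.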