From a892707f4164a47225475dcbdbaa333eed3285ae Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Tue, 4 Aug 2020 17:13:35 +0000
Subject: [PATCH] Add Application Armor to cinder-Job
Change-Id: Icab982b9168381a7795719a6348a5d1c85b71453
Signed-off-by: diwakar thyagaraj
---
 cinder/templates/cron-job-cinder-volume-usage-audit.yaml | 2 ++
 cinder/templates/job-create-internal-tenant.yaml | 2 ++
 cinder/values_overrides/apparmor.yaml | 6 ++++++
 3 files changed, 10 insertions(+)
diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
index 76103fe74f..632189d253 100644
--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -44,6 +44,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "cinder-volume-usage-audit" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml
index fc83d92a4e..d4afef7923 100644
--- a/cinder/templates/job-create-internal-tenant.yaml
+++ b/cinder/templates/job-create-internal-tenant.yaml
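Review bot: The added include in `cron-job-cinder-volume-usage-audit.yaml` is piped through `indent 8`, while the label include just above it uses `indent 12` and the pod security context below uses `indent 10`, so the rendered AppArmor entries would sit shallower than the `annotations:` key instead of under it. Leading whitespace is collapsed on this page, so this is inferred from those indent values; if it holds, `annotations:` renders empty and the `cinder-volume-usage-audit` and `init` containers get no profile annotation, or the manifest fails validation. The line should end `| indent 12 }}`, matching the label include. The pod template continues outside the hunk.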
@@ -33,6 +33,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll $serviceName "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "create-internal-tenant" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName | quote }}
diff --git a/cinder/values_overrides/apparmor.yaml b/cinder/values_overrides/apparmor.yaml
index 2c488ae61a..4b1c7bd7b0 100644
--- a/cinder/values_overrides/apparmor.yaml
+++ b/cinder/values_overrides/apparmor.yaml
@@ -26,4 +26,10 @@ pod:
 init: runtime/default
 cinder-test: runtime/default
 cinder-test-ks-user: runtime/default
+ cinder-create-internal-tenant:
+ init: runtime/default
+ create-internal-tenant: runtime/default
+ cinder-volume-usage-audit:
+ cinder-volume-usage-audit: runtime/default
+ init: runtime/default
 ...
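Review bot: `podName` in `job-create-internal-tenant.yaml` is filled from `$serviceAccountName`, which is set outside this hunk, so the profile lookup only works while the service account name stays equal to the `cinder-create-internal-tenant` key added in `values_overrides/apparmor.yaml`; the cron-job template has the same coupling. The snippet body is not shown here, but if it skips names it cannot find in values, a rename on either side would drop the annotation with no render error and the job would run without the intended profile. I would add a template comment above `annotations:` such as `{{/* podName and containerNames must match the pod and container keys in the apparmor values override */}}`. The `indent 8` here agrees with the label include in the same hunk.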
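Review bot: The two new stanzas in `values_overrides/apparmor.yaml` order their keys differently: `cinder-create-internal-tenant` lists `init` first, as the existing context lines appear to do, while `cinder-volume-usage-audit` lists `init` last. Putting `init: runtime/default` first in both keeps the override easy to scan and diff. Behaviour is unaffected, since mapping order carries no meaning.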