diff --git a/charts/deckhand/templates/deployment.yaml b/charts/deckhand/templates/deployment.yaml
index 6cab808a..6c3c3d8d 100644
--- a/charts/deckhand/templates/deployment.yaml
+++ b/charts/deckhand/templates/deployment.yaml
@@ -40,6 +40,7 @@ spec:
 {{ $labels | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "deckhand-api" "containerNames" (list "deckhand-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml
index b0024c9a..36218469 100644
--- a/charts/deckhand/values.yaml
+++ b/charts/deckhand/values.yaml
@@ -325,6 +325,10 @@ conf:
 formatter_simple:
 format: "%(asctime)s.%(msecs)03d %(process)d %(levelname)s: %(message)s"
 pod:
+ mandatory_access_control:
+ type: apparmor
+ deckhand-api:
+ deckhand-api: runtime/default
 security_context:
 deckhand:
 pod:
diff --git a/tools/gate/playbooks/airskiff-deploy.yaml b/tools/gate/playbooks/airskiff-deploy.yaml
index a9f35056..31406382 100644
--- a/tools/gate/playbooks/airskiff-deploy.yaml
+++ b/tools/gate/playbooks/airskiff-deploy.yaml
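Review bot: `containerNames` on the added annotation line lists only `deckhand-api`, so any other container in this pod template gets no AppArmor profile annotation from it. The pod spec lies outside the hunk; if it declares an init container (helm-toolkit charts commonly render one), name it here as well and give it a matching profile entry under `pod.mandatory_access_control.deckhand-api` in values.yaml. The `podName` and container names must also match the values keys exactly; a mismatch presumably renders no annotation and raises no error, so it is worth checking the rendered manifest for the expected `container.apparmor.security.beta.kubernetes.io/deckhand-api` key.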
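Review bot: The new `mandatory_access_control` block in values.yaml has no comment explaining its shape, and the repeated `deckhand-api` key reads like a copy-paste slip. A comment above it would settle that: `# <pod name>: <container name>: <AppArmor profile>; names must match the dict passed in templates/deployment.yaml`. It is also worth stating there that `runtime/default` is the container runtime's generic profile rather than one written for deckhand. The kubelet rejects pods that request an AppArmor profile on nodes where AppArmor is not enabled, so operators on such hosts need to override this default.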
@@ -30,15 +30,15 @@
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
- - name: Deploy Kubernetes with Minikube
+ - name: Setup Apparmor
 shell: |
- ./tools/deployment/airskiff/developer/010-deploy-k8s.sh
+ ./tools/deployment/airskiff/developer/009-setup-apparmor.sh
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
- - name: Setup AppArmor
+ - name: Deploy Kubernetes with Minikube
 shell: |
- ./tools/deployment/airskiff/developer/015-setup-apparmor.sh
+ ./tools/deployment/airskiff/developer/010-deploy-k8s.sh
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
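Review bot: The renamed script `009-setup-apparmor.sh` is resolved inside the treasuremap checkout (see `chdir`), not in this repository, so the reordered task only works once treasuremap ships that file; until then the gate fails at this step. If the commit message does not already carry a Zuul `Depends-On:` trailer for the treasuremap change, it should. The task name also changed case from `Setup AppArmor` to `Setup Apparmor`; keeping `- name: Setup AppArmor` matches the product's spelling and the old task. The first task touched here starts before the hunk, so its `shell:` line is not visible.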