Add Docker default AppArmor profile to drydock

Change-Id: I50be2f08e69123afbef136683134abffc4e44197
2 years ago · 67716a7841
4 changed files with 16 additions and 5 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -23,14 +23,12 @@
        - airship-drydock-chart-build-latest-htk
        - airship-drydock-docker-build-gate-ubuntu_xenial
        - airship-drydock-docker-build-gate-ubuntu_bionic
-
    gate:
      jobs:
        - airship-drydock-omni-test
        - airship-drydock-chart-build-gate
        - airship-drydock-docker-build-gate-ubuntu_xenial
        - airship-drydock-docker-build-gate-ubuntu_bionic
-
    post:
      jobs:
        - airship-drydock-docker-publish-ubuntu_xenial
@ -41,7 +39,7 @@
    name: airship-drydock-single-node
    nodes:
      - name: primary
-        label: ubuntu-xenial
+        label: ubuntu-bionic

 - job:
    name: airship-drydock-omni-test
@ -49,7 +47,9 @@
      Run a set of lightweight lints and tests
      (pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
    run: tools/gate/playbooks/omni_test.yaml
-    timeout: 900
+    required-projects:
+      - openstack/openstack-helm-infra
+    timeout: 3600
    nodeset: airship-drydock-single-node

 - job:
@ -141,7 +141,6 @@
          commit: true
        static:
          - latest
-
 - secret:
    name: airship_drydock_quay_creds
    data:
--- a/charts/drydock/templates/deployment.yaml
+++ b/charts/drydock/templates/deployment.yaml
@ -37,6 +37,7 @@ spec:
 {{ $labels | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "drydock-api" "containerNames" (list "drydock-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
@ -58,6 +58,10 @@ network:
        nginx.ingress.kubernetes.io/rewrite-target: /

 pod:
+  mandatory_access_control:
+    type: apparmor
+    drydock-api:
+      drydock-api: runtime/default
  security_context:
    drydock:
      pod:
--- a/tools/gate/playbooks/omni_test.yaml
+++ b/tools/gate/playbooks/omni_test.yaml
@ -47,3 +47,10 @@
        target: run_drydock
      register: result
      become: true
+    - name: Setup Apparmor
+      shell: |
+        set -xe;
+        ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+      args:
+        chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
+        executable: /bin/bash