Add Docker default AppArmor profile to drydock
Change-Id: I50be2f08e69123afbef136683134abffc4e44197
parent
2a02bc9b3f
commit
67716a7841
|
@ -23,14 +23,12 @@
|
||||||
- airship-drydock-chart-build-latest-htk
|
- airship-drydock-chart-build-latest-htk
|
||||||
- airship-drydock-docker-build-gate-ubuntu_xenial
|
- airship-drydock-docker-build-gate-ubuntu_xenial
|
||||||
- airship-drydock-docker-build-gate-ubuntu_bionic
|
- airship-drydock-docker-build-gate-ubuntu_bionic
|
||||||
|
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- airship-drydock-omni-test
|
- airship-drydock-omni-test
|
||||||
- airship-drydock-chart-build-gate
|
- airship-drydock-chart-build-gate
|
||||||
- airship-drydock-docker-build-gate-ubuntu_xenial
|
- airship-drydock-docker-build-gate-ubuntu_xenial
|
||||||
- airship-drydock-docker-build-gate-ubuntu_bionic
|
- airship-drydock-docker-build-gate-ubuntu_bionic
|
||||||
|
|
||||||
post:
|
post:
|
||||||
jobs:
|
jobs:
|
||||||
- airship-drydock-docker-publish-ubuntu_xenial
|
- airship-drydock-docker-publish-ubuntu_xenial
|
||||||
|
@ -41,7 +39,7 @@
|
||||||
name: airship-drydock-single-node
|
name: airship-drydock-single-node
|
||||||
nodes:
|
nodes:
|
||||||
- name: primary
|
- name: primary
|
||||||
label: ubuntu-xenial
|
label: ubuntu-bionic
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: airship-drydock-omni-test
|
name: airship-drydock-omni-test
|
||||||
|
@ -49,7 +47,9 @@
|
||||||
Run a set of lightweight lints and tests
|
Run a set of lightweight lints and tests
|
||||||
(pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
|
(pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
|
||||||
run: tools/gate/playbooks/omni_test.yaml
|
run: tools/gate/playbooks/omni_test.yaml
|
||||||
timeout: 900
|
required-projects:
|
||||||
|
- openstack/openstack-helm-infra
|
||||||
|
timeout: 3600
|
||||||
nodeset: airship-drydock-single-node
|
nodeset: airship-drydock-single-node
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
|
@ -141,7 +141,6 @@
|
||||||
commit: true
|
commit: true
|
||||||
static:
|
static:
|
||||||
- latest
|
- latest
|
||||||
|
|
||||||
- secret:
|
- secret:
|
||||||
name: airship_drydock_quay_creds
|
name: airship_drydock_quay_creds
|
||||||
data:
|
data:
|
||||||
|
|
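Review bot: The new `required-projects` entry on `airship-drydock-omni-test` adds `openstack/openstack-helm-infra` with no ref pinned, and the playbook change in this commit then runs a shell script from that checkout on the test node. The gate's behaviour therefore depends on whatever that repository contains at run time. If a fixed version is wanted, the entry can use the mapping form with `override-checkout: <pinned-ref>`. The job description still says "lightweight lints and tests" while `timeout` goes from 900 to 3600, so a comment such as `# openstack-helm-infra supplies the AppArmor setup script; timeout raised to cover it` would help, though that reason is inferred and not stated in the commit.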
|
@ -37,6 +37,7 @@ spec:
|
||||||
{{ $labels | indent 8 }}
|
{{ $labels | indent 8 }}
|
||||||
annotations:
|
annotations:
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||||
|
{{ dict "envAll" $envAll "podName" "drydock-api" "containerNames" (list "drydock-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
|
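Review bot: The added annotation line passes `"containerNames" (list "drydock-api")`, so only the main container is named for an AppArmor annotation. The pod spec lies outside this hunk, but if the pod also runs init containers they would presumably get no annotation from this call. If they should be confined too, list them here, e.g. `"containerNames" (list "drydock-api" "<init-container-name>")`, and add the matching key under `pod.mandatory_access_control.drydock-api` in the chart values.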
|
@ -58,6 +58,10 @@ network:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
|
mandatory_access_control:
|
||||||
|
type: apparmor
|
||||||
|
drydock-api:
|
||||||
|
drydock-api: runtime/default
|
||||||
security_context:
|
security_context:
|
||||||
drydock:
|
drydock:
|
||||||
pod:
|
pod:
|
||||||
|
|
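Review bot: The new `mandatory_access_control` block has no comment explaining its two-level layout. The outer `drydock-api` key appears to be the pod name and the inner one the container name, mirroring the `podName` and `containerNames` arguments passed in the deployment template. A comment above it such as `# <pod name>: { <container name>: <AppArmor profile> }` would make that clear. The comment could also say that `runtime/default` selects the container runtime's default profile, not a drydock-specific one, so operators know where to substitute a tighter profile.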
|
@ -47,3 +47,10 @@
|
||||||
target: run_drydock
|
target: run_drydock
|
||||||
register: result
|
register: result
|
||||||
become: true
|
become: true
|
||||||
|
- name: Setup Apparmor
|
||||||
|
shell: |
|
||||||
|
set -xe;
|
||||||
|
./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
|
||||||
|
args:
|
||||||
|
chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
|
||||||
|
executable: /bin/bash
|
||||||
|
|
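Review bot: The `Setup Apparmor` task is appended after the task that invokes `target: run_drydock`, so the profile script runs only once that step has finished. If the profiles are meant to be loaded before the container starts, the task belongs ahead of it, but the earlier part of the playbook is outside this hunk, so the intended order is not certain. Unlike the preceding task it carries no `become: true`. Loading AppArmor profiles normally needs root, so confirm the script elevates on its own or add `become: true` to the task.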