Add apparmor support to Hostconfig-operator
This commit adds apparmor support to hostconfig-operator. With this apparmor support we can add/remove custom apparmor profiles to every node managed via hostconfig-operator. Signed-off-by: Sreejith Punnapuzha <Sreejith.Punnapuzha@outlook.com> Change-Id: I018d96c50e2557da72874a553cfef43b331aa079
parent
5013bfc23b
commit
c1685f11a1
|
@ -74,6 +74,21 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
description: "The configuration details that needs to be performed on the targeted kubernetes nodes."
|
description: "The configuration details that needs to be performed on the targeted kubernetes nodes."
|
||||||
properties:
|
properties:
|
||||||
|
apparmor:
|
||||||
|
description: "An array of apparmor configuration to be performed on the target nodes."
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
filename:
|
||||||
|
type: string
|
||||||
|
profile:
|
||||||
|
type: string
|
||||||
|
state:
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- filename
|
||||||
|
- state
|
||||||
exec:
|
exec:
|
||||||
description: "An array of script configuration that would be executed on the target nodes"
|
description: "An array of script configuration that would be executed on the target nodes"
|
||||||
type: array
|
type: array
|
||||||
|
|
|
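Review bot: `filename` is declared only as `type: string`, but the tasks added in this same commit interpolate it straight into `/etc/apparmor.d/{{ item.filename }}` and write there as root, so a value containing `/` or `..` passes admission and lands outside the profile directory; a constraint such as `pattern: "^[A-Za-z0-9][A-Za-z0-9._-]*$"` (example pattern) under `filename` would reject that at the API server. `state` is likewise an unconstrained string while the tasks only distinguish `absent` from everything else, so `enum: ["present", "absent"]` under `state` would make the contract explicit and catch typos like `absnet` that would otherwise silently install the profile. `profile` is not listed under `required`, yet it is the only content source when a profile is present; either add it to `required` or document on the field that it is mandatory unless `state` is `absent`.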
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: apparmor reload
|
||||||
|
service:
|
||||||
|
name: apparmor
|
||||||
|
state: reloaded
|
||||||
|
become: yes
|
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
- name: install > Packages
|
||||||
|
package:
|
||||||
|
name: apparmor
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: configs > Ensures destination directories exists
|
||||||
|
file:
|
||||||
|
path: /etc/apparmor.d
|
||||||
|
state: directory
|
||||||
|
recurse: true
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: configs > Create files
|
||||||
|
copy:
|
||||||
|
content: "{{ item.profile }}"
|
||||||
|
dest: "/etc/apparmor.d/{{ item.filename }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
when: item.state|default('present') != 'absent'
|
||||||
|
with_items: "{{ config.apparmor }}"
|
||||||
|
become: yes
|
||||||
|
notify:
|
||||||
|
- apparmor reload
|
||||||
|
|
||||||
|
- name: configs > Remove files
|
||||||
|
file:
|
||||||
|
path: "/etc/apparmor.d/{{ item.filename }}"
|
||||||
|
state: absent
|
||||||
|
when: item.state|default('present') == 'absent'
|
||||||
|
with_items: "{{ config.apparmor }}"
|
||||||
|
become: yes
|
||||||
|
notify:
|
||||||
|
- apparmor reload
|
|
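Review bot: `recurse: true` together with `mode: "0755"` in `configs > Ensures destination directories exists` applies that mode to every existing file below `/etc/apparmor.d`, so distribution-shipped profiles become executable on each run; the directory is already created by the `apparmor` package installed just above, so dropping `recurse: true` keeps the task as a plain ownership/mode guard on the directory without touching other profiles. In `configs > Create files`, `content: "{{ item.profile }}"` is rendered for every item whose `state` is not `absent`, but the CRD change in this commit does not make `profile` required, so an item without it aborts the play with an undefined-variable error instead of a clear validation message; an `assert` on `item.profile is defined` before the copy, or the CRD `required` list, would surface that earlier. The `apparmor reload` notified by `configs > Remove files` reparses the profiles still on disk; as far as I know it does not unload a profile whose file was just deleted, so the removed profile likely remains enforced in the kernel until it is unloaded explicitly (for example with `apparmor_parser -R`) — worth confirming and documenting on the task, e.g. `# NOTE: deleting the file does not unload an already-loaded profile; reload only re-parses remaining files`.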
@ -0,0 +1,25 @@
|
||||||
|
# This CR when executed configures the passed sysctl and ulimit
|
||||||
|
# configuration on the kubernetes master nodes.
|
||||||
|
|
||||||
|
apiVersion: hostconfig.airshipit.org/v1alpha1
|
||||||
|
kind: HostConfig
|
||||||
|
metadata:
|
||||||
|
name: example-apparmor
|
||||||
|
spec:
|
||||||
|
host_groups:
|
||||||
|
- name: "kubernetes.io/hostname"
|
||||||
|
values:
|
||||||
|
- "hostconfig-control-plane"
|
||||||
|
config:
|
||||||
|
apparmor:
|
||||||
|
- filename: bin.example.sh
|
||||||
|
profile: |
|
||||||
|
#include <tunables/global>
|
||||||
|
#
|
||||||
|
/bin/example.sh {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#
|
||||||
|
/bin/example.sh r,
|
||||||
|
deny /tmp/sample.txt w,
|
||||||
|
}
|
||||||
|
state: present
|
|
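Review bot: The header comment `# This CR when executed configures the passed sysctl and ulimit` / `# configuration on the kubernetes master nodes.` was carried over from another example and does not describe this file, which installs an apparmor profile. Replace the two lines with `# This CR when executed installs the passed apparmor profile` / `# on the kubernetes node(s) selected by host_groups.` A one-line comment next to `deny /tmp/sample.txt w,` saying that the accompanying check script relies on this rule would also help the next reader understand why the example profile denies that particular path.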
@ -0,0 +1,68 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
export TIMEOUT=${TIMEOUT:-3600}
|
||||||
|
export AIRSHIP_HOSTCONFIG=${AIRSHIP_HOSTCONFIG:-$PWD}
|
||||||
|
|
||||||
|
check_status(){
|
||||||
|
hostconfig=$1
|
||||||
|
end=$(($(date +%s) + $TIMEOUT))
|
||||||
|
while true; do
|
||||||
|
# Getting the failed and unreachable nodes status
|
||||||
|
failures=$(kubectl get hostconfig $hostconfig -o jsonpath='{.status.ansibleSummary.failures}')
|
||||||
|
unreachable=$(kubectl get hostconfig $hostconfig -o jsonpath='{.status.ansibleSummary.unreachable}')
|
||||||
|
if [[ $failures == "map[]" && $unreachable == "map[]" ]]; then
|
||||||
|
kubectl get hostconfig $hostconfig -o json
|
||||||
|
hosts=$2
|
||||||
|
ok=$(kubectl get hostconfig $hostconfig -o json | jq '.status.ansibleSummary.ok | keys')
|
||||||
|
hostNames=$(kubectl get hostconfig $hostconfig -o json | jq '.status.hostConfigStatus | keys')
|
||||||
|
ok_array=${ok[@]}
|
||||||
|
hostNames_array=${hostNames[@]}
|
||||||
|
# Checking if all hosts has executed
|
||||||
|
if [ "$hosts" == "$ok_array" ] && [ "$hosts" == "$hostNames_array" ]; then
|
||||||
|
if [[ `sudo docker exec $3 bash -c "echo 'touch /tmp/sample.txt' >> /bin/example.sh; chmod +x /bin/example.sh; /bin/example.sh; ls /tmp/sample.txt"` ]]; then
|
||||||
|
echo "$hostconfig hostconfig executed successfully"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
echo "$hostconfig hostconfig execution failed!"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Failing the execution is the hosts hasn't matched.
|
||||||
|
echo "$hostconfig hostconfig execution failed!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
elif [ -z "$failures" ] && [ -z "$unreachable" ]; then
|
||||||
|
# Waiting for the HostConfig CR status till timeout is reached.
|
||||||
|
now=$(date +%s)
|
||||||
|
if [ $now -gt $end ]; then
|
||||||
|
kubectl get hostconfig $hostconfig -o json
|
||||||
|
echo -e "HostConfig CR execution not completed even after timeout"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Failing the execution if the HostConfig CR object execution has failed.
|
||||||
|
kubectl get hostconfig $hostconfig -o json
|
||||||
|
echo "HostConfig CR execution failed"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
sleep 30
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# Checking HostConfig CR packages installation
|
||||||
|
kubectl apply -f $AIRSHIP_HOSTCONFIG/demo_examples/example_apparmor.yaml
|
||||||
|
check_status example-apparmor '[ "hostconfig-control-plane" ]' "hostconfig-control-plane"
|
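Review bot: The success branch in check_status, the `[[ ... ]]` wrapped around `sudo docker exec $3 bash -c "...; /bin/example.sh; ls /tmp/sample.txt"`, is true only when `ls` prints a listing, i.e. when `/tmp/sample.txt` was created, yet the example profile this script applies has `deny /tmp/sample.txt w,` for exactly that path, so under enforcement the file should be absent and the script would report failure; unless the profile is deliberately not expected to be enforced on the kind node, the condition looks inverted and should assert absence, e.g. `if ! sudo docker exec "$3" bash -c "echo 'touch /tmp/sample.txt' >> /bin/example.sh; chmod +x /bin/example.sh; /bin/example.sh; test -e /tmp/sample.txt"; then`. That same command also appends the `touch` line to `/bin/example.sh` on every call, so a retried run executes it several times and the probe is not idempotent. `$hostconfig` and `$3` are unquoted throughout, the backtick substitution should be `$(...)`, and `ok_array=${ok[@]}` applies array expansion to a plain string, which works only by accident — `[ "$hosts" == "$ok" ]` says what is meant. The `exit 1` calls inside the function terminate the caller rather than reporting a status; `return 1` would keep check_status reusable and let `set -e` at the call site decide.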