Add apparmor support to Hostconfig-operator

This commit adds apparmor support to hostconfig-operator. with this
apparmor support we can add/remove custom apparmor profiles to every
nodes managed via hostconfig-operator.

Signed-off-by: Sreejith Punnapuzha <Sreejith.Punnapuzha@outlook.com>
Change-Id: I018d96c50e2557da72874a553cfef43b331aa079

README.md

@@ -197,6 +197,9 @@ be executed on the kubernetes nodes.
 exec: Array object specifying list of scripts along with arguments
 and environment variables that can be executed on the nodes.
 
+apparmor: Array object specifying the apparmor profile that need to be
+applied on kubernetes nodes.
+
 The demo_examples folder has some examples listed which can be
 used to initially to play with the above variables
 

airship-host-config/deploy/crds/hostconfig.airshipit.org_hostconfigs_crd.yaml

@@ -74,6 +74,21 @@ spec:
               type: object
               description: "The configuration details that needs to be performed on the targeted kubernetes nodes."
               properties:
+                apparmor:
+                  description: "An array of apparmor configuration to be performed on the target nodes."
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      filename:
+                        type: string
+                      profile:
+                        type: string
+                      state:
+                        type: string
+                    required:
+                      - filename
+                      - state
                 exec:
                   description: "An array of script configuration that would be executed on the target nodes"
                   type: array

airship-host-config/roles/apparmor/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: apparmor reload
+  service:
+    name: apparmor
+    state: reloaded
+  become: yes

airship-host-config/roles/apparmor/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: install > Packages
+  package:
+    name: apparmor
+    state: present
+  become: yes
+
+- name: configs > Ensures destination directories exists
+  file:
+    path: /etc/apparmor.d
+    state: directory
+    recurse: true
+    owner: root
+    group: root
+    mode: "0755"
+  become: yes
+
+- name: configs > Create files
+  copy:
+    content: "{{ item.profile }}"
+    dest: "/etc/apparmor.d/{{ item.filename }}"
+    owner: root
+    group: root
+    mode: "0644"
+  when: item.state|default('present') != 'absent'
+  with_items: "{{ config.apparmor }}"
+  become: yes
+  notify:
+    - apparmor reload
+
+- name: configs > Remove files
+  file:
+    path: "/etc/apparmor.d/{{ item.filename }}"
+    state: absent
+  when: item.state|default('present') == 'absent'
+  with_items: "{{ config.apparmor }}"
+  become: yes
+  notify:
+    - apparmor reload

demo_examples/example_apparmor.yaml

@@ -0,0 +1,25 @@
+# This CR when executed configures the passed sysctl and ulimit
+# configuration on the kubernetes master nodes.
+
+apiVersion: hostconfig.airshipit.org/v1alpha1
+kind: HostConfig
+metadata:
+  name: example-apparmor
+spec:
+  host_groups:
+   - name: "kubernetes.io/hostname"
+     values:
+      - "hostconfig-control-plane"
+  config:
+   apparmor:
+     - filename: bin.example.sh
+       profile: |
+         #include <tunables/global>
+         #
+         /bin/example.sh {
+           #include <abstractions/base>
+           #
+           /bin/example.sh r,
+           deny /tmp/sample.txt w,
+         }
+       state: present

docs/Overview.md

@@ -45,6 +45,7 @@ with expiration detail.
 * Added support to upgrade packages and restart the corresponding services
 Current implementation supports installing/upgrading docker, containerd and apache2.
 It also supports installing python3-openstackclient and python3-novaclient binaries.
+* Added support to apply custom apparmor profiles to kubernetes nodes
 
 ## Architecture