From c1a7ba3a11e02cd5c940bdcd5f733c8d78e1524f Mon Sep 17 00:00:00 2001
From: Sreejith Punnapuzha
Date: Mon, 24 May 2021 23:13:27 -0500
Subject: [PATCH] Add apparmor support to Hostconfig-operator

This commit adds apparmor support to hostconfig-operator. with this apparmor support we can add/remove custom apparmor profiles to every nodes managed via hostconfig-operator.

Signed-off-by: Sreejith Punnapuzha
Change-Id: I018d96c50e2557da72874a553cfef43b331aa079
---
 README.md | 3 ++
 ...tconfig.airshipit.org_hostconfigs_crd.yaml | 15 +++++++
 .../roles/apparmor/handlers/main.yml | 6 +++
 .../roles/apparmor/tasks/main.yml | 39 +++++++++++++++++++
 demo_examples/example_apparmor.yaml | 25 ++++++++++++
 docs/Overview.md | 1 +
 6 files changed, 89 insertions(+)
 create mode 100644 airship-host-config/roles/apparmor/handlers/main.yml
 create mode 100644 airship-host-config/roles/apparmor/tasks/main.yml
 create mode 100644 demo_examples/example_apparmor.yaml
diff --git a/README.md b/README.md
index 13b85a8..c5dfdc0 100644
--- a/README.md
+++ b/README.md
@@ -197,6 +197,9 @@ be executed on the kubernetes nodes.
 exec: Array object specifying list of scripts along with arguments and environment variables that can be executed on the nodes.
+apparmor: Array object specifying the apparmor profile that need to be
+applied on kubernetes nodes.
+
 The demo_examples folder has some examples listed which can be used to initially to play with the above variables
diff --git a/airship-host-config/deploy/crds/hostconfig.airshipit.org_hostconfigs_crd.yaml b/airship-host-config/deploy/crds/hostconfig.airshipit.org_hostconfigs_crd.yaml
index 3e35f24..4f06a89 100644
--- a/airship-host-config/deploy/crds/hostconfig.airshipit.org_hostconfigs_crd.yaml
+++ b/airship-host-config/deploy/crds/hostconfig.airshipit.org_hostconfigs_crd.yaml
@@ -74,6 +74,21 @@ spec:
 type: object
 description: "The configuration details that needs to be performed on the targeted kubernetes nodes."
 properties:
+ apparmor:
+ description: "An array of apparmor configuration to be performed on the target nodes."
+ type: array
+ items:
+ type: object
+ properties:
+ filename:
+ type: string
+ profile:
+ type: string
+ state:
+ type: string
+ required:
+ - filename
+ - state
 exec:
 description: "An array of script configuration that would be executed on the target nodes"
 type: array
diff --git a/airship-host-config/roles/apparmor/handlers/main.yml b/airship-host-config/roles/apparmor/handlers/main.yml
new file mode 100644
index 0000000..1a787b0
--- /dev/null
+++ b/airship-host-config/roles/apparmor/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: apparmor reload
+ service:
+ name: apparmor
+ state: reloaded
+ become: yes
diff --git a/airship-host-config/roles/apparmor/tasks/main.yml b/airship-host-config/roles/apparmor/tasks/main.yml
new file mode 100644
index 0000000..ffc602d
--- /dev/null
+++ b/airship-host-config/roles/apparmor/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: install > Packages
+ package:
+ name: apparmor
+ state: present
+ become: yes
+
+- name: configs > Ensures destination directories exists
+ file:
+ path: /etc/apparmor.d
+ state: directory
+ recurse: true
+ owner: root
+ group: root
+ mode: "0755"
+ become: yes
+
+- name: configs > Create files
+ copy:
+ content: "{{ item.profile }}"
+ dest: "/etc/apparmor.d/{{ item.filename }}"
+ owner: root
+ group: root
+ mode: "0644"
+ when: item.state|default('present') != 'absent'
+ with_items: "{{ config.apparmor }}"
+ become: yes
+ notify:
+ - apparmor reload
+
+- name: configs > Remove files
+ file:
+ path: "/etc/apparmor.d/{{ item.filename }}"
+ state: absent
+ when: item.state|default('present') == 'absent'
+ with_items: "{{ config.apparmor }}"
+ become: yes
+ notify:
+ - apparmor reload
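Review bot: The new `filename` property is constrained only by `type: string`, yet the role in this commit joins it into `/etc/apparmor.d/{{ item.filename }}` for both the copy task and the `state: absent` delete in roles/apparmor/tasks/main.yml, so a value containing `/` or `..` reaches paths outside the profile directory. Reject that at the API server by adding `pattern: '^[A-Za-z0-9._-]+$'` under `filename:`, and constrain `state` with `enum: [present, absent]` since the role only ever compares it against 'absent'. `profile` is not listed under `required` although the copy task reads `item.profile` unconditionally whenever state is not absent, so either add it to `required` or describe the present-without-profile behaviour in the `description`.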
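Review bot: `become: yes` on the last line of the handler is a YAML 1.1 truthy scalar; write `become: true` so the file passes yamllint's truthy rule and matches the `recurse: true` spelling the tasks file in this commit already uses. The same `become: yes` appears four times in roles/apparmor/tasks/main.yml and should change with it. Note also that a `reloaded` failure here fails the play for that node, and since the handler runs after every profile has been copied, a single unparsable profile in the list blocks the reload for all of them.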
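Review bot: `recurse: true` together with `mode: "0755"` in the "Ensures destination directories exists" task rewrites owner, group and mode on everything already inside /etc/apparmor.d, so every distro-shipped profile file becomes 0755 on each run; drop `recurse: true` (the directory is created by the apparmor package installed just above). The "Create files" task also lands operator-supplied profile text with no parse check before the reload handler fires, so adding the copy module's `validate: "apparmor_parser --skip-kernel-load %s"` rejects a broken profile before it replaces the previous one. Finally, the "Remove files" task deletes the file and notifies a service reload, but as far as I can tell that reload only re-parses the files still present, so the removed profile likely stays enforced in the kernel until reboot; running `apparmor_parser --remove` on the file before deleting it handles that, with the caveat that the parser may exit non-zero when the profile is not currently loaded, so confirm on a node whether `failed_when` needs relaxing.
```yaml
# … unchanged: install > Packages …
- name: configs > Ensures destination directories exists
  file:
    path: /etc/apparmor.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  become: yes

- name: configs > Create files
  copy:
    content: "{{ item.profile }}"
    dest: "/etc/apparmor.d/{{ item.filename }}"
    owner: root
    group: root
    mode: "0644"
    validate: "apparmor_parser --skip-kernel-load %s"
  # … unchanged: when / with_items / become / notify …

- name: configs > Unload profiles before removal
  command: "apparmor_parser --remove /etc/apparmor.d/{{ item.filename }}"
  args:
    removes: "/etc/apparmor.d/{{ item.filename }}"
  when: item.state|default('present') == 'absent'
  with_items: "{{ config.apparmor }}"
  become: yes

# … unchanged: configs > Remove files …
```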
diff --git a/demo_examples/example_apparmor.yaml b/demo_examples/example_apparmor.yaml
new file mode 100644
index 0000000..ddba3f1
--- /dev/null
+++ b/demo_examples/example_apparmor.yaml
@@ -0,0 +1,25 @@
+# This CR when executed configures the passed sysctl and ulimit
+# configuration on the kubernetes master nodes.
+
+apiVersion: hostconfig.airshipit.org/v1alpha1
+kind: HostConfig
+metadata:
+ name: example-apparmor
+spec:
+ host_groups:
+ - name: "kubernetes.io/hostname"
+ values:
+ - "hostconfig-control-plane"
+ config:
+ apparmor:
+ - filename: bin.example.sh
+ profile: |
+ #include
+ #
+ /bin/example.sh {
+ #include
+ #
+ /bin/example.sh r,
+ deny /tmp/sample.txt w,
+ }
+ state: present
diff --git a/docs/Overview.md b/docs/Overview.md
index 5948311..cf81885 100644
--- a/docs/Overview.md
+++ b/docs/Overview.md
@@ -45,6 +45,7 @@ with expiration detail.
 * Added support to upgrade packages and restart the corresponding services Current implementation supports installing/upgrading docker, containerd and apache2. It also supports installing python3-openstackclient and python3-novaclient binaries.
+* Added support to apply custom apparmor profiles to kubernetes nodes
 ## Architecture
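Review bot: The header comment on the first two lines describes sysctl and ulimit configuration, which this CR does not touch; it reads as copied from another example and should say `# This CR when executed applies the listed apparmor profile` / `# to the kubernetes control-plane nodes.`. In the hunk as shown here both `#include` lines inside the `profile` block carry no target, which may be the page rendering dropping angle-bracketed text; confirm the committed file reads `#include <tunables/global>` at the top and `#include <abstractions/base>` inside the profile body, since a bare `#include` would fail to parse on the node. A one-line comment above `deny /tmp/sample.txt w,` stating that the rule is there only to demonstrate an explicit deny would also help readers who copy this example.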