
Apparmor profile for MaaS

All containers were already running non-privileged,
except region-controller and rack-controller.
Both of those require privileged containers but
can still function with the docker-default apparmor
profile applied.

This PS uses the new, more generic HTK snippet name
(see https://review.openstack.org/613703).

Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
Crank, Daniel (dc6350) 6 months ago
parent
commit
2aaca3f60b

+ 1
- 0
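--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@@ -42,6 +42,7 @@ spec:
       annotations:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       affinity: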
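Review bot: The added line hard-codes `"podName" "maas-rack"` and `(list "maas-rack")`, which have to agree with both the keys under `pod.mandatory_access_control` in values.yaml and the container `name:` in the pod spec, and that spec lies outside this hunk. If the values lookup misses, the snippet presumably renders no annotation and the privileged container stays unconfined without any error; if only the container name differs, the API server is expected to reject the pod for an unknown container in the AppArmor annotation. A template comment above the line would make the coupling visible, e.g. `{{/* podName/containerNames must match pod.mandatory_access_control keys and the container name below */}}`. The same applies to the `maas-region` line in statefulset-region.yaml.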

+ 1
- 0
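--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -36,6 +36,7 @@ spec:
       labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
+{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       affinity: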

+ 6
- 0
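--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -230,6 +230,12 @@ secrets:
   ssh_key: ssh-private-key
 
 pod:
+  mandatory_access_control:
+    type: apparmor
+    maas-rack:
+      maas-rack: localhost/docker-default
+    maas-region:
+      maas-region: localhost/docker-default
   affinity:
     anti:
       type: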
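Review bot: `localhost/docker-default` names a profile that must already be loaded on every node able to schedule these pods, and nothing in the new `mandatory_access_control` block says so. The Docker daemon loads `docker-default` itself, but on a node using another runtime, or with AppArmor disabled, the kubelet refuses to run a pod whose `localhost/` profile is missing. I would add a comment above `type: apparmor` such as `# localhost/<name> must be loaded on each node; docker-default is loaded by dockerd`. A second comment should record that the rack and region containers remain privileged, so the profile is an added restriction rather than a substitute for dropping privileges. The enclosing `pod:` mapping continues beyond this hunk.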

+ 1
- 1
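--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@@ -18,7 +18,7 @@
 HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
 
 if [[ ! -z $(echo $http_proxy) ]]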
