Apparmor profile for MaaS

All of the containers were already running non-privileged,
except region-controller and rack-controller.
Both of those require privileged containers but
can still function with the docker-default apparmor
profile applied.

This PS uses the new, more generic HTK snippet name
(see https://review.openstack.org/613703).

Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
Crank, Daniel (dc6350) 2018-10-23 13:19:31 -05:00
parent 9b527b4b99
commit 2aaca3f60b
4 changed files with 9 additions and 1 deletions


@ -42,6 +42,7 @@ spec:
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
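Review bot: The annotation helper on the new line is given only `maas-rack` in `containerNames`, so any other container in this pod — init containers in particular, if the template defines them outside the hunk — gets no AppArmor annotation and is left to the runtime's default handling; the same applies to the `maas-region` section below, which lists only `maas-region`. If that is intentional it deserves a short comment above the `{{ dict ... }}` line, e.g. `# MAC annotation covers only the main container; any init containers keep the runtime default`, and if not, the remaining container names should be appended to the list. The enclosing pod spec begins and ends outside the hunk.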


@ -36,6 +36,7 @@ spec:
labels:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:


@ -230,6 +230,12 @@ secrets:
ssh_key: ssh-private-key
pod:
mandatory_access_control:
type: apparmor
maas-rack:
maas-rack: localhost/docker-default
maas-region:
maas-region: localhost/docker-default
affinity:
anti:
type:
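Review bot: The new `mandatory_access_control` values pin both containers to `localhost/docker-default`, and the kubelet only honours a `localhost/` profile that is already loaded on the node; where it is not loaded (for example on nodes whose runtime is not Docker) the pod is expected to be rejected rather than started unconfined, so the precondition should be recorded next to `type: apparmor`, e.g. `# Profiles under localhost/ must already be loaded on every node; a missing profile blocks pod creation.` Since the description says these two containers run privileged, the annotation is what keeps the profile applied to them at all, which is worth stating in the same comment. If operators are meant to override these keys with a site-specific profile, a one-line example of that would help.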


@ -18,7 +18,7 @@
HELM=$1
HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
HTK_PATH=${HTK_PATH:-""}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
if [[ ! -z $(echo $http_proxy) ]]