From 2aaca3f60bbee0d3eb1acde1f0eaa5295b622cb7 Mon Sep 17 00:00:00 2001
From: "Crank, Daniel (dc6350)"
Date: Tue, 23 Oct 2018 13:19:31 -0500
Subject: [PATCH] Apparmor profile for MaaS
All containers were already running in non-privileged containers except region-controller and rack-controller. Both of those require privileged containers but can still function with the docker-default apparmor profile applied. This PS uses the new, more generic HTK snippet name (see https://review.openstack.org/613703).
Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
---
 charts/maas/templates/statefulset-rack.yaml | 1 +
 charts/maas/templates/statefulset-region.yaml | 1 +
 charts/maas/values.yaml | 6 ++++++
 tools/helm_tk.sh | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml
index 47a5cba..ea1dd0b 100644
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@@ -42,6 +42,7 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index 7593761..a165118 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
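Review bot: The added annotation line in statefulset-rack.yaml hard-codes `"maas-rack"` as both pod and container name, and those strings must also match the keys under `pod.mandatory_access_control` in values.yaml and the container's `name:` in this pod spec, which lies outside the hunk. The helm-toolkit snippet's body is not on this page, but if it keys the AppArmor annotation by container name, a mismatch would presumably leave the privileged container without the intended profile or make the pod fail admission. I would add a template comment above the line, `{{/* podName/containerNames must equal the container name below and the keys under pod.mandatory_access_control in values.yaml */}}`, and confirm that any init containers in this pod are meant to stay outside the list. The same applies to the `maas-region` line in statefulset-region.yaml.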
@@ -36,6 +36,7 @@ spec:
 labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
+{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index f9a2c01..1facbdf 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -230,6 +230,12 @@ secrets:
 ssh_key: ssh-private-key
 pod:
+ mandatory_access_control:
+ type: apparmor
+ maas-rack:
+ maas-rack: localhost/docker-default
+ maas-region:
+ maas-region: localhost/docker-default
 affinity:
 anti:
 type:
diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh
index 9e3e6a3..e0b6a93 100755
--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@@ -18,7 +18,7 @@ HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
 if [[ ! -z $(echo $http_proxy) ]]
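Review bot: The default `localhost/docker-default` added under `pod.mandatory_access_control` in values.yaml only resolves on nodes where a profile named `docker-default` is loaded, which holds with the Docker runtime but not necessarily with others, and Kubernetes will not run a pod whose `localhost/` profile is missing on the node. Since the commit message says both containers stay privileged, this profile is the main confinement left on them, so the block deserves a comment such as `# <pod>: {<container>: <profile>}; a localhost/<name> profile must be loaded on every node that can schedule the pod`. If the helm-toolkit snippet passes the value through unchanged (its body is not on this page), `runtime/default` would be the runtime-independent choice and is worth mentioning there. It would also help to document a post-deploy check, for example that `/proc/1/attr/current` inside each container reports the profile in enforce mode. The `pod:` mapping continues past the end of the hunk.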