airship/maas
Code Issues Proposed changes

Apparmor profile for MaaS

Browse Source 
All containers were already running in non-privileged
containers except region-controller and rack-controller.
Both of those require privileged containers but
can still function with the docker-default apparmor
profile applied.

This PS uses the new, more generic HTK snippet name
(see https://review.openstack.org/613703).

Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
This commit is contained in:
Crank, Daniel (dc6350) 2018-10-23 13:19:31 -05:00
parent 9b527b4b99
commit 2aaca3f60b
4 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
charts/maas/templates/statefulset-rack.yaml
View File

@ -42,6 +42,7 @@ spec:
annotations: annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:

1
charts/maas/templates/statefulset-region.yaml
View File

@ -36,6 +36,7 @@ spec:
labels: labels:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations: annotations:
{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:

6
charts/maas/values.yaml
View File

@ -230,6 +230,12 @@ secrets:
ssh_key: ssh-private-key ssh_key: ssh-private-key
pod: pod:
mandatory_access_control:
type: apparmor
maas-rack:
maas-rack: localhost/docker-default
maas-region:
maas-region: localhost/docker-default
affinity: affinity:
anti: anti:
type: type:

2
tools/helm_tk.sh
View File

@ -18,7 +18,7 @@
HELM=$1 HELM=$1
HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"} HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
HTK_PATH=${HTK_PATH:-""} HTK_PATH=${HTK_PATH:-""}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"} HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
DEP_UP_LIST=${DEP_UP_LIST:-"maas"} DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
if [[ ! -z $(echo $http_proxy) ]] if [[ ! -z $(echo $http_proxy) ]]