Apparmor profile for MaaS

All containers were already running in non-privileged containers except region-controller and rack-controller. Both of those require privileged containers but can still function with the docker-default apparmor profile applied. This PS uses the new, more generic HTK snippet name (see https://review.openstack.org/613703). Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
2018-10-23 13:19:31 -05:00 · 2018-10-23 13:19:31 -05:00 · 2aaca3f60b
commit 2aaca3f60b
parent 9b527b4b99
4 changed files with 9 additions and 1 deletions
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@ -42,6 +42,7 @@ spec:
      annotations:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@ -36,6 +36,7 @@ spec:
      labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
+{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@ -230,6 +230,12 @@ secrets:
  ssh_key: ssh-private-key

 pod:
+  mandatory_access_control:
+    type: apparmor
+    maas-rack:
+      maas-rack: localhost/docker-default
+    maas-region:
+      maas-region: localhost/docker-default
  affinity:
    anti:
      type:
--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@ -18,7 +18,7 @@
 HELM=$1
 HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
 HTK_PATH=${HTK_PATH:-""}
-HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"}
+HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
 DEP_UP_LIST=${DEP_UP_LIST:-"maas"}

 if [[ ! -z $(echo $http_proxy) ]]