From d4d4d7f4867edab19a5023c4fe427d5ad398128f Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Tue, 26 Nov 2019 21:00:30 +0000
Subject: [PATCH] Enable runtime-default Apparmor Profile to Openstack-Utility Container. This PS also adds Gate jobs to check docker default apparmor for utility Containers.
Change-Id: I32fbf16291a4f4df06d0cc23c8235de0420a044a
---
.../templates/deployment-utility.yaml | 4 +-
charts/openstack-utility/values.yaml | 4 +
.../apparmor/000-install-packages.sh | 28 +++++++
.../apparmor/001-setup-apparmor-profiles.sh | 7 ++
tools/deployment/apparmor/002-deploy-k8s.sh | 7 ++
.../apparmor/050-openstack-utility.sh | 84 +++++++++++++++++++
.../airship-porthole-gate-runner.yaml | 22 +++++
.../roles/osh-run-script/defaults/main.yaml | 17 ++++
.../roles/osh-run-script/tasks/main.yaml | 27 ++++++
zuul.d/base.yaml | 21 ++++-
10 files changed, 218 insertions(+), 3 deletions(-)
create mode 100755 tools/deployment/apparmor/000-install-packages.sh
create mode 100755 tools/deployment/apparmor/001-setup-apparmor-profiles.sh
create mode 100755 tools/deployment/apparmor/002-deploy-k8s.sh
create mode 100755 tools/deployment/apparmor/050-openstack-utility.sh
create mode 100644 tools/gate/playbooks/airship-porthole-gate-runner.yaml
create mode 100644 tools/gate/playbooks/roles/osh-run-script/defaults/main.yaml
create mode 100644 tools/gate/playbooks/roles/osh-run-script/tasks/main.yaml
diff --git a/charts/openstack-utility/templates/deployment-utility.yaml b/charts/openstack-utility/templates/deployment-utility.yaml
index 5f87431b..e39feba6 100644
--- a/charts/openstack-utility/templates/deployment-utility.yaml
+++ b/charts/openstack-utility/templates/deployment-utility.yaml
@@ -67,6 +67,8 @@ spec:
 {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
 labels:
 {{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "openstack-utility" "containerNames" (list "openstack-utility") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "openstack" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
@@ -75,7 +77,7 @@ spec:
 nodeSelector:
 {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
 containers:
- - name: {{ printf "%s" $envAll.Release.Name }}
+ - name: openstack-utility
 {{ tuple $envAll "openstack_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.openstack_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "openstack" "container" "openstack_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
diff --git a/charts/openstack-utility/values.yaml b/charts/openstack-utility/values.yaml
index 833b747b..a8fd8ad5 100644
--- a/charts/openstack-utility/values.yaml
+++ b/charts/openstack-utility/values.yaml
@@ -34,6 +34,10 @@ pod:
 openstack_utility:
 allowPrivilegeEscalation: true
 readOnlyRootFilesystem: false
+ mandatory_access_control:
+ type: apparmor
+ openstack-utility:
+ openstack-utility: runtime/default
 dns_policy: "ClusterFirstWithHostNet"
 replicas:
 utility: 1
diff --git a/tools/deployment/apparmor/000-install-packages.sh b/tools/deployment/apparmor/000-install-packages.sh
new file mode 100755
index 00000000..6bc03aca
--- /dev/null
+++ b/tools/deployment/apparmor/000-install-packages.sh
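Review bot: The annotation added at `+ annotations:` only takes effect if three literals stay in sync — the `podName`/`containerNames` passed to `kubernetes_mandatory_access_control_annotation`, the keys under `pod.mandatory_access_control.apparmor` in values.yaml, and the container name, which the next hunk hard-codes to `openstack-utility` precisely so the match is possible; presumably a non-matching key renders no annotation and the pod runs with no AppArmor profile and no error. A one-line comment above the include, `# NOTE: podName/containerNames must match the container name below and the keys in pod.mandatory_access_control`, would keep a future rename from silently dropping the confinement. The snippet also exists only in helm-toolkit revisions that ship it and the chart's dependency pin is not in this diff, so confirm the vendored helm-toolkit is new enough for a plain `helm install` outside the gate, which builds its own copy. If `helm-toolkit.snippets.release_uuid` above renders its own `annotations:` mapping when `release_uuid` is set, this hunk would produce a duplicate key in the pod template metadata — worth checking the rendered output with that value set.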
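Review bot: `runtime/default` confines the container with the runtime's default AppArmor profile, but the same `openstack_utility` security context still sets `allowPrivilegeEscalation: true` and `readOnlyRootFilesystem: false`, which the profile does not compensate for; if the utility image does not need setuid binaries or a writable root, tightening those is a larger hardening gain than the annotation. The nested mapping is easy to misread because `openstack-utility:` appears twice with different meanings, so a comment such as `# <pod name>: { <container name>: <profile> }; names must match deployment-utility.yaml` would help. To my knowledge a kubelet on a node without AppArmor enabled refuses to run a pod that requests a profile rather than ignoring the annotation, so this makes AppArmor-capable nodes a hard requirement for the chart and that should be stated in the chart docs or values comment.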
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -xe
+
+CURRENT_DIR="$(pwd)"
+: "${INSTALL_PATH:="../"}"
+: "${OSH_INFRA_COMMIT:="8ba46703ee9fab0115e4b7f62ea43e0798c36872"}"
+: "${CLONE_ARMADA:=true}"
+: "${CLONE_DECKHAND:=true}"
+: "${CLONE_SHIPYARD:=true}"
+
+cd ${INSTALL_PATH}
+
+# Clone Airship projects
+if [[ ${CLONE_ARMADA} = true ]] ; then
+ git clone https://opendev.org/airship/armada.git
+fi
+if [[ ${CLONE_DECKHAND} = true ]] ; then
+ git clone https://opendev.org/airship/deckhand.git
+fi
+if [[ ${CLONE_SHIPYARD} = true ]] ; then
+ git clone https://opendev.org/airship/shipyard.git
+fi
+
+# Clone dependencies
+git clone https://opendev.org/openstack/openstack-helm-infra.git
+
+cd openstack-helm-infra
+git checkout "${OSH_INFRA_COMMIT}"
diff --git a/tools/deployment/apparmor/001-setup-apparmor-profiles.sh b/tools/deployment/apparmor/001-setup-apparmor-profiles.sh
new file mode 100755
index 00000000..c6f89ff9
--- /dev/null
+++ b/tools/deployment/apparmor/001-setup-apparmor-profiles.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -xe
+CURRENT_DIR="$(pwd)"
+: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
+
+cd "${OSH_INFRA_PATH}"
+bash -c "./tools/deployment/common/001-setup-apparmor-profiles.sh"
diff --git a/tools/deployment/apparmor/002-deploy-k8s.sh b/tools/deployment/apparmor/002-deploy-k8s.sh
new file mode 100755
index 00000000..72299445
--- /dev/null
+++ b/tools/deployment/apparmor/002-deploy-k8s.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+CURRENT_DIR="$(pwd)"
+: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
+
+cd "${OSH_INFRA_PATH}"
+bash -c "./tools/deployment/common/005-deploy-k8s.sh"
diff --git a/tools/deployment/apparmor/050-openstack-utility.sh b/tools/deployment/apparmor/050-openstack-utility.sh
new file mode 100755
index 00000000..6ee61e3b
--- /dev/null
+++ b/tools/deployment/apparmor/050-openstack-utility.sh
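Review bot: Only openstack-helm-infra is pinned here (`OSH_INFRA_COMMIT`); armada, deckhand and shipyard are cloned at whatever HEAD opendev.org serves at run time, so the gate's result depends on unreviewed upstream state and a broken or compromised commit in any of those repos lands straight in this job. Pin them the same way, e.g. `: "${ARMADA_COMMIT:=<sha>}"` followed by `git -C armada checkout "${ARMADA_COMMIT}"`, or better, declare them as Zuul `required-projects` and use the checkouts Zuul prepares. `cd ${INSTALL_PATH}` is also unquoted, and under `set -e` each `git clone` aborts the script if the target directory already exists (a rerun on the same node), which 050-openstack-utility.sh guards with `|| true` but this script does not. `CURRENT_DIR` is assigned and never used.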
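Review bot: 002-deploy-k8s.sh has no `set -xe`, unlike its sibling 001-setup-apparmor-profiles.sh, so a failing `cd "${OSH_INFRA_PATH}"` is not fatal on its own and the script carries on in the wrong directory; the following `bash -c` then fails for a misleading reason (relative path not found) rather than the real one. Add `set -xe` after the shebang for consistency with 001. `CURRENT_DIR` is assigned but unused in both scripts.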
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+kubectl label nodes --all openstack-helm-node-class=primary --overwrite
+namespace="utility"
+
+cd /tmp
+git clone https://git.openstack.org/openstack/openstack-helm-infra.git || true
+cd openstack-helm-infra
+git reset --hard 200b5e902b3a176fbfbe669b6a10a254c9b50f5d
+make helm-toolkit
+
+cd /home/zuul/src/opendev.org/airship/porthole/charts/openstack-utility/
+mkdir charts
+cp -r /tmp/openstack-helm-infra/helm-toolkit-0.1.0.tgz /home/zuul/src/opendev.org/airship/porthole/charts/openstack-utility/charts
+cd /home/zuul/src/opendev.org/airship/porthole/charts
+
+kubectl get pods --all-namespaces
+sleep 120
+
+helm upgrade --install openstack-utility ./openstack-utility --namespace=$namespace \
+# NOTE: Validate Deployment and User.
+
+sleep 180
+kubectl get pods --namespace=$namespace | grep openstack-utility
+ouc_pod=$(kubectl get pods --namespace=$namespace --selector="application=openstack" --no-headers | awk '{ print $1; exit }')
+unsorted_process_file="/tmp/unsorted_proc_list"
+sorted_process_file="/tmp/proc_list"
+expected_profile="docker-default (enforce)"
+kubectl describe pod $ouc_pod -n utility
+
+#Below can be used for multiple Processes.Grab the processes (numbered directories) from the /proc directory,
+# and then sort them. Highest proc number indicates most recent process.
+#kubectl -n $namespace exec $ouc_pod -- ls -1 /proc | grep -e "^[0-9]*$" > $unsorted_process_file
+#sort --numeric-sort $unsorted_process_file > $sorted_process_file
+
+# The last/latest process in the list will actually be the "ls" command above,
+# which isn't running any more, so remove it.
+#sed -i '$ d' $sorted_process_file
+
+#while IFS='' read -r process || [[ -n "$process" ]]; do
+ #echo "Process ID: $process"
+ #proc_name=`kubectl -n $namespace exec $ouc_pod -- cat /proc/$process/status | grep "Name:" | awk -F' ' '{print $2}'`
+ #echo "Process Name: $proc_name"
+# profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
+# echo "Profile running: $profile"
+# if test "$profile" != "$expected_profile"
+# then
+# if test "$proc_name" == "pause"
+# then
+# echo "Root process (pause) can run docker-default, it's ok."
+# else
+# echo "$profile is the WRONG PROFILE!!"
+# return 1
+# fi
+# fi
+#done < $sorted_process_file
+
+profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+ if test "$profile" != "$expected_profile"
+ then
+ if test "$proc_name" == "pause"
+ then
+ echo "Root process (pause) can run docker-default, it's ok."
+ else
+ echo "$profile is the WRONG PROFILE!!"
+ return 1
+ fi
+ fi
diff --git a/tools/gate/playbooks/airship-porthole-gate-runner.yaml b/tools/gate/playbooks/airship-porthole-gate-runner.yaml
new file mode 100644
index 00000000..a8b92df2
--- /dev/null
+++ b/tools/gate/playbooks/airship-porthole-gate-runner.yaml
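Review bot: The failure path at the end of the script uses `return 1` outside any function, which bash rejects with "can only `return' from a function", so the gate fails only because `set -e` happens to treat that builtin error as fatal rather than by an explicit `exit 1`; in the same block `$proc_name` is never assigned in the live code (it exists only in the commented-out loop), so the `pause` branch is dead, and `/proc/1/attr/current` inside the utility container is that container's own init rather than the pause container, so the branch can simply go. `expected_profile="docker-default (enforce)"` is the Docker daemon's name for the runtime default; on containerd or CRI-O the `runtime/default` reference resolves to a differently named profile, so this check asserts a particular runtime as much as it asserts confinement — a comment saying so, or accepting any enforce-mode profile other than `unconfined`, would be more portable. The script also resets openstack-helm-infra to `200b5e90…` while 000-install-packages.sh pins `8ba46703…`, and hard-codes `/home/zuul/src/opendev.org/airship/porthole` instead of the `OSH_INFRA_PATH` the role exports, so two helm-toolkit revisions are in play in one job. The trailing `\` after `--namespace=$namespace` joins the `# NOTE:` line onto the helm command; harmless because `#` starts a comment there, but it should be removed, and the two fixed `sleep`s would be better replaced by `kubectl rollout status`.
```shell
# … unchanged: clone/build helm-toolkit, helm upgrade --install, pod lookup …
profile=$(kubectl -n "$namespace" exec "$ouc_pod" -- cat /proc/1/attr/current)
echo "Profile running: $profile"
if [ "$profile" != "$expected_profile" ]; then
  echo "$profile is the WRONG PROFILE!!"
  exit 1
fi
```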
@@ -0,0 +1,22 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: primary
+ tasks:
+ - name: Run gate scripts
+ include_role:
+ name: osh-run-script
+ vars:
+ gate_script_path: "{{ item }}"
+ with_items: "{{ gate_scripts }}"
diff --git a/tools/gate/playbooks/roles/osh-run-script/defaults/main.yaml b/tools/gate/playbooks/roles/osh-run-script/defaults/main.yaml
new file mode 100644
index 00000000..17499949
--- /dev/null
+++ b/tools/gate/playbooks/roles/osh-run-script/defaults/main.yaml
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+osh_params:
+ openstack_release: newton
+ container_distro_name: ubuntu
+ container_distro_version: bionic
+ #feature_gates:
diff --git a/tools/gate/playbooks/roles/osh-run-script/tasks/main.yaml b/tools/gate/playbooks/roles/osh-run-script/tasks/main.yaml
new file mode 100644
index 00000000..a64ed173
--- /dev/null
+++ b/tools/gate/playbooks/roles/osh-run-script/tasks/main.yaml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "Run script {{ gate_script_path }}"
+ shell: |
+ set -xe;
+ {{ gate_script_path }}
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ environment:
+ zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+ OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
+ OSH_PATH: "{{ zuul_osh_relative_path | default('../openstack-helm/') }}"
+ OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('../openstack-helm-infra/') }}"
+ OPENSTACK_RELEASE: "{{ osh_params.openstack_release }}"
+ CONTAINER_DISTRO_NAME: "{{ osh_params.container_distro_name }}"
+ CONTAINER_DISTRO_VERSION: "{{ osh_params.container_distro_version }}"
+ FEATURE_GATES: "{{ osh_params.feature_gates | default('') }}"
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml
index afc734ad..6264e024 100644
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
 - project:
 check:
@@ -23,6 +24,8 @@
 - airship-porthole-images-build-gate-mysqlclient-utility
 - airship-porthole-images-build-gate-openstack-utility
 - airship-porthole-images-build-gate-postgresql-utility
+ - airship-porthole-apparmor
+
 gate:
 jobs:
 - airship-porthole-linter
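Review bot: `{{ gate_script_path }}` is expanded verbatim into the `shell:` body, so a path containing whitespace or shell metacharacters is word-split or interpreted rather than run as one command; `{{ gate_script_path | quote }}` keeps it a single argument. Here the values come from the job definition in zuul.d, which is trusted configuration, so this is hardening rather than an exploitable hole, but the role is generic and will be reused. `zuul_site_mirror_fqdn` is also referenced with no default, so the task errors out on any nodeset where the base job does not define it — presumably fine on OpenDev nodes, but `"{{ zuul_site_mirror_fqdn | default('') }}"` would make local runs possible. A short comment above the task noting which of these variables the base job is expected to supply would save the next reader a trip through the parent job.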
@@ -33,6 +36,7 @@
 - airship-porthole-images-build-gate-mysqlclient-utility
 - airship-porthole-images-build-gate-openstack-utility
 - airship-porthole-images-build-gate-postgresql-utility
+ - airship-porthole-apparmor
 post:
 jobs:
@@ -43,12 +47,12 @@
 - airship-porthole-images-publish-mysqlclient-utility
 - airship-porthole-images-publish-openstack-utility
 - airship-porthole-images-publish-postgresql-utility
-
+ - airship-porthole-apparmor
 - nodeset:
 name: airship-porthole-single-node
 nodes:
 - name: primary
- label: ubuntu-xenial
+ label: ubuntu-bionic
 - job:
 name: airship-porthole-images
@@ -99,3 +103,16 @@
 JXcwlGoK6kvXmYaG2c7yEiH2xNtTzVTai10fsalubQWR4FTmJA5LU9+HatHBa46XLy4gS
 vMHs2uJudmxhqLIhs5Er248FVjfxw7le5dPun3ir4J7Mjgypu5y8eLCMZAFIwpeqlJrVU
 uih8ByaTlSEh6FBzle7Hb330RjSztC4pX6xiNAmtkpxhF2rEEFS66B/ixwCphQ=
+
+- job:
+ name: airship-porthole-apparmor
+ description: Checks Pods for Apparmor profile
+ timeout: 7200
+ run: tools/gate/playbooks/airship-porthole-gate-runner.yaml
+ nodeset: airship-porthole-single-node
+ vars:
+ gate_scripts:
+ - ./tools/deployment/apparmor/000-install-packages.sh
+ - ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+ - ./tools/deployment/apparmor/002-deploy-k8s.sh
+ - ./tools/deployment/apparmor/050-openstack-utility.sh
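Review bot: Switching the shared `airship-porthole-single-node` nodeset from `ubuntu-xenial` to `ubuntu-bionic` changes the node image for every job that references this nodeset, not only the new AppArmor job; whether the image build and publish jobs in this file use it is outside the hunk, so I cannot tell, but if they do they change OS in the same commit and need their own verification. Adding `airship-porthole-apparmor` to the `post` pipeline also looks unintended: post jobs run after merge with no vote, so a failed AppArmor check there is only noticed by someone reading logs, and the job already runs in `check` and `gate`. If bionic is needed only for the AppArmor profiles, a dedicated nodeset for the new job keeps the blast radius small.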
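Review bot: The new job declares no `required-projects`, so the scripts it runs fetch openstack-helm-infra, armada, deckhand and shipyard from opendev.org over the network at run time instead of using checkouts Zuul prepares; that bypasses `Depends-On`, ties the gate to network reachability, and for the three Airship repos means building on unpinned upstream HEAD. Adding `required-projects:` with `- openstack/openstack-helm-infra` (and the Airship projects if they are genuinely needed by this job) lets the scripts use `OSH_INFRA_PATH`, which the `osh-run-script` role already exports as `../openstack-helm-infra/`. `description: Checks Pods for Apparmor profile` could also state which profile is expected and that the check is tied to the Docker runtime, since that expectation is otherwise buried in 050-openstack-utility.sh.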