diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index c3486c94..a301763d 100644
--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -44,6 +44,7 @@ spec:
 shipyard-configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "shipyard-api" "containerNames" (list "shipyard-api" "airflow-web") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml
index cae23c15..b9fb90f8 100644
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -86,6 +86,7 @@ spec:
 {{ $labels | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-worker" "containerNames" (list "airflow-worker" "airflow-scheduler" "airflow-logrotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index a4185488..3fd83cd5 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
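Review bot: The `containerNames` list on the added line in deployment-shipyard.yaml covers only `shipyard-api` and `airflow-web`, and the same concern applies to the `airflow-worker`/`airflow-scheduler`/`airflow-logrotate` list added in the statefulset-airflow-worker.yaml hunk. If I recall the helm-toolkit snippet correctly, it emits one `container.apparmor.security.beta.kubernetes.io/<container>` annotation per listed name, so any init container in either pod template (the init containers sit outside these hunks) stays unlisted and runs with no AppArmor profile, and the hard-coded list silently drifts if a container is later renamed. Please check the init container names in both templates and, where present, add them to the `list` and to the matching entries under `pod.mandatory_access_control` in values.yaml. A template comment above each added line, `{{/* containerNames must name every container and init container of this pod spec */}}`, would make the coupling visible to the next maintainer.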
@@ -717,6 +717,15 @@ conf:
 #Shipyard is not using this
 # End of Airflow config options
 pod:
+ mandatory_access_control:
+ type: apparmor
+ shipyard-api:
+ shipyard-api: runtime/default
+ airflow-web: runtime/default
+ airflow-worker:
+ airflow-worker: runtime/default
+ airflow-scheduler: runtime/default
+ airflow-logrotate: runtime/default
 security_context:
 shipyard:
 pod:
diff --git a/tools/gate/playbooks/airskiff-deploy.yaml b/tools/gate/playbooks/airskiff-deploy.yaml
index 47fa30d3..bcfbe87d 100644
--- a/tools/gate/playbooks/airskiff-deploy.yaml
+++ b/tools/gate/playbooks/airskiff-deploy.yaml
@@ -31,15 +31,15 @@
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
- - name: Deploy Kubernetes with Minikube
+ - name: Setup AppArmor
 shell: |
- ./tools/deployment/airskiff/developer/010-deploy-k8s.sh
+ ./tools/deployment/airskiff/developer/009-setup-apparmor.sh
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
- - name: Setup AppArmor
+ - name: Deploy Kubernetes with Minikube
 shell: |
- ./tools/deployment/airskiff/developer/015-setup-apparmor.sh
+ ./tools/deployment/airskiff/developer/010-deploy-k8s.sh
 args:
 chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
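Review bot: The new `mandatory_access_control` block in values.yaml carries no comment explaining its shape, yet its second-level keys (`shipyard-api`, `airflow-worker`) and third-level keys (`shipyard-api`, `airflow-web`, `airflow-worker`, `airflow-scheduler`, `airflow-logrotate`) only work because they match the `podName` and `containerNames` strings the two template hunks pass to the snippet. A container whose name is misspelled or missing here presumably gets no annotation rather than a render error, so a typo would leave that container unconfined silently; that is worth stating next to the data. Suggested comment above `mandatory_access_control:`: `# pod name -> container name -> AppArmor profile, matched against the names the templates pass to kubernetes_mandatory_access_control_annotation; runtime/default is the container runtime's default profile, and a container with no entry gets no annotation`.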
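Review bot: The renamed script `./tools/deployment/airskiff/developer/009-setup-apparmor.sh` in the first changed task is resolved inside the treasuremap checkout (`zuul.projects['opendev.org/airship/treasuremap'].src_dir`), not in this repository, so the playbook now depends on treasuremap having already moved `015-setup-apparmor.sh` to the `009-` name and the gate fails at this step until it has. Please confirm the cross-repo ordering (a Depends-On in the commit message, which is not in view here) before merging. The reorder itself, AppArmor setup ahead of the Minikube deploy, is presumably what allows the newly annotated pods to schedule, since a kubelet rejects pods carrying AppArmor annotations when AppArmor is not enabled on the node; a task comment such as `# must run before the k8s deploy: pods with AppArmor annotations are rejected on nodes without AppArmor` would record that ordering requirement.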