From 344c0543faf30ed3e1cf19b869545ef07d9f5d83 Mon Sep 17 00:00:00 2001 From: diwakar thyagaraj Date: Mon, 17 Feb 2020 02:18:37 +0000 Subject: [PATCH] Enable runtime Apparmor default for All Ceph Components Change-Id: Id62fe453846ffe6ab01198177d5d8046378d61bf Signed-off-by: diwakar thyagaraj --- ceph-client/templates/deployment-checkdns.yaml | 1 + ceph-client/templates/deployment-mds.yaml | 2 +- ceph-client/templates/deployment-mgr.yaml | 2 +- ceph-client/templates/job-rbd-pool.yaml | 2 ++ ceph-client/values_overrides/apparmor.yaml | 16 ++++++++++++++++ ceph-mon/templates/daemonset-mon.yaml | 1 + ceph-mon/templates/deployment-moncheck.yaml | 2 +- ceph-mon/templates/job-storage-admin-keys.yaml | 5 +++++ ceph-mon/values_overrides/apparmor.yaml | 15 +++++++++++++++ ceph-osd/templates/daemonset-osd.yaml | 2 +- ceph-osd/values_overrides/apparmor.yaml | 9 +++++++++ .../templates/deployment-cephfs-provisioner.yaml | 1 + .../templates/deployment-rbd-provisioner.yaml | 1 + .../templates/job-cephfs-client-key.yaml | 2 ++ ceph-provisioners/values_overrides/apparmor.yaml | 11 +++++++++++ tools/deployment/common/get-values-overrides.sh | 2 +- 16 files changed, 69 insertions(+), 5 deletions(-) create mode 100644 ceph-client/values_overrides/apparmor.yaml create mode 100644 ceph-mon/values_overrides/apparmor.yaml create mode 100644 ceph-osd/values_overrides/apparmor.yaml create mode 100644 ceph-provisioners/values_overrides/apparmor.yaml diff --git a/ceph-client/templates/deployment-checkdns.yaml b/ceph-client/templates/deployment-checkdns.yaml index 9a64285d1..14bc97033 100644 --- a/ceph-client/templates/deployment-checkdns.yaml +++ b/ceph-client/templates/deployment-checkdns.yaml @@ -68,6 +68,7 @@ spec: {{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-checkdns" "containerNames" (list "ceph-checkdns" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-client/templates/deployment-mds.yaml b/ceph-client/templates/deployment-mds.yaml index 340673604..5de290261 100644 --- a/ceph-client/templates/deployment-mds.yaml +++ b/ceph-client/templates/deployment-mds.yaml @@ -43,7 +43,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-client/templates/deployment-mgr.yaml b/ceph-client/templates/deployment-mgr.yaml index b4fd216ac..1c785af4b 100644 --- a/ceph-client/templates/deployment-mgr.yaml +++ b/ceph-client/templates/deployment-mgr.yaml @@ -43,7 +43,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-client/templates/job-rbd-pool.yaml b/ceph-client/templates/job-rbd-pool.yaml index 7e5e2d6be..55a3f77e0 100644 --- a/ceph-client/templates/job-rbd-pool.yaml +++ b/ceph-client/templates/job-rbd-pool.yaml @@ -32,6 +32,8 @@ spec: name: ceph-rbd-pool labels: {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "ceph-rbd-pool" "containerNames" (list "ceph-rbd-pool" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-client/values_overrides/apparmor.yaml b/ceph-client/values_overrides/apparmor.yaml new file mode 100644 index 000000000..f4a76523c --- /dev/null +++ b/ceph-client/values_overrides/apparmor.yaml @@ -0,0 +1,16 @@ +pod: + mandatory_access_control: + type: apparmor + ceph-checkdns: + ceph-checkdns: runtime/default + init: runtime/default + ceph-mds: + ceph-mds: runtime/default + ceph-init-dirs: runtime/default + ceph-mgr: + ceph-mgr: runtime/default + ceph-init-dirs: runtime/default + ceph-rbd-pool: + ceph-rbd-pool: runtime/default + init: runtime/default + diff --git a/ceph-mon/templates/daemonset-mon.yaml b/ceph-mon/templates/daemonset-mon.yaml index 16daae512..db273f926 100644 --- a/ceph-mon/templates/daemonset-mon.yaml +++ b/ceph-mon/templates/daemonset-mon.yaml @@ -68,6 +68,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon" "ceph-init-dirs" "ceph-log-ownership") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-mon/templates/deployment-moncheck.yaml b/ceph-mon/templates/deployment-moncheck.yaml index 4a9e869a9..fb4892de2 100644 --- a/ceph-mon/templates/deployment-moncheck.yaml +++ b/ceph-mon/templates/deployment-moncheck.yaml @@ -39,7 +39,7 @@ spec: {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} -{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-mon-check" "containerNames" (list "ceph-mon" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-mon/templates/job-storage-admin-keys.yaml b/ceph-mon/templates/job-storage-admin-keys.yaml index a069213cd..c13cad080 100644 --- a/ceph-mon/templates/job-storage-admin-keys.yaml +++ b/ceph-mon/templates/job-storage-admin-keys.yaml @@ -58,6 +58,11 @@ spec: metadata: labels: {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "ceph-storage-keys-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-mon/values_overrides/apparmor.yaml b/ceph-mon/values_overrides/apparmor.yaml new file mode 100644 index 000000000..8fb4e088d --- /dev/null +++ b/ceph-mon/values_overrides/apparmor.yaml @@ -0,0 +1,15 @@ +pod: + mandatory_access_control: + type: apparmor + ceph-mon: + ceph-init-dirs: runtime/default + ceph-mon: runtime/default + ceph-log-ownership: runtime/default + ceph-mon-check: + ceph-mon: runtime/default + init: runtime/default + ceph-bootstrap: + ceph-bootstrap: runtime/default + ceph-storage-keys-generator: + ceph-storage-keys-generator: runtime/default + init: runtime/default diff --git a/ceph-osd/templates/daemonset-osd.yaml b/ceph-osd/templates/daemonset-osd.yaml index 8ec6c3149..2349bc028 100644 --- a/ceph-osd/templates/daemonset-osd.yaml +++ b/ceph-osd/templates/daemonset-osd.yaml @@ -41,7 +41,7 @@ spec: {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default" "ceph-init-dirs" "ceph-log-ownership" "osd-init" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "osd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} diff --git a/ceph-osd/values_overrides/apparmor.yaml b/ceph-osd/values_overrides/apparmor.yaml new file mode 100644 index 000000000..fe69ae85c --- /dev/null +++ b/ceph-osd/values_overrides/apparmor.yaml @@ -0,0 +1,9 @@ +pod: + mandatory_access_control: + type: apparmor + ceph-osd-default: + ceph-osd-default: runtime/default + ceph-init-dirs: runtime/default + ceph-log-ownership: runtime/default + osd-init: runtime/default + init: runtime/default diff --git a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml index 316f697cb..f848e77ab 100644 --- a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml +++ b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml @@ -152,6 +152,7 @@ spec: {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml index df9dc30c4..fbb4ec746 100644 --- a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml +++ b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml @@ -142,6 +142,7 @@ spec: {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} +{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-provisioners/templates/job-cephfs-client-key.yaml b/ceph-provisioners/templates/job-cephfs-client-key.yaml index f166ccb2f..a2233e5aa 100644 --- a/ceph-provisioners/templates/job-cephfs-client-key.yaml +++ b/ceph-provisioners/templates/job-cephfs-client-key.yaml @@ -89,6 +89,8 @@ spec: metadata: labels: {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/ceph-provisioners/values_overrides/apparmor.yaml b/ceph-provisioners/values_overrides/apparmor.yaml new file mode 100644 index 000000000..055724ebb --- /dev/null +++ b/ceph-provisioners/values_overrides/apparmor.yaml @@ -0,0 +1,11 @@ +pod: + mandatory_access_control: + type: apparmor + ceph-cephfs-provisioner: + ceph-cephfs-provisioner: runtime/default + init: runtime/default + ceph-cephfs-client-key-generator: + ceph-storage-keys-generator: runtime/default + ceph-rbd-provisioner: + ceph-rbd-provisioner: runtime/default + init: runtime/default diff --git a/tools/deployment/common/get-values-overrides.sh b/tools/deployment/common/get-values-overrides.sh index c497e30e0..8e685ed02 100755 --- a/tools/deployment/common/get-values-overrides.sh +++ b/tools/deployment/common/get-values-overrides.sh @@ -19,7 +19,7 @@ HELM_CHART="$1" : "${HELM_CHART_ROOT_PATH:="../openstack-helm-infra"}" : "${CONTAINER_DISTRO_NAME:="ubuntu"}" : "${CONTAINER_DISTRO_VERSION:="xenial"}" -: "${FEATURE_GATES:=""}" +: "${FEATURE_GATES:="apparmor"}" OSH_INFRA_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}" function echoerr () {