Use security_context for apparmor

Starting with Kubernetes 1.30, AppArmor profiles are specified in the
security_context instead of annotations:

https://kubernetes.io/docs/tutorials/security/apparmor/

This PS:

1: updates apparmor value overrides to use security_context
2: removes apparmor annotations from top level values where found
3: removes non apparmor values from apparmor value overrides where found

End users can still use annotations by setting values appropriately.

Change-Id: I2c1a473e81d0904cbb1f96ee6ffb08b0d68e8651
This commit is contained in:
Ritchie, Frank (fr801x)
2025-06-05 15:12:30 -04:00
parent 3d085c4a62
commit 062261562f
57 changed files with 1452 additions and 917 deletions


@ -142,16 +142,6 @@ pod:
master: null
gateway: null
secrets: null
mandatory_access_control:
type: apparmor
elasticsearch-master:
elasticsearch-master: runtime/default
elasticsearch-data:
elasticsearch-data: runtime/default
elasticsearch-client:
elasticsearch-client: runtime/default
elasticsearch-gateway:
elasticsearch-gateway: runtime/default
security_context:
exporter:
pod:


@ -82,11 +82,6 @@ pod:
capabilities:
drop:
- ALL
mandatory_access_control:
type: apparmor
etcd:
init: runtime/default
etcd: runtime/default
probes:
etcd:
etcd:


@ -56,10 +56,6 @@ pod:
kubernetes_keystone_webhook:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
mandatory_access_control:
type: apparmor
kubernetes-keystone-webhook:
kubernetes-keystone-webhook: runtime/default
affinity:
anti:
type:


@ -0,0 +1,5 @@
---
features:
- |
Update apparmor values to use security_context instead of annotations.
...


@ -1,11 +1,19 @@
---
pod:
mandatory_access_control:
type: apparmor
barbican-api:
barbican-api: runtime/default
init: runtime/default
barbican-test:
init: runtime/default
barbican-test: runtime/default
security_context:
barbican:
container:
barbican_api:
appArmorProfile:
type: RuntimeDefault
test:
container:
barbican_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,25 +1,37 @@
---
pod:
mandatory_access_control:
type: apparmor
ceph-checkdns:
ceph-checkdns: runtime/default
init: runtime/default
ceph-mds:
ceph-mds: runtime/default
ceph-init-dirs: runtime/default
ceph-rbd-pool:
ceph-rbd-pool: runtime/default
init: runtime/default
ceph-client-bootstrap:
ceph-client-bootstrap: runtime/default
init: runtime/default
ceph-client-test:
init: runtime/default
ceph-cluster-helm-test: runtime/default
bootstrap:
enabled: true
manifests:
job_bootstrap: true
security_context:
checkdns:
container:
checkdns:
appArmorProfile:
type: RuntimeDefault
mds:
container:
mds:
appArmorProfile:
type: RuntimeDefault
init_dirs:
appArmorProfile:
type: RuntimeDefault
rbd_pool:
container:
rbd_pool:
appArmorProfile:
type: RuntimeDefault
bootstrap:
container:
bootstrap:
appArmorProfile:
type: RuntimeDefault
test:
container:
test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,39 +1,62 @@
---
pod:
mandatory_access_control:
type: apparmor
ceph-mon:
ceph-init-dirs: runtime/default
ceph-mon: runtime/default
ceph-log-ownership: runtime/default
ceph-mgr:
ceph-mgr: runtime/default
ceph-init-dirs: runtime/default
ceph-mon-check:
ceph-mon: runtime/default
init: runtime/default
ceph-bootstrap:
ceph-bootstrap: runtime/default
init: runtime/default
ceph-storage-keys-generator:
ceph-storage-keys-generator: runtime/default
init: runtime/default
ceph-mon-keyring-generator:
ceph-mon-keyring-generator: runtime/default
init: runtime/default
ceph-mgr-keyring-generator:
init: runtime/default
ceph-mgr-keyring-generator: runtime/default
ceph-mds-keyring-generator:
init: runtime/default
ceph-mds-keyring-generator: runtime/default
ceph-osd-keyring-generator:
ceph-osd-keyring-generator: runtime/default
init: runtime/default
ceph-mon-post-apply:
ceph-mon-post-apply: runtime/default
bootstrap:
enabled: true
manifests:
job_bootstrap: true
security_context:
mon:
container:
ceph_mon:
appArmorProfile:
type: RuntimeDefault
ceph_init_dirs:
appArmorProfile:
type: RuntimeDefault
ceph_log_ownership:
appArmorProfile:
type: RuntimeDefault
mgr:
container:
mgr:
appArmorProfile:
type: RuntimeDefault
init_dirs:
appArmorProfile:
type: RuntimeDefault
moncheck:
container:
ceph_mon:
appArmorProfile:
type: RuntimeDefault
bootstrap:
container:
ceph_bootstrap:
appArmorProfile:
type: RuntimeDefault
storage_keys_generator:
container:
ceph_storage_keys_generator:
appArmorProfile:
type: RuntimeDefault
ceph:
container:
ceph_mon_keyring_generator:
appArmorProfile:
type: RuntimeDefault
ceph_mgr_keyring_generator:
appArmorProfile:
type: RuntimeDefault
ceph_mds_keyring_generator:
appArmorProfile:
type: RuntimeDefault
ceph_osd_keyring_generator:
appArmorProfile:
type: RuntimeDefault
post_apply:
container:
ceph_mon_post_apply:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,22 +1,36 @@
---
pod:
mandatory_access_control:
type: apparmor
ceph-osd-default:
ceph-osd-default: runtime/default
log-runner: runtime/default
ceph-init-dirs: runtime/default
ceph-log-ownership: runtime/default
osd-init: runtime/default
init: runtime/default
ceph-osd-test:
init: runtime/default
ceph-cluster-helm-test: runtime/default
ceph-osd-post-apply:
ceph-osd-post-apply: runtime/default
init: runtime/default
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: OnDelete
security_context:
osd:
container:
osd_pod:
appArmorProfile:
type: RuntimeDefault
log_runner:
appArmorProfile:
type: RuntimeDefault
ceph_init_dirs:
appArmorProfile:
type: RuntimeDefault
ceph_log_ownership:
appArmorProfile:
type: RuntimeDefault
osd_init:
appArmorProfile:
type: RuntimeDefault
test:
container:
ceph_cluster_helm_test:
appArmorProfile:
type: RuntimeDefault
post_apply:
container:
ceph_osd_post_apply:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,31 +1,49 @@
---
pod:
mandatory_access_control:
type: apparmor
ceph-cephfs-client-key-generator:
ceph-storage-keys-generator: runtime/default
init: runtime/default
ceph-rbd-csi-provisioner:
ceph-rbd-provisioner: runtime/default
init: runtime/default
ceph-rbd-snapshotter: runtime/default
ceph-rbd-attacher: runtime/default
csi-resizer: runtime/default
csi-rbdplugin: runtime/default
ceph-provisioner-test:
init: runtime/default
ceph-provisioner-helm-test: runtime/default
ceph-osh-infra-config-test:
init: runtime/default
ceph-provisioner-helm-test: runtime/default
ceph-provisioners-ceph-ns-key-generator:
ceph-storage-keys-generator: runtime/default
init: runtime/default
ceph-rbd-plugin:
driver-registrar: runtime/default
csi-rbdplugin: runtime/default
init: runtime/default
deployment:
client_secrets: true
security_context:
cephfs_client_key_generator:
container:
ceph_storage_keys_generator:
appArmorProfile:
type: RuntimeDefault
provisioner:
container:
ceph_rbd_provisioner:
appArmorProfile:
type: RuntimeDefault
ceph_rbd_snapshotter:
appArmorProfile:
type: RuntimeDefault
ceph_rbd_attacher:
appArmorProfile:
type: RuntimeDefault
ceph_rbd_resizer:
appArmorProfile:
type: RuntimeDefault
ceph_rbd_cephcsi:
appArmorProfile:
type: RuntimeDefault
test:
container:
test:
appArmorProfile:
type: RuntimeDefault
client_key_generator:
container:
ceph_storage_keys_generator:
appArmorProfile:
type: RuntimeDefault
plugin:
container:
ceph_rbd_registrar:
appArmorProfile:
type: RuntimeDefault
ceph_csi_rbd_plugin:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,35 +1,52 @@
---
pod:
mandatory_access_control:
type: apparmor
ceph-rgw:
init: runtime/default
ceph-rgw: runtime/default
ceph-init-dirs: runtime/default
ceph-rgw-init: runtime/default
ceph-rgw-bootstrap:
ceph-keyring-placement: runtime/default
init: runtime/default
ceph-rgw-bootstrap: runtime/default
ceph-rgw-storage-init:
ceph-keyring-placement: runtime/default
init: runtime/default
ceph-rgw-storage-init: runtime/default
ceph-rgw-s3-admin:
ceph-keyring-placement: runtime/default
init: runtime/default
create-s3-admin: runtime/default
ceph-rgw-pool:
ceph-rgw-pool: runtime/default
init: runtime/default
ceph-rgw-test:
ceph-rgw-ks-validation: runtime/default
ceph-rgw-s3-validation: runtime/default
conf:
rgw_s3:
enabled: true
bootstrap:
enabled: true
manifests:
job_bootstrap: true
security_context:
rgw:
container:
rgw:
appArmorProfile:
type: RuntimeDefault
init_dirs:
appArmorProfile:
type: RuntimeDefault
rgw_init:
appArmorProfile:
type: RuntimeDefault
bootstrap:
container:
bootstrap:
appArmorProfile:
type: RuntimeDefault
keyring_placement:
appArmorProfile:
type: RuntimeDefault
rgw_storage_init:
container:
rgw_storage_init:
appArmorProfile:
type: RuntimeDefault
keyring_placement:
appArmorProfile:
type: RuntimeDefault
rgw_s3_admin:
container:
create_s3_admin:
appArmorProfile:
type: RuntimeDefault
keyring_placement:
appArmorProfile:
type: RuntimeDefault
rgw_pool:
container:
rgw_pool:
appArmorProfile:
type: RuntimeDefault
rgw_test:
container:
ceph_rgw_ks_validation:
appArmorProfile:
type: RuntimeDefault
ceph_rgw_s3_validation:
appArmorProfile:
type: RuntimeDefault
...
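Review bot: The `init: runtime/default` entries removed under ceph-rgw, ceph-rgw-bootstrap, ceph-rgw-storage-init, ceph-rgw-s3-admin and ceph-rgw-pool have no counterpart in the new security_context block, so in this override the init containers of those pods are left without an AppArmor profile. Every other override in this change that dropped an `init` entry adds a `kubernetes_entrypoint` block in its place; presumably the same mapping applies to the rgw chart and was missed here. Adding the block below after `rgw_test` keeps this file consistent with the rest of the change, assuming the chart's entrypoint container key is `kubernetes_entrypoint` as elsewhere.
```yaml
# … unchanged: rgw … rgw_test entries …
    kubernetes_entrypoint:
      container:
        kubernetes_entrypoint:
          appArmorProfile:
            type: RuntimeDefault
```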


@ -1,35 +1,59 @@
---
pod:
mandatory_access_control:
type: apparmor
cinder-api:
cinder-api: runtime/default
ceph-coordination-volume-perms: runtime/default
init: runtime/default
cinder-backup:
cinder-backup: runtime/default
ceph-coordination-volume-perms: runtime/default
init: runtime/default
cinder-scheduler:
cinder-scheduler: runtime/default
ceph-coordination-volume-perms: runtime/default
init: runtime/default
cinder-volume:
cinder-volume: runtime/default
ceph-coordination-volume-perms: runtime/default
init-cinder-conf: runtime/default
init: runtime/default
cinder-backup-storage-init:
cinder-backup-storage-init: runtime/default
init: runtime/default
cinder-test:
init: runtime/default
cinder-test: runtime/default
cinder-test-ks-user: runtime/default
cinder-create-internal-tenant:
init: runtime/default
create-internal-tenant: runtime/default
cinder-volume-usage-audit:
cinder-volume-usage-audit: runtime/default
init: runtime/default
security_context:
cinder_api:
container:
cinder_api:
appArmorProfile:
type: RuntimeDefault
ceph_coordination_volume_perms:
appArmorProfile:
type: RuntimeDefault
cinder_backup:
container:
cinder_backup:
appArmorProfile:
type: RuntimeDefault
ceph_coordination_volume_perms:
appArmorProfile:
type: RuntimeDefault
cinder_scheduler:
container:
cinder_scheduler:
appArmorProfile:
type: RuntimeDefault
ceph_coordination_volume_perms:
appArmorProfile:
type: RuntimeDefault
cinder_volume:
container:
cinder_volume:
appArmorProfile:
type: RuntimeDefault
ceph_coordination_volume_perms:
appArmorProfile:
type: RuntimeDefault
init_cinder_conf:
appArmorProfile:
type: RuntimeDefault
storage_init:
container:
cinder_backup_storage_init:
appArmorProfile:
type: RuntimeDefault
create_internal_tenant:
container:
create_internal_tenant:
appArmorProfile:
type: RuntimeDefault
volume_usage_audit:
container:
cinder_volume_usage_audit:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
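Review bot: The `cinder-test` pod (containers `cinder-test` and `cinder-test-ks-user` in the removed annotation block) has no `test` entry in the new security_context block, so the Helm test pod loses its AppArmor profile in this override while every other pod in the file keeps one. The glance and keystone overrides in this change carry their test pod over as `test.container.<chart>_test` / `<chart>_test_ks_user`, so the omission here looks accidental rather than intended. The key names in the block below are inferred from that pattern and need to be checked against the cinder chart's templates before merging.
```yaml
# … unchanged: cinder_api … volume_usage_audit entries …
    test:  # key names inferred from the glance/keystone overrides; confirm against the chart
      container:
        cinder_test:
          appArmorProfile:
            type: RuntimeDefault
        cinder_test_ks_user:
          appArmorProfile:
            type: RuntimeDefault
```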


@ -1,7 +1,9 @@
---
pod:
mandatory_access_control:
type: apparmor
daemonjob-controller:
controller: runtime/default
security_context:
daemonjob_controller:
container:
controller:
appArmorProfile:
type: RuntimeDefault
...


@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
elastic-apm-server:
init: runtime/default
elastic-apm-server: runtime/default
security_context:
elastic_apm_server:
container:
elastic_apm_server:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
security_context:
filebeat:
filebeat: runtime/default
init: runtime/default
container:
filebeat:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,34 +1,62 @@
---
pod:
env:
client: null
data: null
master: null
mandatory_access_control:
type: apparmor
elasticsearch-master:
elasticsearch-master: runtime/default
init: runtime/default
memory-map-increase: runtime/default
elasticsearch-data:
elasticsearch-data: runtime/default
init: runtime/default
memory-map-increase: runtime/default
elasticsearch-client:
elasticsearch-client: runtime/default
init: runtime/default
memory-map-increase: runtime/default
apache-proxy: runtime/default
prometheus-elasticsearch-exporter:
elasticsearch-exporter: runtime/default
init: runtime/default
elasticsearch-test:
init: runtime/default
elasticsearch-helm-tests: runtime/default
create-elasticsearch-templates:
create-elasticsearch-templates: runtime/default
init: runtime/default
elasticsearch-verify-repositories:
elasticsearch-verify-repositories: runtime/default
init: runtime/default
security_context:
master:
container:
elasticsearch_master:
appArmorProfile:
type: RuntimeDefault
elasticsearch_perms:
appArmorProfile:
type: RuntimeDefault
memory_map_increase:
appArmorProfile:
type: RuntimeDefault
data:
container:
elasticsearch_data:
appArmorProfile:
type: RuntimeDefault
elasticsearch_perms:
appArmorProfile:
type: RuntimeDefault
memory_map_increase:
appArmorProfile:
type: RuntimeDefault
client:
container:
elasticsearch_client:
appArmorProfile:
type: RuntimeDefault
memory_map_increase:
appArmorProfile:
type: RuntimeDefault
apache_proxy:
appArmorProfile:
type: RuntimeDefault
exporter:
container:
elasticsearch_exporter:
appArmorProfile:
type: RuntimeDefault
test:
container:
helm_tests:
appArmorProfile:
type: RuntimeDefault
create_template:
container:
create_elasticsearch_template:
appArmorProfile:
type: RuntimeDefault
verify_repositories:
container:
elasticsearch_verify_repositories:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
security_context:
fluentd:
fluentd: runtime/default
init: runtime/default
container:
fluentd:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,22 +1,38 @@
---
pod:
mandatory_access_control:
type: apparmor
glance-api:
glance-api: runtime/default
glance-perms: runtime/default
init: runtime/default
nginx: runtime/default
glance-metadefs-load:
init: runtime/default
glance-metadefs-load: runtime/default
glance-storage-init:
init: runtime/default
glance-storage-init: runtime/default
glance-test:
init: runtime/default
glance-test: runtime/default
glance-test-ks-user: runtime/default
manifests:
certificates: true
security_context:
glance:
container:
glance_api:
appArmorProfile:
type: RuntimeDefault
glance_perms:
appArmorProfile:
type: RuntimeDefault
nginx:
appArmorProfile:
type: RuntimeDefault
metadefs_load:
container:
glance_metadefs_load:
appArmorProfile:
type: RuntimeDefault
storage_init:
container:
glance_storage_init:
appArmorProfile:
type: RuntimeDefault
test:
container:
glance_test_ks_user:
appArmorProfile:
type: RuntimeDefault
glance_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,27 +1,45 @@
---
pod:
mandatory_access_control:
type: apparmor
grafana:
grafana: runtime/default
init: runtime/default
grafana-db-init-session:
grafana-db-init-session: runtime/default
init: runtime/default
grafana-db-init:
grafana-db-init: runtime/default
init: runtime/default
grafana-db-session-sync:
grafana-db-session-sync: runtime/default
init: runtime/default
grafana-set-admin-user:
grafana-set-admin-password: runtime/default
init: runtime/default
grafana-run-migrator:
grafana-run-migrator: runtime/default
prepare-grafana-migrator: runtime/default
init: runtime/default
grafana-test:
init: runtime/default
grafana-selenium-tests: runtime/default
security_context:
dashboard:
container:
grafana:
appArmorProfile:
type: RuntimeDefault
db_init:
container:
grafana_db_init_session:
appArmorProfile:
type: RuntimeDefault
grafana_db_init:
appArmorProfile:
type: RuntimeDefault
db_session_sync:
container:
grafana_db_session_sync:
appArmorProfile:
type: RuntimeDefault
set_admin_user:
container:
grafana_set_admin_password:
appArmorProfile:
type: RuntimeDefault
run_migrator:
container:
grafana_run_migrator:
appArmorProfile:
type: RuntimeDefault
prepare_grafana_migrator:
appArmorProfile:
type: RuntimeDefault
test:
container:
helm_tests:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,26 +1,35 @@
---
pod:
mandatory_access_control:
type: apparmor
heat-api:
heat-api: runtime/default
init: runtime/default
heat-cfn:
heat-cfn: runtime/default
init: runtime/default
heat-engine:
heat-engine: runtime/default
init: runtime/default
heat-engine-cleaner:
heat-engine-cleaner: runtime/default
init: runtime/default
heat-domain-ks-user:
heat-ks-domain-user: runtime/default
init: runtime/default
heat-trusts:
heat-trusts: runtime/default
init: runtime/default
heat-purge-deleted:
heat-purge-deleted: runtime/default
init: runtime/default
security_context:
heat:
container:
heat_api:
appArmorProfile:
type: RuntimeDefault
heat_cfn:
appArmorProfile:
type: RuntimeDefault
heat_engine:
appArmorProfile:
type: RuntimeDefault
engine_cleaner:
container:
heat_engine_cleaner:
appArmorProfile:
type: RuntimeDefault
ks_user:
container:
heat_ks_domain_user:
appArmorProfile:
type: RuntimeDefault
trusts:
container:
heat_trusts:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
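Review bot: The `heat-purge-deleted` pod (containers `heat-purge-deleted` and `init` in the removed block) has no counterpart in the new security_context block, so the purge-deleted cron job loses its AppArmor profile in this override; the `init` side is covered by `kubernetes_entrypoint`, but the main container is not. The second heat override later in this commit (the hunk under the top-level `heat:` key) drops the same entry and needs the same fix. The key names below follow the `engine_cleaner` / `ks_user` pattern used in this file and must be confirmed against the heat chart's templates.
```yaml
# … unchanged: heat … trusts entries …
    purge_deleted:  # key names inferred from the engine_cleaner/ks_user pattern; confirm against the chart
      container:
        heat_purge_deleted:
          appArmorProfile:
            type: RuntimeDefault
# … unchanged: kubernetes_entrypoint entry …
```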


@ -1,14 +1,24 @@
---
pod:
mandatory_access_control:
type: apparmor
security_context:
horizon:
horizon: runtime/default
init: runtime/default
horizon-db-sync:
horizon-db-sync: runtime/default
init: runtime/default
horizon-test:
init: runtime/default
horizon-test: runtime/default
container:
horizon:
appArmorProfile:
type: RuntimeDefault
db_sync:
container:
horizon_db_sync:
appArmorProfile:
type: RuntimeDefault
test:
container:
horizon_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,20 +1,40 @@
---
pod:
mandatory_access_control:
type: apparmor
keystone-api:
keystone-api: runtime/default
keystone-credential-setup:
keystone-credential-setup: runtime/default
keystone-fernet-setup:
keystone-fernet-setup: runtime/default
keystone-credential-cleanup:
keystone-credential-cleanup: runtime/default
keystone-domain-manage:
keystone-domain-manage: runtime/default
keystone-domain-manage-init: runtime/default
keystone-test:
init: runtime/default
keystone-test: runtime/default
keystone-test-ks-user: runtime/default
security_context:
keystone:
container:
keystone_api:
appArmorProfile:
type: RuntimeDefault
credential_setup:
container:
keystone_credential_setup:
appArmorProfile:
type: RuntimeDefault
fernet_setup:
container:
keystone_fernet_setup:
appArmorProfile:
type: RuntimeDefault
domain_manage:
container:
keystone_domain_manage:
appArmorProfile:
type: RuntimeDefault
keystone_domain_manage_init:
appArmorProfile:
type: RuntimeDefault
test:
container:
keystone_test:
appArmorProfile:
type: RuntimeDefault
keystone_test_ks_user:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
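Review bot: The `keystone-credential-cleanup` pod in the removed annotation block has no counterpart in the new security_context block, so the credential-cleanup job loses its AppArmor profile in this override while `credential_setup` and `fernet_setup` keep theirs. The second keystone override at the end of this page also carries the old `keystone-credential-cleanup` entry, but that hunk is cut off here so its new side cannot be checked. The key names below mirror the `credential_setup` entry and need to be confirmed against the keystone chart's templates.
```yaml
# … unchanged: keystone … fernet_setup entries …
    credential_cleanup:  # key names inferred from the credential_setup entry; confirm against the chart
      container:
        keystone_credential_cleanup:
          appArmorProfile:
            type: RuntimeDefault
# … unchanged: domain_manage … kubernetes_entrypoint entries …
```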


@ -1,15 +1,27 @@
---
pod:
mandatory_access_control:
type: apparmor
kibana:
kibana: runtime/default
init: runtime/default
apache-proxy: runtime/default
register-kibana-indexes:
register-kibana-indexes: runtime/default
init: runtime/default
flush-kibana-metadata:
flush-kibana-metadata: runtime/default
init: runtime/default
security_context:
dashboard:
container:
kibana:
appArmorProfile:
type: RuntimeDefault
apache_proxy:
appArmorProfile:
type: RuntimeDefault
register_kibana_indexes:
container:
register_kibana_indexes:
appArmorProfile:
type: RuntimeDefault
flush_kibana_metadata:
container:
flush_kibana_metadata:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
node-problem-detector:
node-problem-detector: runtime/default
init: runtime/default
security_context:
node_problem_detector:
container:
node_problem_detector:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,7 +1,9 @@
---
pod:
mandatory_access_control:
type: apparmor
libvirt-libvirt-default:
libvirt: runtime/default
security_context:
libvirt:
container:
libvirt:
appArmorProfile:
type: RuntimeDefault
...


@ -1,11 +1,19 @@
---
pod:
mandatory_access_control:
type: apparmor
manila-api:
manila-api: runtime/default
init: runtime/default
manila-test:
init: runtime/default
manila-test: runtime/default
security_context:
manila:
container:
manila_api:
appArmorProfile:
type: RuntimeDefault
test:
container:
manila_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,15 +1,20 @@
---
pod:
mandatory_access_control:
type: apparmor
mariadb-backup:
init: runtime/default
mariadb-backup: runtime/default
mariadb-verify-server: runtime/default
create-sql-user:
init: runtime/default
exporter-create-sql-user: runtime/default
manifests:
cron_job_mariadb_backup: true
security_context:
mariadb_backup:
container:
mariadb_backup:
appArmorProfile:
type: RuntimeDefault
verify_perms:
appArmorProfile:
type: RuntimeDefault
backup_perms:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
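Review bot: The `create-sql-user` pod (container `exporter-create-sql-user` in the removed annotation block) has no counterpart in the new security_context block, so the exporter's SQL-user job loses its AppArmor profile in this override. If that job's container is meant to stay confined, add a security_context entry for it using the key names the mariadb-backup chart's templates expect; if dropping it is intended, the commit description should say so, since it currently only claims to move values rather than remove coverage. The same `exporter-create-sql-user` entry is also dropped in the mariadb override later in this commit.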


@ -1,21 +1,30 @@
---
pod:
mandatory_access_control:
type: apparmor
mariadb-server:
init-0: runtime/default
agent: runtime/default
init: runtime/default
metrics: runtime/default
mariadb: runtime/default
mariadb-test:
init: runtime/default
mariadb-test: runtime/default
refresh-statefulset:
init: runtime/default
mariadb-refresh-statefulset: runtime/default
monitoring:
prometheus:
enabled: true
security_context:
server:
container:
mariadb:
appArmorProfile:
type: RuntimeDefault
agent:
appArmorProfile:
type: RuntimeDefault
perms:
appArmorProfile:
type: RuntimeDefault
tests:
container:
test:
appArmorProfile:
type: RuntimeDefault
mariadb_cluster_refresh_statefulset:
container:
main:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
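Review bot: The `metrics` container of `mariadb-server` in the removed annotation block has no counterpart under `server.container` in the new security_context block (only `mariadb`, `agent` and `perms` are listed), so the metrics sidecar loses its AppArmor profile while `monitoring.prometheus.enabled: true` is kept in this same file. The mariadb override later in this commit lists an `exporter` container under `server.container` for the equivalent sidecar, so the key name here is probably `metrics` or `exporter` depending on the mariadb-cluster chart's templates. Add `metrics:` / `appArmorProfile:` / `type: RuntimeDefault` under `server.container` with whichever key the chart uses.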


@ -1,36 +1,36 @@
---
pod:
mandatory_access_control:
type: apparmor
mariadb-ingress-error-pages:
init: runtime/default
ingress-error-pages: runtime/default
mariadb-ingress:
init: runtime/default
ingress: runtime/default
mariadb-server:
init: runtime/default
mariadb-perms: runtime/default
mariadb: runtime/default
mariadb-backup:
init: runtime/default
mariadb-backup: runtime/default
mariadb-verify-server: runtime/default
mariadb-test:
init: runtime/default
mariadb-test: runtime/default
prometheus-mysql-exporter:
init: runtime/default
mysql-exporter: runtime/default
create-sql-user:
init: runtime/default
exporter-create-sql-user: runtime/default
monitoring:
prometheus:
enabled: true
manifests:
cron_job_mariadb_backup: true
job_ks_user: false
security_context:
server:
container:
mariadb:
appArmorProfile:
type: RuntimeDefault
exporter:
appArmorProfile:
type: RuntimeDefault
perms:
appArmorProfile:
type: RuntimeDefault
mariadb_backup:
container:
mariadb_backup:
appArmorProfile:
type: RuntimeDefault
verify_perms:
appArmorProfile:
type: RuntimeDefault
backup_perms:
appArmorProfile:
type: RuntimeDefault
tests:
container:
test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
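Review bot: The `mariadb-ingress-error-pages` and `mariadb-ingress` pods (containers `ingress-error-pages`, `ingress` and their `init` containers in the removed annotation block) have no counterpart in the new security_context block, so the ingress deployments lose their AppArmor profile in this override. The `create-sql-user` pod's `exporter-create-sql-user` container and the `prometheus-mysql-exporter` pod's `mysql-exporter` container are likewise dropped; the new `server.container.exporter` entry may cover the latter, but that cannot be confirmed from this hunk. Add security_context entries for the ingress and create-sql-user containers using the key names the mariadb chart's templates expect, or state in the commit description that those workloads are intentionally no longer confined.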


@ -1,15 +1,17 @@
---
pod:
mandatory_access_control:
type: apparmor
prometheus_memcached_exporter:
init: runtime/default
memcached-exporter: runtime/default
memcached:
init: runtime/default
memcached: runtime/default
monitoring:
prometheus:
enabled: false
security_context:
server:
container:
memcached:
appArmorProfile:
type: RuntimeDefault
memcached_exporter:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,7 +1,9 @@
---
pod:
mandatory_access_control:
type: apparmor
security_context:
metacontroller:
metacontroller: runtime/default
container:
metacontroller:
appArmorProfile:
type: RuntimeDefault
...


@ -1,13 +1,23 @@
---
pod:
mandatory_access_control:
type: apparmor
nagios:
nagios: runtime/default
init: runtime/default
define-nagios-hosts: runtime/default
apache-proxy: runtime/default
nagios-test:
init: runtime/default
nagios-helm-tests: runtime/default
security_context:
monitoring:
container:
nagios:
appArmorProfile:
type: RuntimeDefault
define_nagios_hosts:
appArmorProfile:
type: RuntimeDefault
apache_proxy:
appArmorProfile:
type: RuntimeDefault
helm_tests:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,44 +1,81 @@
---
pod:
mandatory_access_control:
type: apparmor
neutron-dhcp-agent-default:
neutron-dhcp-agent: runtime/default
neutron-dhcp-agent-init: runtime/default
init: runtime/default
neutron-l3-agent-default:
neutron-l3-agent: runtime/default
neutron-l3-agent-init: runtime/default
init: runtime/default
neutron-lb-agent-default:
neutron-lb-agent-default: runtime/default
neutron-metadata-agent-default:
neutron-metadata-agent: runtime/default
neutron-metadata-agent-init: runtime/default
init: runtime/default
neutron-ovs-agent-default:
neutron-ovs-agent: runtime/default
neutron-openvswitch-agent-kernel-modules: runtime/default
neutron-ovs-agent-init: runtime/default
init: runtime/default
neutron-sriov-agent-default:
neutron-sriov-agent: runtime/default
neutron-sriov-agent-init: runtime/default
init: runtime/default
neutron-netns-cleanup-cron-default:
neutron-netns-cleanup-cron: runtime/default
init: runtime/default
neutron-server:
neutron-server: runtime/default
init: runtime/default
nginx: runtime/default
neutron-rpc-server:
neutron-rpc_server: runtime/default
init: runtime/default
neutron-test:
init: runtime/default
neutron-test: runtime/default
neutron-test-ks-user: runtime/default
manifests:
certificates: true
security_context:
neutron_dhcp_agent:
container:
neutron_dhcp_agent:
appArmorProfile:
type: RuntimeDefault
neutron_dhcp_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_l3_agent:
container:
neutron_l3_agent:
appArmorProfile:
type: RuntimeDefault
neutron_l3_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent:
container:
neutron_lb_agent:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent_kernel_modules:
appArmorProfile:
type: RuntimeDefault
neutron_metadata_agent:
container:
neutron_metadata_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_ovs_agent:
container:
neutron_ovs_agent:
appArmorProfile:
type: RuntimeDefault
neutron_openvswitch_agent_kernel_modules:
appArmorProfile:
type: RuntimeDefault
neutron_ovs_agent_init:
appArmorProfile:
type: RuntimeDefault
netoffload:
appArmorProfile:
type: RuntimeDefault
neutron_sriov_agent:
container:
neutron_sriov_agent:
appArmorProfile:
type: RuntimeDefault
neutron_sriov_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_netns_cleanup_cron:
container:
neutron_netns_cleanup_cron:
appArmorProfile:
type: RuntimeDefault
neutron_server:
container:
neutron_server:
appArmorProfile:
type: RuntimeDefault
nginx:
appArmorProfile:
type: RuntimeDefault
neutron_rpc_server:
container:
neutron_rpc_server:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
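Review bot: The main `neutron-metadata-agent` container from the removed block has no entry under the new `neutron_metadata_agent.container` key, which lists only `neutron_metadata_agent_init`, so the metadata agent itself runs without an AppArmor profile in this override while every other agent keeps both its main and init containers. Add `neutron_metadata_agent:` / `appArmorProfile:` / `type: RuntimeDefault` under `neutron_metadata_agent.container`, following the `neutron_dhcp_agent` entry in the same block. The `neutron-test` pod (`neutron-test`, `neutron-test-ks-user`) is also dropped with no `test` entry in the new block, unlike the glance and keystone overrides in this change.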


@ -1,36 +1,52 @@
---
pod:
mandatory_access_control:
type: apparmor
nova-compute-default:
nova-compute: runtime/default
init: runtime/default
nova-compute-init: runtime/default
nova-compute-vnc-init: runtime/default
nova-api-metadata:
nova-api-metadata-init: runtime/default
nova-api: runtime/default
init: runtime/default
nova-api-osapi:
nova-osapi: runtime/default
init: runtime/default
nova-conductor:
nova-conductor: runtime/default
init: runtime/default
nova-novncproxy:
nova-novncproxy: runtime/default
nova-novncproxy-init-assets: runtime/default
nova-novncproxy-init: runtime/default
init: runtime/default
nova-scheduler:
nova-scheduler: runtime/default
init: runtime/default
nova-cell-setup:
nova-cell-setup: runtime/default
nova-cell-setup-init: runtime/default
init: runtime/default
nova-test:
init: runtime/default
nova-test: runtime/default
nova-test-ks-user: runtime/default
security_context:
nova:
container:
nova_compute:
appArmorProfile:
type: RuntimeDefault
nova_compute_init:
appArmorProfile:
type: RuntimeDefault
nova_compute_vnc_init:
appArmorProfile:
type: RuntimeDefault
nova_api:
appArmorProfile:
type: RuntimeDefault
nova_api_metadata_init:
appArmorProfile:
type: RuntimeDefault
nova_osapi:
appArmorProfile:
type: RuntimeDefault
nova_conductor:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy_init_assets:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy_init:
appArmorProfile:
type: RuntimeDefault
nova_scheduler:
appArmorProfile:
type: RuntimeDefault
nova_cell_setup:
container:
nova_cell_setup:
appArmorProfile:
type: RuntimeDefault
nova_cell_setup_init:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
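Review bot: The `nova-test` pod (containers `nova-test` and `nova-test-ks-user` in the removed annotation block) has no `test` entry in the new security_context block, so the Helm test pod loses its AppArmor profile in this override while the glance and keystone overrides in this change carry theirs over. The block below follows the `test.container.<chart>_test` / `<chart>_test_ks_user` shape used in those files; the key names are inferred from that pattern and must be checked against the nova chart's templates before merging.
```yaml
# … unchanged: nova … nova_cell_setup entries …
    test:  # key names inferred from the glance/keystone overrides; confirm against the chart
      container:
        nova_test:
          appArmorProfile:
            type: RuntimeDefault
        nova_test_ks_user:
          appArmorProfile:
            type: RuntimeDefault
# … unchanged: kubernetes_entrypoint entry …
```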


@ -1,23 +1,38 @@
---
glance:
pod:
mandatory_access_control:
type: apparmor
glance-api:
glance-api: runtime/default
glance-perms: runtime/default
init: runtime/default
nginx: runtime/default
glance-metadefs-load:
init: runtime/default
glance-metadefs-load: runtime/default
glance-storage-init:
init: runtime/default
glance-storage-init: runtime/default
glance-test:
init: runtime/default
glance-test: runtime/default
glance-test-ks-user: runtime/default
manifests:
certificates: true
pod:
security_context:
glance:
container:
glance_api:
appArmorProfile:
type: RuntimeDefault
glance_perms:
appArmorProfile:
type: RuntimeDefault
nginx:
appArmorProfile:
type: RuntimeDefault
metadefs_load:
container:
glance_metadefs_load:
appArmorProfile:
type: RuntimeDefault
storage_init:
container:
glance_storage_init:
appArmorProfile:
type: RuntimeDefault
test:
container:
glance_test_ks_user:
appArmorProfile:
type: RuntimeDefault
glance_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...


@ -1,27 +1,35 @@
---
heat:
pod:
mandatory_access_control:
type: apparmor
heat-api:
heat-api: runtime/default
init: runtime/default
heat-cfn:
heat-cfn: runtime/default
init: runtime/default
heat-engine:
heat-engine: runtime/default
init: runtime/default
heat-engine-cleaner:
heat-engine-cleaner: runtime/default
init: runtime/default
heat-domain-ks-user:
heat-ks-domain-user: runtime/default
init: runtime/default
heat-trusts:
heat-trusts: runtime/default
init: runtime/default
heat-purge-deleted:
heat-purge-deleted: runtime/default
init: runtime/default
pod:
security_context:
heat:
container:
heat_api:
appArmorProfile:
type: RuntimeDefault
heat_cfn:
appArmorProfile:
type: RuntimeDefault
heat_engine:
appArmorProfile:
type: RuntimeDefault
engine_cleaner:
container:
heat_engine_cleaner:
appArmorProfile:
type: RuntimeDefault
ks_user:
container:
heat_ks_domain_user:
appArmorProfile:
type: RuntimeDefault
trusts:
container:
heat_trusts:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
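Review bot: `heat_purge_deleted` gets no `security_context` entry on the new side, although the removed block confined `heat-purge-deleted` with `runtime/default`, so after this change that cron-job container runs without an AppArmor profile and nothing fails loudly to say so. The fix is an extra block beside `trusts`, shown below with key names following the chart's convention (confirm them against the chart's values.yaml and the cron-job template). The same silent drop appears elsewhere in this commit: keystone loses `keystone-credential-cleanup`, neutron loses the main `neutron-metadata-agent` container (only `neutron_metadata_agent_init` is mapped) plus its `neutron-test`/`neutron-test-ks-user` containers, nova loses `nova-test`/`nova-test-ks-user`, the wrapped placement override loses `placement-mysql-migration`, and the wrapped mariadb override loses both ingress containers and `exporter-create-sql-user`. A per-file comparison of removed `runtime/default` keys against added `appArmorProfile` keys would catch these before merge.
```yaml
# … unchanged: heat / engine_cleaner / ks_user entries …
    trusts:
      container:
        heat_trusts:
          appArmorProfile:
            type: RuntimeDefault
    purge_deleted:  # key names assumed from chart convention — confirm
      container:
        heat_purge_deleted:
          appArmorProfile:
            type: RuntimeDefault
# … unchanged: kubernetes_entrypoint entry …
```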

@ -1,15 +1,24 @@
---
horizon:
pod:
mandatory_access_control:
type: apparmor
horizon:
horizon: runtime/default
init: runtime/default
horizon-db-sync:
horizon-db-sync: runtime/default
init: runtime/default
horizon-test:
init: runtime/default
horizon-test: runtime/default
pod:
security_context:
horizon:
container:
horizon:
appArmorProfile:
type: RuntimeDefault
db_sync:
container:
horizon_db_sync:
appArmorProfile:
type: RuntimeDefault
test:
container:
horizon_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,21 +1,40 @@
---
keystone:
pod:
mandatory_access_control:
type: apparmor
keystone-api:
keystone-api: runtime/default
keystone-credential-setup:
keystone-credential-setup: runtime/default
keystone-fernet-setup:
keystone-fernet-setup: runtime/default
keystone-credential-cleanup:
keystone-credential-cleanup: runtime/default
keystone-domain-manage:
keystone-domain-manage: runtime/default
keystone-domain-manage-init: runtime/default
keystone-test:
init: runtime/default
keystone-test: runtime/default
keystone-test-ks-user: runtime/default
pod:
security_context:
keystone:
container:
keystone_api:
appArmorProfile:
type: RuntimeDefault
credential_setup:
container:
keystone_credential_setup:
appArmorProfile:
type: RuntimeDefault
fernet_setup:
container:
keystone_fernet_setup:
appArmorProfile:
type: RuntimeDefault
domain_manage:
container:
keystone_domain_manage:
appArmorProfile:
type: RuntimeDefault
keystone_domain_manage_init:
appArmorProfile:
type: RuntimeDefault
test:
container:
keystone_test:
appArmorProfile:
type: RuntimeDefault
keystone_test_ks_user:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,8 +1,9 @@
---
libvirt:
pod:
mandatory_access_control:
type: apparmor
libvirt-libvirt-default:
libvirt: runtime/default
pod:
security_context:
libvirt:
container:
libvirt:
appArmorProfile:
type: RuntimeDefault
...

@ -1,35 +1,36 @@
---
mariadb:
pod:
mandatory_access_control:
type: apparmor
mariadb-ingress-error-pages:
init: runtime/default
ingress-error-pages: runtime/default
mariadb-ingress:
init: runtime/default
ingress: runtime/default
mariadb-server:
init: runtime/default
mariadb-perms: runtime/default
mariadb: runtime/default
mariadb-backup:
init: runtime/default
mariadb-backup: runtime/default
mariadb-test:
init: runtime/default
mariadb-test: runtime/default
prometheus-mysql-exporter:
init: runtime/default
mysql-exporter: runtime/default
create-sql-user:
init: runtime/default
exporter-create-sql-user: runtime/default
monitoring:
prometheus:
enabled: true
manifests:
cron_job_mariadb_backup: true
pod:
security_context:
server:
container:
mariadb:
appArmorProfile:
type: RuntimeDefault
exporter:
appArmorProfile:
type: RuntimeDefault
perms:
appArmorProfile:
type: RuntimeDefault
mariadb_backup:
container:
mariadb_backup:
appArmorProfile:
type: RuntimeDefault
verify_perms:
appArmorProfile:
type: RuntimeDefault
backup_perms:
appArmorProfile:
type: RuntimeDefault
tests:
container:
test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...
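Review bot: `manifests.cron_job_mariadb_backup: true` is removed while new `mariadb_backup` profile entries are added; if the chart's default for that flag is false, the backup cron job is not rendered under this override and the added entries are never exercised by whatever job applies this file. The same pattern applies to the wrapped placement override (drops `manifests.job_db_migrate: true`) and the wrapped rabbitmq override (drops `monitoring.prometheus.enabled: true` while keeping the `exporter` profile). Either keep those toggles in the override or confirm the chart defaults enable the workloads, so the AppArmor coverage is actually validated rather than only declared.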

@ -1,16 +1,17 @@
---
memcached:
pod:
mandatory_access_control:
type: apparmor
prometheus_memcached_exporter:
init: runtime/default
memcached-exporter: runtime/default
memcached:
init: runtime/default
memcached: runtime/default
monitoring:
prometheus:
enabled: false
pod:
security_context:
server:
container:
memcached:
appArmorProfile:
type: RuntimeDefault
memcached_exporter:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,42 +1,81 @@
---
neutron:
pod:
mandatory_access_control:
type: apparmor
neutron-dhcp-agent-default:
neutron-dhcp-agent: runtime/default
neutron-dhcp-agent-init: runtime/default
init: runtime/default
neutron-l3-agent-default:
neutron-l3-agent: runtime/default
neutron-l3-agent-init: runtime/default
init: runtime/default
neutron-lb-agent-default:
neutron-lb-agent-default: runtime/default
neutron-metadata-agent-default:
neutron-metadata-agent: runtime/default
neutron-metadata-agent-init: runtime/default
init: runtime/default
neutron-ovs-agent-default:
neutron-ovs-agent: runtime/default
neutron-openvswitch-agent-kernel-modules: runtime/default
neutron-ovs-agent-init: runtime/default
init: runtime/default
neutron-sriov-agent-default:
neutron-sriov-agent: runtime/default
neutron-sriov-agent-init: runtime/default
init: runtime/default
neutron-netns-cleanup-cron-default:
neutron-netns-cleanup-cron: runtime/default
init: runtime/default
neutron-server:
neutron-server: runtime/default
init: runtime/default
nginx: runtime/default
neutron-test:
init: runtime/default
neutron-test: runtime/default
neutron-test-ks-user: runtime/default
manifests:
certificates: true
pod:
security_context:
neutron_dhcp_agent:
container:
neutron_dhcp_agent:
appArmorProfile:
type: RuntimeDefault
neutron_dhcp_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_l3_agent:
container:
neutron_l3_agent:
appArmorProfile:
type: RuntimeDefault
neutron_l3_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent:
container:
neutron_lb_agent:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_lb_agent_kernel_modules:
appArmorProfile:
type: RuntimeDefault
neutron_metadata_agent:
container:
neutron_metadata_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_ovs_agent:
container:
neutron_ovs_agent:
appArmorProfile:
type: RuntimeDefault
neutron_openvswitch_agent_kernel_modules:
appArmorProfile:
type: RuntimeDefault
neutron_ovs_agent_init:
appArmorProfile:
type: RuntimeDefault
netoffload:
appArmorProfile:
type: RuntimeDefault
neutron_sriov_agent:
container:
neutron_sriov_agent:
appArmorProfile:
type: RuntimeDefault
neutron_sriov_agent_init:
appArmorProfile:
type: RuntimeDefault
neutron_netns_cleanup_cron:
container:
neutron_netns_cleanup_cron:
appArmorProfile:
type: RuntimeDefault
neutron_server:
container:
neutron_server:
appArmorProfile:
type: RuntimeDefault
nginx:
appArmorProfile:
type: RuntimeDefault
neutron_rpc_server:
container:
neutron_rpc_server:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,37 +1,52 @@
---
nova:
pod:
mandatory_access_control:
type: apparmor
nova-compute-default:
nova-compute: runtime/default
init: runtime/default
nova-compute-init: runtime/default
nova-compute-vnc-init: runtime/default
nova-api-metadata:
nova-api-metadata-init: runtime/default
nova-api: runtime/default
init: runtime/default
nova-api-osapi:
nova-osapi: runtime/default
init: runtime/default
nova-conductor:
nova-conductor: runtime/default
init: runtime/default
nova-novncproxy:
nova-novncproxy: runtime/default
nova-novncproxy-init-assets: runtime/default
nova-novncproxy-init: runtime/default
init: runtime/default
nova-scheduler:
nova-scheduler: runtime/default
init: runtime/default
nova-cell-setup:
nova-cell-setup: runtime/default
nova-cell-setup-init: runtime/default
init: runtime/default
nova-test:
init: runtime/default
nova-test: runtime/default
nova-test-ks-user: runtime/default
pod:
security_context:
nova:
container:
nova_compute:
appArmorProfile:
type: RuntimeDefault
nova_compute_init:
appArmorProfile:
type: RuntimeDefault
nova_compute_vnc_init:
appArmorProfile:
type: RuntimeDefault
nova_api:
appArmorProfile:
type: RuntimeDefault
nova_api_metadata_init:
appArmorProfile:
type: RuntimeDefault
nova_osapi:
appArmorProfile:
type: RuntimeDefault
nova_conductor:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy_init_assets:
appArmorProfile:
type: RuntimeDefault
nova_novncproxy_init:
appArmorProfile:
type: RuntimeDefault
nova_scheduler:
appArmorProfile:
type: RuntimeDefault
nova_cell_setup:
container:
nova_cell_setup:
appArmorProfile:
type: RuntimeDefault
nova_cell_setup_init:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,15 +1,23 @@
# NOTE: Enable this with the correct policy
---
openvswitch:
pod:
mandatory_access_control:
type: apparmor
openvswitch-vswitchd:
openvswitch-vswitchd: runtime/default
openvswitch-vswitchd-modules: runtime/default
init: runtime/default
openvswitch-db:
openvswitch-db: runtime/default
openvswitch-db-perms: runtime/default
init: runtime/default
pod:
security_context:
ovs:
container:
vswitchd:
appArmorProfile:
type: RuntimeDefault
server:
appArmorProfile:
type: RuntimeDefault
modules:
appArmorProfile:
type: RuntimeDefault
perms:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,15 +1,14 @@
---
placement:
pod:
mandatory_access_control:
type: apparmor
placement-api:
placement-api: runtime/default
init: runtime/default
placement-db-migrate:
init: runtime/default
placement-mysql-migration: runtime/default
manifests:
job_db_migrate: true
pod:
security_context:
placement:
container:
placement_api:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,26 +1,41 @@
---
rabbitmq:
pod:
mandatory_access_control:
type: apparmor
rabbitmq-cluster-wait:
init: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-rabbitmq-cluster-wait: runtime/default
rabbitmq:
init: runtime/default
rabbitmq-password: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-perms: runtime/default
rabbitmq: runtime/default
prometheus-rabbitmq-exporter:
init: runtime/default
rabbitmq-exporter: runtime/default
rabbitmq-rabbitmq-test:
rabbitmq-rabbitmq-test: runtime/default
init: runtime/default
monitoring:
prometheus:
enabled: true
pod:
security_context:
cluster_wait:
container:
rabbitmq_cluster_wait:
appArmorProfile:
type: RuntimeDefault
rabbitmq_cookie:
appArmorProfile:
type: RuntimeDefault
server:
container:
rabbitmq:
appArmorProfile:
type: RuntimeDefault
rabbitmq_perms:
appArmorProfile:
type: RuntimeDefault
rabbitmq_cookie:
appArmorProfile:
type: RuntimeDefault
rabbitmq_password:
appArmorProfile:
type: RuntimeDefault
exporter:
container:
rabbitmq_exporter:
appArmorProfile:
type: RuntimeDefault
test:
container:
rabbitmq_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,14 +1,23 @@
# NOTE: Enable this with the correct policy
---
pod:
mandatory_access_control:
type: apparmor
openvswitch-vswitchd:
openvswitch-vswitchd: runtime/default
openvswitch-vswitchd-modules: runtime/default
init: runtime/default
openvswitch-db:
openvswitch-db: runtime/default
openvswitch-db-perms: runtime/default
init: runtime/default
security_context:
ovs:
container:
vswitchd:
appArmorProfile:
type: RuntimeDefault
server:
appArmorProfile:
type: RuntimeDefault
modules:
appArmorProfile:
type: RuntimeDefault
perms:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
placement-api:
placement-api: runtime/default
init: runtime/default
security_context:
placement:
container:
placement_api:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,21 +1,35 @@
---
pod:
mandatory_access_control:
type: apparmor
postgresql:
postgresql: runtime/default
set-volume-perms: runtime/default
init: runtime/default
prometheus-postgresql-exporter:
postgresql-exporter: runtime/default
init: runtime/default
prometheus-postgresql-exporter-create-user:
prometheus-postgresql-exporter-create-user: runtime/default
init: runtime/default
postgresql-backup:
init: runtime/default
backup-perms: runtime/default
postgresql-backup: runtime/default
manifests:
cron_job_postgresql_backup: true
security_context:
server:
container:
postgresql:
appArmorProfile:
type: RuntimeDefault
set_volume_perms:
appArmorProfile:
type: RuntimeDefault
prometheus_postgresql_exporter:
container:
postgresql_exporter:
appArmorProfile:
type: RuntimeDefault
create_user:
container:
prometheus_postgresql_exporter_create_user:
appArmorProfile:
type: RuntimeDefault
postgresql_backup:
container:
postgresql_backup:
appArmorProfile:
type: RuntimeDefault
backup_perms:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,9 +1,20 @@
---
pod:
mandatory_access_control:
type: apparmor
prometheus-alertmanager:
prometheus-alertmanager: runtime/default
prometheus-alertmanager-perms: runtime/default
init: runtime/default
security_context:
server:
container:
prometheus_alertmanager:
appArmorProfile:
type: RuntimeDefault
prometheus_alertmanager_perms:
appArmorProfile:
type: RuntimeDefault
apache_proxy:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,7 +1,9 @@
---
pod:
mandatory_access_control:
type: apparmor
prometheus-blackbox-exporter:
blackbox-exporter: runtime/default
security_context:
prometheus_blackbox_exporter:
container:
blackbox_exporter:
appArmorProfile:
type: RuntimeDefault
...

@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
kube-state-metrics:
kube-state-metrics: runtime/default
init: runtime/default
security_context:
exporter:
container:
kube_state_metrics:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,37 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
mariadb-ingress-error-pages:
init: runtime/default
ingress-error-pages: runtime/default
mariadb-ingress:
init: runtime/default
ingress: runtime/default
mariadb-server:
init-0: runtime/default
agent: runtime/default
init: runtime/default
mariadb-perms: runtime/default
mariadb: runtime/default
mariadb-backup:
init: runtime/default
mariadb-backup: runtime/default
mariadb-verify-server: runtime/default
mariadb-test:
init: runtime/default
mariadb-test: runtime/default
prometheus-mysql-exporter:
init: runtime/default
mysql-exporter: runtime/default
create-sql-user:
init: runtime/default
exporter-create-sql-user: runtime/default
monitoring:
prometheus:
enabled: true
manifests:
cron_job_mariadb_backup: true
security_context:
prometheus_mysql_exporter:
container:
exporter:
appArmorProfile:
type: RuntimeDefault
prometheus_create_mysql_user:
container:
main:
appArmorProfile:
type: RuntimeDefault
...
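Review bot: The new side confines only `prometheus_mysql_exporter` and `prometheus_create_mysql_user`, while the removed block also covered the server containers (`init-0`, `agent`, `mariadb-perms`, `mariadb`), backup (`mariadb-backup`, `mariadb-verify-server`), `mariadb-test` and both ingress containers; unless this override now targets a chart that no longer renders those workloads, they run unconfined after the change. The mapping between this override and its chart is not visible in the diff, so please confirm against the chart's templates and, if the server workloads are still rendered here, add `server`/`mariadb_backup`/`tests` entries mirroring the wrapped mariadb override earlier in this commit.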

@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
node-exporter:
node-exporter: runtime/default
init: runtime/default
security_context:
metrics:
container:
node_exporter:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,11 +1,19 @@
---
pod:
mandatory_access_control:
type: apparmor
prometheus-openstack-exporter:
openstack-metrics-exporter: runtime/default
init: runtime/default
prometheus-openstack-exporter-ks-user:
prometheus-openstack-exporter-ks-user: runtime/default
init: runtime/default
security_context:
exporter:
container:
openstack_metrics_exporter:
appArmorProfile:
type: RuntimeDefault
ks_user:
container:
prometheus_openstack_exporter_ks_user:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,8 +1,14 @@
---
pod:
mandatory_access_control:
type: apparmor
process-exporter:
process-exporter: runtime/default
init: runtime/default
security_context:
metrics:
container:
process_exporter:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,13 +1,25 @@
---
pod:
mandatory_access_control:
type: apparmor
prometheus:
prometheus: runtime/default
prometheus-perms: runtime/default
apache-proxy: runtime/default
init: runtime/default
prometheus-test:
prometheus-helm-tests: runtime/default
init: runtime/default
security_context:
api:
container:
prometheus:
appArmorProfile:
type: RuntimeDefault
prometheus_perms:
appArmorProfile:
type: RuntimeDefault
apache_proxy:
appArmorProfile:
type: RuntimeDefault
test:
container:
prometheus_helm_tests:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...

@ -1,25 +1,41 @@
---
pod:
mandatory_access_control:
type: apparmor
rabbitmq-cluster-wait:
init: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-rabbitmq-cluster-wait: runtime/default
rabbitmq:
init: runtime/default
rabbitmq-password: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-perms: runtime/default
rabbitmq: runtime/default
prometheus-rabbitmq-exporter:
init: runtime/default
rabbitmq-exporter: runtime/default
rabbitmq-rabbitmq-test:
rabbitmq-rabbitmq-test: runtime/default
init: runtime/default
monitoring:
prometheus:
enabled: true
security_context:
cluster_wait:
container:
rabbitmq_cluster_wait:
appArmorProfile:
type: RuntimeDefault
rabbitmq_cookie:
appArmorProfile:
type: RuntimeDefault
server:
container:
rabbitmq:
appArmorProfile:
type: RuntimeDefault
rabbitmq_perms:
appArmorProfile:
type: RuntimeDefault
rabbitmq_cookie:
appArmorProfile:
type: RuntimeDefault
rabbitmq_password:
appArmorProfile:
type: RuntimeDefault
exporter:
container:
rabbitmq_exporter:
appArmorProfile:
type: RuntimeDefault
test:
container:
rabbitmq_test:
appArmorProfile:
type: RuntimeDefault
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
appArmorProfile:
type: RuntimeDefault
...