openstack/openstack-helm
Code Issues Proposed changes

Make access control annotations more generic.

Browse Source 
This patch takes into consideration that there could be multiple
options for mandatory access control in a cluster. The previously
defined Helm toolkit function for generating a MAC annotation can
now be specified generically, like in this example:

  mandatory_access_control:
    type: apparmor
    glance-api:
      init: runtime/default
      glance-api: runtime/default
      glance-perms: runtime/default
      ceph-keyring-placement: runtime/default
    glance-registry:
      init: runtime/default
      glance-registry: runtime/default

If no MAC is required, then the "type" can be set to null,
and no annotation would be generated. The only MAC type supported
at the moment is "apparmor".

Change-Id: I6b45533d73af82e8fff353b0ed9f29f0891f24f1
This commit is contained in:
Cliff Parsons
2018-10-26 17:33:32 -05:00
committed by Tin Lam
parent 04c8f03532
commit 598faeb8db
1 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
View File

@@ -21,7 +21,8 @@ abstract: |
annotation, but in the future could generate others.
values: |
pod:
apparmor:
mandatory_access_control:
type: apparmor
myPodName:
myContainerName: localhost/myAppArmor
mySecondContainerName: localhost/secondProfile # optional
@@ -40,12 +41,22 @@ note: |
{{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}}
{{- $containerNames := index . "containerNames" -}}
{{- if hasKey (index $envAll.Values.pod "apparmor") $podName -}}
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
{{- if $macType -}}
{{- if eq $macType "apparmor" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
{{- range $name := $containerNames -}}
{{- $apparmorProfile := index $envAll.Values.pod.apparmor $podName $name -}}
{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
{{- if $apparmorProfile }}
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}