Enable runtime Apparmor default for All Ceph Components

Change-Id: Id62fe453846ffe6ab01198177d5d8046378d61bf Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-02-17 02:18:37 +00:00 · 2020-02-17 02:18:37 +00:00 · 344c0543fa
parent 304dc14ff8
commit 344c0543fa
16 changed files with 69 additions and 5 deletions
--- a/ceph-client/templates/deployment-checkdns.yaml
+++ b/ceph-client/templates/deployment-checkdns.yaml
@ -68,6 +68,7 @@ spec:
 {{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-checkdns" "containerNames" (list "ceph-checkdns" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-client/templates/deployment-mds.yaml
+++ b/ceph-client/templates/deployment-mds.yaml
@ -43,7 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-client/templates/deployment-mgr.yaml
+++ b/ceph-client/templates/deployment-mgr.yaml
@ -43,7 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-client/templates/job-rbd-pool.yaml
+++ b/ceph-client/templates/job-rbd-pool.yaml
@ -32,6 +32,8 @@ spec:
      name: ceph-rbd-pool
      labels:
 {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "ceph-rbd-pool" "containerNames" (list "ceph-rbd-pool" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-client/values_overrides/apparmor.yaml
+++ b/ceph-client/values_overrides/apparmor.yaml
@ -0,0 +1,16 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-checkdns:
+      ceph-checkdns: runtime/default
+      init: runtime/default
+    ceph-mds:
+      ceph-mds: runtime/default
+      ceph-init-dirs: runtime/default
+    ceph-mgr:
+      ceph-mgr: runtime/default
+      ceph-init-dirs: runtime/default
+    ceph-rbd-pool:
+      ceph-rbd-pool: runtime/default
+      init: runtime/default
+
--- a/ceph-mon/templates/daemonset-mon.yaml
+++ b/ceph-mon/templates/daemonset-mon.yaml
@ -68,6 +68,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon" "ceph-init-dirs" "ceph-log-ownership") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-mon/templates/deployment-moncheck.yaml
+++ b/ceph-mon/templates/deployment-moncheck.yaml
@ -39,7 +39,7 @@ spec:
 {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mon-check" "containerNames" (list "ceph-mon" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-mon/templates/job-storage-admin-keys.yaml
+++ b/ceph-mon/templates/job-storage-admin-keys.yaml
@ -58,6 +58,11 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-storage-keys-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-mon/values_overrides/apparmor.yaml
+++ b/ceph-mon/values_overrides/apparmor.yaml
@ -0,0 +1,15 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-mon:
+      ceph-init-dirs: runtime/default
+      ceph-mon: runtime/default
+      ceph-log-ownership: runtime/default
+    ceph-mon-check:
+      ceph-mon: runtime/default
+      init: runtime/default
+    ceph-bootstrap:
+      ceph-bootstrap: runtime/default
+    ceph-storage-keys-generator:
+      ceph-storage-keys-generator: runtime/default
+      init: runtime/default
--- a/ceph-osd/templates/daemonset-osd.yaml
+++ b/ceph-osd/templates/daemonset-osd.yaml
@ -41,7 +41,7 @@ spec:
 {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default" "ceph-init-dirs" "ceph-log-ownership" "osd-init" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "osd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
--- a/ceph-osd/values_overrides/apparmor.yaml
+++ b/ceph-osd/values_overrides/apparmor.yaml
@ -0,0 +1,9 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-osd-default:
+      ceph-osd-default: runtime/default
+      ceph-init-dirs: runtime/default
+      ceph-log-ownership: runtime/default
+      osd-init: runtime/default
+      init: runtime/default
--- a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
@ -152,6 +152,7 @@ spec:
 {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
@ -142,6 +142,7 @@ spec:
 {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-provisioners/templates/job-cephfs-client-key.yaml
+++ b/ceph-provisioners/templates/job-cephfs-client-key.yaml
@ -89,6 +89,8 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-provisioners/values_overrides/apparmor.yaml
+++ b/ceph-provisioners/values_overrides/apparmor.yaml
@ -0,0 +1,11 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-cephfs-provisioner:
+      ceph-cephfs-provisioner: runtime/default
+      init: runtime/default
+    ceph-cephfs-client-key-generator:
+      ceph-storage-keys-generator: runtime/default
+    ceph-rbd-provisioner:
+      ceph-rbd-provisioner: runtime/default
+      init: runtime/default
--- a/tools/deployment/common/get-values-overrides.sh
+++ b/tools/deployment/common/get-values-overrides.sh
@ -19,7 +19,7 @@ HELM_CHART="$1"
 : "${HELM_CHART_ROOT_PATH:="../openstack-helm-infra"}"
 : "${CONTAINER_DISTRO_NAME:="ubuntu"}"
 : "${CONTAINER_DISTRO_VERSION:="xenial"}"
-: "${FEATURE_GATES:=""}"
+: "${FEATURE_GATES:="apparmor"}"
 OSH_INFRA_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"

 function echoerr () {