airship/divingbell
Code Issues Proposed changes

Add Docker default AppArmor profile to divingbell

Browse Source 
This adds default AppArmor profile to divingbell.

Also, update to gate script to install ethtool if it is not present.

Change-Id: I7abb13a533b596f4db5fe65fdae5eb7fc57ec00a
This commit is contained in:
KAVVA, JAGAN MOHAN REDDY (jk330k) 2020-02-03 10:09:59 -06:00 committed by Anderson, Craig (ca846m)
parent fe0a034ec7
commit 37594c8d16
12 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.zuul.yaml
View File

@ -73,6 +73,7 @@
vars:
zuul_osh_infra_relative_path: ../../openstack/openstack-helm-infra/
gate_scripts:
- "{{ zuul_osh_infra_relative_path }}./tools/deployment/apparmor/001-setup-apparmor-profiles.sh"
- "{{ zuul_osh_infra_relative_path }}./tools/deployment/common/005-deploy-k8s.sh"
- ./tools/gate/scripts/010-build-charts.sh
- sudo ./tools/gate/scripts/020-test-divingbell.sh

1
divingbell/templates/daemonset-apparmor.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-apt.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-ethtool.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-exec.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-limits.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-mounts.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-perm.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-sysctl.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

1
divingbell/templates/daemonset-uamlite.yaml
View File

@ -37,6 +37,7 @@ spec:
{{ list $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-uamlite" "containerNames" (list "uamlite") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
hostNetwork: true
hostPID: true

20
divingbell/values.yaml
View File

@ -96,6 +96,26 @@ conf:
# item: 'core'
# value: 0
pod:
mandatory_access_control:
type: apparmor
divingbell-apparmor:
apparmor: runtime/default
divingbell-apt:
apt: runtime/default
divingbell-ethtool:
ethtool: runtime/default
divingbell-exec:
exec: runtime/default
divingbell-limits:
limits: runtime/default
divingbell-mounts:
mounts: runtime/default
divingbell-perm:
perm: runtime/default
divingbell-sysctl:
sysctl: runtime/default
divingbell-uamlite:
uamlite: runtime/default
lifecycle:
upgrades:
daemonsets:

1
tools/gate/scripts/020-test-divingbell.sh
View File

@ -281,6 +281,7 @@ EXEC_DIR=/var/${NAME}/exec
EXPECTED_NUMBER_OF_DAEMONSETS=17
type lshw || apt -y install lshw
type apparmor_parser || apt -y install apparmor
type ethtool || apt -y install ethtool
nic_info="$(lshw -class network)"
physical_nic=''
IFS=$'\n'