From 17592f54ae7ffbff6f076e4bc116769869e841ec Mon Sep 17 00:00:00 2001 From: diwakar thyagaraj Date: Mon, 17 Feb 2020 02:29:55 +0000 Subject: [PATCH] Enable Docker default Apparmor for all Prometheus Containers Change-Id: I97fc39e52b36fc0be84abd049fdbce1e7026107d Signed-off-by: diwakar thyagaraj --- .../templates/statefulset.yaml | 2 +- .../values_overrides/apparmor.yaml | 5 ++ .../templates/deployment.yaml | 1 + .../values_overrides/apparmor.yaml | 5 ++ .../values_overrides/apparmor.yaml | 5 ++ .../values_overrides/apparmor.yaml | 5 ++ .../value_overrides/apparmor.yaml | 5 ++ .../apparmor/050-prometheus-alertmanager.sh | 41 +---------------- .../apparmor/060-prometheus-node-exporter.sh | 39 +--------------- .../070-prometheus-openstack-exporter.sh | 46 +------------------ .../080-prometheus-process-exporter.sh | 39 +--------------- 11 files changed, 31 insertions(+), 162 deletions(-) create mode 100644 prometheus-alertmanager/values_overrides/apparmor.yaml create mode 100644 prometheus-kube-state-metrics/values_overrides/apparmor.yaml create mode 100644 prometheus-node-exporter/values_overrides/apparmor.yaml create mode 100644 prometheus-openstack-exporter/values_overrides/apparmor.yaml create mode 100644 prometheus-process-exporter/value_overrides/apparmor.yaml mode change 100755 => 120000 tools/deployment/apparmor/050-prometheus-alertmanager.sh mode change 100755 => 120000 tools/deployment/apparmor/060-prometheus-node-exporter.sh mode change 100755 => 120000 tools/deployment/apparmor/070-prometheus-openstack-exporter.sh mode change 100755 => 120000 tools/deployment/apparmor/080-prometheus-process-exporter.sh diff --git a/prometheus-alertmanager/templates/statefulset.yaml b/prometheus-alertmanager/templates/statefulset.yaml index b7e12f0a0..d5a687d9c 100644 --- a/prometheus-alertmanager/templates/statefulset.yaml +++ b/prometheus-alertmanager/templates/statefulset.yaml 
@@ -46,7 +46,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "alertmanager" "containerNames" (list "alertmanager") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "alertmanager" "containerNames" (list "alertmanager" "alertmanager-perms") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/prometheus-alertmanager/values_overrides/apparmor.yaml b/prometheus-alertmanager/values_overrides/apparmor.yaml new file mode 100644 index 000000000..3d23f0dbe --- /dev/null +++ b/prometheus-alertmanager/values_overrides/apparmor.yaml @@ -0,0 +1,5 @@ +pod: + mandatory_access_control: + type: apparmor + alertmanager: + alertmanager-perms: runtime/default diff --git a/prometheus-kube-state-metrics/templates/deployment.yaml b/prometheus-kube-state-metrics/templates/deployment.yaml index 68442d52f..624734ad3 100644 --- a/prometheus-kube-state-metrics/templates/deployment.yaml +++ b/prometheus-kube-state-metrics/templates/deployment.yaml 
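Review bot: The new `prometheus-alertmanager/values_overrides/apparmor.yaml` assigns `runtime/default` only to `alertmanager-perms`; the main `alertmanager` container, which the statefulset hunk still lists first in `containerNames`, gets no profile, whereas the deleted `050-prometheus-alertmanager.sh` set `alertmanager: runtime/default`. Unless the annotation snippet falls back to a default for unlisted containers (not visible here), this regresses coverage on the long-running container while claiming to cover all of them. The override should carry both entries: `alertmanager:` / `  alertmanager: runtime/default` / `  alertmanager-perms: runtime/default`. The statefulset's container definitions lie outside this hunk, so whether other sidecars or init containers exist cannot be confirmed from the diff.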
@@ -104,6 +104,7 @@ spec: annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "kube-state-metrics" "containerNames" (list "kube-state-metrics") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/prometheus-kube-state-metrics/values_overrides/apparmor.yaml b/prometheus-kube-state-metrics/values_overrides/apparmor.yaml new file mode 100644 index 000000000..7cb2ccb52 --- /dev/null +++ b/prometheus-kube-state-metrics/values_overrides/apparmor.yaml @@ -0,0 +1,5 @@ +pod: + mandatory_access_control: + type: apparmor + kube-state-metrics: + kube-state-metrics: runtime/default diff --git a/prometheus-node-exporter/values_overrides/apparmor.yaml b/prometheus-node-exporter/values_overrides/apparmor.yaml new file mode 100644 index 000000000..bcfa52ce3 --- /dev/null +++ b/prometheus-node-exporter/values_overrides/apparmor.yaml @@ -0,0 +1,5 @@ +pod: + mandatory_access_control: + type: apparmor + node-exporter: + node-exporter: runtime/default diff --git a/prometheus-openstack-exporter/values_overrides/apparmor.yaml b/prometheus-openstack-exporter/values_overrides/apparmor.yaml new file mode 100644 index 000000000..a27c9e273 --- /dev/null +++ b/prometheus-openstack-exporter/values_overrides/apparmor.yaml @@ -0,0 +1,5 @@ +pod: + mandatory_access_control: + type: apparmor + prometheus-openstack-exporter: + openstack-metrics-exporter: runtime/default diff --git a/prometheus-process-exporter/value_overrides/apparmor.yaml b/prometheus-process-exporter/value_overrides/apparmor.yaml new file mode 100644 index 000000000..840e818ff --- /dev/null 
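Review bot: The annotation added to `prometheus-kube-state-metrics/templates/deployment.yaml` passes `containerNames (list "kube-state-metrics")` only, so any init container the deployment declares further down (outside this hunk; these charts commonly include a dependency-wait init container) would run unconfined even though the commit title promises a profile for all containers. If such a container exists, it should be appended to the list and given an entry in the override, e.g. `kube-state-metrics:` / `  kube-state-metrics: runtime/default` / `  init: runtime/default` with the real container name. The override files for node-exporter and openstack-exporter added in the same span rely on annotation snippets already present in those charts' templates, which are not shown here, so the pod/container keys they use (`node-exporter`, `openstack-metrics-exporter`) are worth checking against those templates.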
+++ b/prometheus-process-exporter/value_overrides/apparmor.yaml @@ -0,0 +1,5 @@ +pod: + mandatory_access_control: + type: apparmor + process-exporter: + process-exporter: runtime/default diff --git a/tools/deployment/apparmor/050-prometheus-alertmanager.sh b/tools/deployment/apparmor/050-prometheus-alertmanager.sh deleted file mode 100755 index 62f6a9002..000000000 --- a/tools/deployment/apparmor/050-prometheus-alertmanager.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash - -# Copyright 2019 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make prometheus-alertmanager - -#NOTE: Deploy command -tee /tmp/prometheus-alertmanager.yaml << EOF -pod: - mandatory_access_control: - type: apparmor - alertmanager: - alertmanager: runtime/default -storage: - enabled: false -EOF -helm upgrade --install prometheus-alertmanager ./prometheus-alertmanager \ - --namespace=osh-infra \ - --values=/tmp/prometheus-alertmanager.yaml - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh osh-infra - -#NOTE: Validate Deployment info -helm status prometheus-alertmanager diff --git a/tools/deployment/apparmor/050-prometheus-alertmanager.sh b/tools/deployment/apparmor/050-prometheus-alertmanager.sh new file mode 120000 index 000000000..8c33bb27f --- /dev/null +++ b/tools/deployment/apparmor/050-prometheus-alertmanager.sh @@ -0,0 +1 @@ +../osh-infra-monitoring/060-alertmanager.sh \ No newline at end of file 
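Review bot: The process-exporter override is created under `prometheus-process-exporter/value_overrides/` (singular) while every other chart in this patch uses `values_overrides/`; any job that selects the file by the conventional path will silently skip it and deploy the process exporter without an AppArmor annotation. The file should be moved to `prometheus-process-exporter/values_overrides/apparmor.yaml`. Separately, `050-prometheus-alertmanager.sh` now links to `../osh-infra-monitoring/060-alertmanager.sh`, which is outside this diff; the apparmor gate only still enforces a profile if that script applies the new override (for instance through a feature-gate mechanism), so that should be confirmed.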
diff --git a/tools/deployment/apparmor/060-prometheus-node-exporter.sh b/tools/deployment/apparmor/060-prometheus-node-exporter.sh deleted file mode 100755 index 2dadeef71..000000000 --- a/tools/deployment/apparmor/060-prometheus-node-exporter.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -# Copyright 2019 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make prometheus-node-exporter - -#NOTE: Deploy command -tee /tmp/prometheus-node-exporter.yaml << EOF -pod: - mandatory_access_control: - type: apparmor - node-exporter: - node-exporter: runtime/default -EOF -helm upgrade --install prometheus-node-exporter ./prometheus-node-exporter \ - --namespace=kube-system \ - --values=/tmp/prometheus-node-exporter.yaml - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh kube-system - -#NOTE: Validate Deployment info -helm status prometheus-node-exporter diff --git a/tools/deployment/apparmor/060-prometheus-node-exporter.sh b/tools/deployment/apparmor/060-prometheus-node-exporter.sh new file mode 120000 index 000000000..4104e88c9 --- /dev/null +++ b/tools/deployment/apparmor/060-prometheus-node-exporter.sh @@ -0,0 +1 @@ +../osh-infra-monitoring/080-node-exporter.sh \ No newline at end of file diff --git a/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh b/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh deleted file mode 100755 index 331a5d9eb..000000000 
--- a/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash - -# Copyright 2019 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make prometheus-openstack-exporter - -#NOTE: Deploy command -tee /tmp/prometheus-openstack-exporter.yaml << EOF -manifests: - job_ks_user: false -dependencies: - static: - prometheus_openstack_exporter: - jobs: null - services: null -pod: - mandatory_access_control: - type: apparmor - prometheus-openstack-exporter: - openstack-metrics-exporter: runtime/default -EOF -helm upgrade --install prometheus-openstack-exporter ./prometheus-openstack-exporter \ - --namespace=openstack \ - --values=/tmp/prometheus-openstack-exporter.yaml - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh openstack - -#NOTE: Validate Deployment info -helm status prometheus-openstack-exporter diff --git a/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh b/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh new file mode 120000 index 000000000..8fbe1fef9 --- /dev/null +++ b/tools/deployment/apparmor/070-prometheus-openstack-exporter.sh @@ -0,0 +1 @@ +../osh-infra-monitoring/100-openstack-exporter.sh \ No newline at end of file 
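Review bot: The deleted `070-prometheus-openstack-exporter.sh` set `manifests.job_ks_user: false` and nulled the chart's job/service dependencies so the apparmor gate could run without Keystone; the replacement symlink to `../osh-infra-monitoring/100-openstack-exporter.sh` is outside this diff, so whether it carries the same overrides and also applies `values_overrides/apparmor.yaml` cannot be verified here. If it does not, the apparmor job either starts depending on Keystone or stops enforcing a profile at all. A one-line comment in the linked script (or the change description) noting that the apparmor job expects it to apply the override would make this explicit.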
diff --git a/tools/deployment/apparmor/080-prometheus-process-exporter.sh b/tools/deployment/apparmor/080-prometheus-process-exporter.sh deleted file mode 100755 index 24c0cb665..000000000 --- a/tools/deployment/apparmor/080-prometheus-process-exporter.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -# Copyright 2019 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make prometheus-process-exporter - -#NOTE: Deploy command -tee /tmp/prometheus-process-exporter.yaml << EOF -pod: - mandatory_access_control: - type: apparmor - process-exporter: - process-exporter: runtime/default -EOF -helm upgrade --install prometheus-process-exporter ./prometheus-process-exporter \ - --namespace=kube-system \ - --values=/tmp/prometheus-process-exporter.yaml - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh kube-system - -#NOTE: Validate Deployment info -helm status prometheus-process-exporter diff --git a/tools/deployment/apparmor/080-prometheus-process-exporter.sh b/tools/deployment/apparmor/080-prometheus-process-exporter.sh new file mode 120000 index 000000000..dc2a7b056 --- /dev/null +++ b/tools/deployment/apparmor/080-prometheus-process-exporter.sh @@ -0,0 +1 @@ +../osh-infra-monitoring/090-process-exporter.sh \ No newline at end of file