From 34d691c9b127644e18dffd07cc1d78201f4bf477 Mon Sep 17 00:00:00 2001
From: Jagan Kavva
Date: Mon, 8 Apr 2019 10:56:07 -0500
Subject: [PATCH] Add docker-default (enforce) AppArmor profile to openvswitch

Change-Id: I7b091f668d9293d7eafd9c1b54c4eab715bbd93c
---
 openvswitch/templates/daemonset-ovs-db.yaml | 1 +
 .../templates/daemonset-ovs-vswitchd.yaml | 1 +
 tools/deployment/apparmor/110-openvswitch.sh | 44 +++++++++++++++++++
 zuul.d/jobs.yaml | 1 +
 4 files changed, 47 insertions(+)
 create mode 100755 tools/deployment/apparmor/110-openvswitch.sh

diff --git a/openvswitch/templates/daemonset-ovs-db.yaml b/openvswitch/templates/daemonset-ovs-db.yaml
index 7a075c225..92f9b03cb 100644
--- a/openvswitch/templates/daemonset-ovs-db.yaml
+++ b/openvswitch/templates/daemonset-ovs-db.yaml
@@ -40,6 +40,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "openvswitch-db" "containerNames" (list "openvswitch-db") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/openvswitch/templates/daemonset-ovs-vswitchd.yaml b/openvswitch/templates/daemonset-ovs-vswitchd.yaml
index 6a6ab72b0..0c337fb89 100644
--- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml
+++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml
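Review bot: In `daemonset-ovs-db.yaml` the added include passes `"containerNames" (list "openvswitch-db")`, so only that one container can receive an AppArmor annotation; any init or sidecar container defined further down the pod spec (outside this hunk) would be left without one. That matters more here because the context line `shareProcessNamespace: true` puts every container of the pod in one PID namespace. If the template does define other containers, list them too, e.g. `"containerNames" (list "openvswitch-db" "<init-container-name>")`, with the placeholder replaced by the names used in the template. The `openvswitch-vswitchd` hunk has the same single-entry list and needs the same check.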
@@ -40,6 +40,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "openvswitch-vswitchd" "containerNames" (list "openvswitch-vswitchd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/tools/deployment/apparmor/110-openvswitch.sh b/tools/deployment/apparmor/110-openvswitch.sh
new file mode 100755
index 000000000..5f3dc9214
--- /dev/null
+++ b/tools/deployment/apparmor/110-openvswitch.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make openvswitch
+
+#NOTE: Deploy command
+tee /tmp/openvswitch.yaml <
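Review bot: In `daemonset-ovs-vswitchd.yaml`, if the `openvswitch-vswitchd` container runs privileged (its securityContext is outside this hunk), a `runtime/default` profile requested through the added annotation may not confine it, because container runtimes commonly leave privileged containers unconfined unless an explicit profile is named. I would document that next to the include with a template comment such as `{{/* AppArmor: runtime/default may not apply to a privileged container; set a localhost/<profile> value to enforce */}}`. The deployment script that follows is cut off in this view, so it is not visible whether it verifies the profile actually in effect inside the container or only the presence of the annotation; the former is the check that proves enforcement.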