Fixes the Apparmor gate for libvirt and memcached

This updates the apparmor job to only use the docker default
profile for memcached, as the custom apparmor profiles used didn't
allow for a successful deployment. This also updates the libvirt
overrides, as the current change to use daemonset-overrides
required updating the container name.

Co-authored-by: wilkers.steve@gmail.com
Co-authored-by: ld366r@att.com

Change-Id: I00cb4c62a38e0e1178e45b4e34c946b3b53da6d5
Randeep Jalli 2019-04-04 16:32:55 +00:00
parent aae64213c9
commit 3aa89c55f3
2 changed files with 8 additions and 62 deletions


@ -28,65 +28,8 @@ images:
pod: pod:
mandatory_access_control: mandatory_access_control:
type: apparmor type: apparmor
configmap_apparmor: true
memcached: memcached:
memcached: localhost/my-apparmor-v1 memcached: localhost/docker-default
apparmor-loader: unconfined
conf:
apparmor_profiles:
my-apparmor-v1.profile: |-
#include <tunables/global>
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network inet tcp,
network inet udp,
network inet icmp,
deny network raw,
deny network packet,
file,
umount,
deny /bin/** wl,
deny /boot/** wl,
deny /dev/** wl,
deny /etc/** wl,
deny /home/** wl,
deny /lib/** wl,
deny /lib64/** wl,
deny /media/** wl,
deny /mnt/** wl,
deny /opt/** wl,
deny /proc/** wl,
deny /root/** wl,
deny /sbin/** wl,
deny /srv/** wl,
deny /tmp/** wl,
deny /sys/** wl,
deny /usr/** wl,
audit /** w,
/var/run/nginx.pid w,
/usr/sbin/nginx ix,
deny /bin/dash mrwklx,
deny /bin/sh mrwklx,
deny /usr/bin/top mrwklx,
capability chown,
capability dac_override,
capability setuid,
capability setgid,
capability net_bind_service,
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
}
EOF EOF
# NOTE: Deploy command # NOTE: Deploy command
@ -110,7 +53,7 @@ helm status memcached
pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}') pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}')
unsorted_process_file="/tmp/unsorted_proc_list" unsorted_process_file="/tmp/unsorted_proc_list"
sorted_process_file="/tmp/proc_list" sorted_process_file="/tmp/proc_list"
expected_profile="my-apparmor-v1 (enforce)" expected_profile="docker-default (enforce)"
# Grab the processes (numbered directories) from the /proc directory, # Grab the processes (numbered directories) from the /proc directory,
# and then sort them. Highest proc number indicates most recent process. # and then sort them. Highest proc number indicates most recent process.
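Review bot: `expected_profile="docker-default (enforce)"` makes the gate assert the profile that a Docker-backed runtime applies to a container that carries no AppArmor annotation at all, so on such nodes the check passes whether or not the chart's `localhost/docker-default` value from the heredoc was ever rendered into the pod annotation; the custom-profile path that previously proved the configmap/loader wiring worked is gone from this script. That weakening is worth recording at the line, e.g. `# NOTE: docker-default is the runtime's own default profile; this only shows` / `# the profile is enforced, not that the chart's annotation selected it.` If some proof that the annotation is honoured should remain, read it back before the /proc scan, e.g. `kubectl -n $namespace get pod $pod -o jsonpath='{.metadata.annotations.container\.apparmor\.security\.beta\.kubernetes\.io/memcached}'`, and fail if it is empty. Whether `configmap_apparmor: true` survives on the new side of the values heredoc cannot be told from this rendering, and the rest of the profile check (the /proc enumeration and comparison against `expected_profile`) continues past the end of the hunk.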


@ -26,8 +26,8 @@ pod:
mandatory_access_control: mandatory_access_control:
type: apparmor type: apparmor
configmap_apparmor: true configmap_apparmor: true
libvirt: libvirt-libvirt-default:
libvirt: localhost/my-apparmor-v1 libvirt-libvirt-default: localhost/my-apparmor-v1
apparmor-loader: unconfined apparmor-loader: unconfined
conf: conf:
apparmor_profiles: apparmor_profiles:
@ -164,10 +164,13 @@ conf:
EOF EOF
#NOTE: Deploy command #NOTE: Deploy command
helm upgrade --install libvirt ./libvirt \ helm upgrade --install libvirt ./libvirt \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/libvirt.yaml \ --values=/tmp/libvirt.yaml \
--set network.backend="null" --set network.backend="null"
#NOTE: Validate Deployment info #NOTE: Validate Deployment info
./tools/deployment/common/wait-for-pods.sh openstack
helm status libvirt helm status libvirt