From 8b201ea0eb0de08ee081252debae3cd5ed0053d9 Mon Sep 17 00:00:00 2001 From: Aaron Sheffield Date: Thu, 1 Nov 2018 11:32:04 -0500 Subject: [PATCH] Adding AppArmor profile to Calico v3 - Adds AppArmor profile to the privileged pod using kubernetes_manadatory_access_control_annotation. - Added apparmor install to the gate jobs. Change-Id: I8b53e0b8ddc2695fa278481edf5688efa23ab06b --- calico/templates/daemonset-calico-node.yaml | 1 + calico/values.yaml | 4 +++ playbooks/osh-infra-upgrade-host.yaml | 12 +++++++ roles/deploy-apparmor/tasks/main.yaml | 37 +++++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 roles/deploy-apparmor/tasks/main.yaml diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml index 80a653469..a3c49681d 100644 --- a/calico/templates/daemonset-calico-node.yaml +++ b/calico/templates/daemonset-calico-node.yaml @@ -108,6 +108,7 @@ spec: # priority scheduling and that its resources are reserved # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' +{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{- if .Values.monitoring.prometheus.enabled }} {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} diff --git a/calico/values.yaml b/calico/values.yaml index 14148fbee..6737e3236 100644 --- a/calico/values.yaml +++ b/calico/values.yaml @@ -100,6 +100,10 @@ pod: disruption_budget: controllers: min_available: 0 + mandatory_access_control: + type: apparmor + calico-node: + calico-node: localhost/docker-default dependencies: dynamic: diff --git a/playbooks/osh-infra-upgrade-host.yaml b/playbooks/osh-infra-upgrade-host.yaml index 495b5cb99..3a2b79bb9 100644 --- a/playbooks/osh-infra-upgrade-host.yaml 
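Review bot: The `containerNames` argument on the added annotation line lists only `calico-node`, so any other container in this daemonset (an init container, if the template declares one — the container list is outside the hunk) keeps the runtime's default confinement instead of the profile configured under `pod.mandatory_access_control`. Since the commit's stated goal is confining the privileged pod, every container of the pod should probably be listed, e.g. `(list "calico-node" "<other-container-name>")`, with matching keys in values.yaml. A template comment above the line would also help the next reader: `# MAC (AppArmor) annotation for the listed containers; profile names come from .Values.pod.mandatory_access_control`.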
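Review bot: `localhost/docker-default` in the new `mandatory_access_control` block names a profile that the Docker daemon generates and loads at start-up, not one installed by the `apparmor` package, so the chart now depends on a Docker runtime and on dockerd having started with AppArmor enabled; on a node where the profile is not loaded, kubelet rejects the pod rather than starting it unconfined. Under Docker a privileged container otherwise runs with no profile, so pinning the default one is a real (if modest) hardening step, but as far as I recall docker-default also denies writes beneath `/proc/sys` outside `kernel/` and all mount operations — if calico-node tunes network sysctls, the gate logs should be checked for AppArmor DENIED audit entries before relying on this. A comment above the block would record the precondition: `# Profile must already be loaded on every node (see roles/deploy-apparmor); pods referencing an unloaded profile are rejected by kubelet.`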
+++ b/playbooks/osh-infra-upgrade-host.yaml
@@ -39,3 +39,15 @@
 - upgrade-host
 - start-zuul-console
 - disable-local-nameserver
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - deploy-apparmor
+ tags:
+ - deploy-apparmor
diff --git a/roles/deploy-apparmor/tasks/main.yaml b/roles/deploy-apparmor/tasks/main.yaml
new file mode 100644
index 000000000..b03314c78
--- /dev/null
+++ b/roles/deploy-apparmor/tasks/main.yaml
@@ -0,0 +1,37 @@
+# Copyright 2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- block:
+ - name: ensuring AppArmor is deployed on host
+ when: ansible_distribution == 'Ubuntu'
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - apparmor
+
+ - name: "Enable AppArmor"
+ when: ansible_distribution == 'Ubuntu'
+ become: true
+ become_user: root
+ shell: |-
+ set -xe
+ systemctl enable apparmor
+ systemctl start apparmor
+ systemctl status apparmor.service
+ args:
+ executable: /bin/bash
+ ignore_errors: True
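Review bot: The new play sets `gather_facts: False`, yet the role it runs (roles/deploy-apparmor/tasks/main.yaml, added in this patch) conditions each task on `ansible_distribution`; unless an earlier play in the same run already gathered facts for these hosts, the `when:` evaluates an undefined variable and the play fails. Either set `gather_facts: true` here or have the role collect what it needs with a `setup:` task using `gather_subset: min`. The play also mixes boolean spellings (`become: yes`, `gather_facts: False`) while the role itself writes `become: true`; `become: true` and `gather_facts: false` would be consistent and avoid the YAML 1.1/1.2 truthy ambiguity.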
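Review bot: `ignore_errors: True` on the "Enable AppArmor" task lets the play succeed when `systemctl enable` or `systemctl start` fails, so the gate can proceed to deploy a chart that requires AppArmor onto a host where it is not active, and the root cause only surfaces later as a rejected pod instead of at this step. The shell script can be replaced by the `systemd` module, which is idempotent, reports the failure precisely and needs neither `set -xe` nor the `systemctl status` probe; `become: true` / `become_user: root` are redundant given the calling play's `become: yes`. Because the chart references `localhost/docker-default`, a profile loaded by dockerd rather than by the `apparmor` package, a follow-up task that fails if `docker-default` is absent from `/sys/kernel/security/apparmor/profiles` would make the gate fail fast on the real precondition.

```yaml
# … unchanged: license header, block:, install task …
  - name: "Enable AppArmor"
    when: ansible_distribution == 'Ubuntu'
    systemd:
      name: apparmor
      enabled: true
      state: started
```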