From 938c6d9bb92a37a9702e8205aa6ab259bf3f39f5 Mon Sep 17 00:00:00 2001 From: "Sphicas, Phil (ps3910)" Date: Tue, 22 Oct 2019 18:18:43 -0700 Subject: [PATCH] fix: ceph-osd AppArmor profiles not applied AppArmor annotations require the container name to be applied properly. Before this change, when overrides are not used, the container name is ceph-osd-default. When overrides are used, the container name is of the form ceph-osd-HOSTNAME-SHA, but with an identical HOSTNAME and SHA for all the daemonsets. However, it is not possible to predict this value, and as a result, the AppArmor profiles are not applied. This change removes the customization of the container name, and sets it to ceph-osd-default, allowing AppArmor annotations to be consistently applied using: pod: mandatory_access_control: type: apparmor ceph-osd-default: ceph-osd-default: localhost/profilename Change-Id: I8b6eda00f77ec7393a4311309f3ff76908d06ae6
---
 ceph-osd/templates/daemonset-osd.yaml | 2 +-
 ceph-osd/templates/utils/_osd_daemonset_overrides.tpl | 11 -----------
 2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/ceph-osd/templates/daemonset-osd.yaml b/ceph-osd/templates/daemonset-osd.yaml
index 1b33b431c..25f9eb56c 100644
--- a/ceph-osd/templates/daemonset-osd.yaml
+++ b/ceph-osd/templates/daemonset-osd.yaml
@@ -212,7 +212,7 @@ spec:
 mountPath: /var/lib/ceph/journal
 readOnly: false
 containers:
- - name: osd-pod
+ - name: ceph-osd-default
 {{ tuple $envAll "ceph_osd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.osd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "osd" "container" "osd_pod" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
diff --git a/ceph-osd/templates/utils/_osd_daemonset_overrides.tpl b/ceph-osd/templates/utils/_osd_daemonset_overrides.tpl
index 5a5e5aeee..2cbefdabe 100644
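Review bot: The hard-coded name on the new `- name: ceph-osd-default` line is now the key operators must repeat under `pod.mandatory_access_control`, yet nothing in the template ties the two together, so a later rename would quietly detach the AppArmor profile again. I would add a comment directly above it, e.g. `# AppArmor annotations are keyed by this container name; keep in sync with pod.mandatory_access_control`. The security-context line below still passes `"container" "osd_pod"`, which is presumably a separate values lookup and unaffected, but that is worth confirming because the hunk does not show how it is resolved. Since the commit message describes the earlier mismatch as profiles simply not being applied, a post-deploy check that the running OSD container reports the expected profile (for example by reading `/proc/1/attr/current` inside it) would catch a regression. The DaemonSet spec starts and ends outside this hunk.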
--- a/ceph-osd/templates/utils/_osd_daemonset_overrides.tpl +++ b/ceph-osd/templates/utils/_osd_daemonset_overrides.tpl @@ -230,17 +230,6 @@ limitations under the License. {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }} {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }} - {{/* set container names and add to the list of containers for the pod */}} - {{- $_ := set $context.Values "__containers_list" ( list ) }} - {{- range $container := $context.Values.__daemonset_yaml.spec.template.spec.containers }} - {{- if eq $container.name "osd-pod" }} - {{- $_ := set $container "name" $current_dict.dns_1123_name }} - {{- end }} - {{- $__containers_list := append $context.Values.__containers_list $container }} - {{- $_ := set $context.Values "__containers_list" $__containers_list }} - {{- end }} - {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "containers" $context.Values.__containers_list }} - {{/* cross-reference configmap name to container volume definitions */}} {{- $_ := set $context.Values "__volume_list" list }} {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}