fix: ceph-osd AppArmor profiles not applied

AppArmor annotations require the container name to be applied properly.
Before this change, when overrides are not used, the container name is
ceph-osd-default. When overrides are used, the container name is of the
form ceph-osd-HOSTNAME-SHA, but with an identical HOSTNAME and SHA for
all the daemonsets. However, it is not possible to predict this value,
and as a result, the AppArmor profiles are not applied.

This change removes the customization of the container name, and sets
it to ceph-osd-default, allowing AppArmor annotations to be consistently
applied using:

    pod:
      mandatory_access_control:
        type: apparmor
        ceph-osd-default:
          ceph-osd-default: localhost/profilename

Change-Id: I8b6eda00f77ec7393a4311309f3ff76908d06ae6
Sphicas, Phil (ps3910) 2019-10-22 18:18:43 -07:00 committed by diwakar thyagaraj
parent 81d2d687c8
commit 938c6d9bb9
2 changed files with 1 additions and 12 deletions


@ -212,7 +212,7 @@ spec:
mountPath: /var/lib/ceph/journal mountPath: /var/lib/ceph/journal
readOnly: false readOnly: false
containers: containers:
- name: osd-pod - name: ceph-osd-default
{{ tuple $envAll "ceph_osd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "ceph_osd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.osd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.osd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "osd" "container" "osd_pod" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "osd" "container" "osd_pod" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
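Review bot: The container is now named `ceph-osd-default`, but the security-context snippet on the last line of the hunk still looks it up under the values key `osd_pod`, so the container name and its security-context key no longer match; a one-line template comment above that line, `{{/* "osd_pod" is the values key under pod.security_context, not the container name; kept for backward compatibility with existing overrides */}}`, would stop a later maintainer from "fixing" the key to `ceph-osd-default` and silently dropping the per-container security context. The values path is inferred from the snippet name and should be confirmed against helm-toolkit. Since the daemonset_overrides loop that previously renamed this container is removed in the second file, every override daemonset now shares this container name, which is what lets the single `ceph-osd-default` AppArmor annotation key in the commit message apply uniformly; it is worth stating that dependency in the same comment so the two files are not changed independently.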


@ -230,17 +230,6 @@ limitations under the License.
{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }} {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }} {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
{{/* set container names and add to the list of containers for the pod */}}
{{- $_ := set $context.Values "__containers_list" ( list ) }}
{{- range $container := $context.Values.__daemonset_yaml.spec.template.spec.containers }}
{{- if eq $container.name "osd-pod" }}
{{- $_ := set $container "name" $current_dict.dns_1123_name }}
{{- end }}
{{- $__containers_list := append $context.Values.__containers_list $container }}
{{- $_ := set $context.Values "__containers_list" $__containers_list }}
{{- end }}
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "containers" $context.Values.__containers_list }}
{{/* cross-reference configmap name to container volume definitions */}} {{/* cross-reference configmap name to container volume definitions */}}
{{- $_ := set $context.Values "__volume_list" list }} {{- $_ := set $context.Values "__volume_list" list }}
{{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }} {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}