fix: ceph-osd AppArmor profiles not applied
AppArmor annotations require the container name in order to be applied properly.

Before this change, when overrides are not used, the container name is ceph-osd-default. When overrides are used, the container name is of the form ceph-osd-HOSTNAME-SHA, but with an identical HOSTNAME and SHA for all the daemonsets. However, it is not possible to predict this value, and as a result, the AppArmor profiles are not applied.

This change removes the customization of the container name, and sets it to ceph-osd-default, allowing AppArmor annotations to be consistently applied using:

pod:
  mandatory_access_control:
    type: apparmor
    ceph-osd-default:
      ceph-osd-default: localhost/profilename

Change-Id: I8b6eda00f77ec7393a4311309f3ff76908d06ae6
parent
81d2d687c8
commit
938c6d9bb9
@ -212,7 +212,7 @@ spec:
|
|||||||
mountPath: /var/lib/ceph/journal
|
mountPath: /var/lib/ceph/journal
|
||||||
readOnly: false
|
readOnly: false
|
||||||
containers:
|
containers:
|
||||||
- name: osd-pod
|
- name: ceph-osd-default
|
||||||
{{ tuple $envAll "ceph_osd" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "ceph_osd" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.osd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.osd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "osd" "container" "osd_pod" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "osd" "container" "osd_pod" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
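Review bot: The literal `- name: ceph-osd-default` is now the key the AppArmor annotation is matched on, but nothing at that line says so, and the security-context include three lines below still looks the same container up as `"container" "osd_pod"`. A later rename, or an operator who reuses the `osd_pod` key under `pod.mandatory_access_control`, would presumably leave the OSD container running without the intended profile and without any render error. I would add a template comment above the name, `{{/* must stay ceph-osd-default: pod.mandatory_access_control is keyed by this container name */}}`, and have the chart's checks assert that the rendered pod template, with and without overrides, carries an AppArmor annotation for `ceph-osd-default`. The container spec starts and ends outside this hunk, so any other consumers of the old `osd-pod` name are not visible here.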
|
@ -230,17 +230,6 @@ limitations under the License.
|
|||||||
{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
|
{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
|
||||||
{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
|
{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
|
||||||
|
|
||||||
{{/* set container names and add to the list of containers for the pod */}}
|
|
||||||
{{- $_ := set $context.Values "__containers_list" ( list ) }}
|
|
||||||
{{- range $container := $context.Values.__daemonset_yaml.spec.template.spec.containers }}
|
|
||||||
{{- if eq $container.name "osd-pod" }}
|
|
||||||
{{- $_ := set $container "name" $current_dict.dns_1123_name }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $__containers_list := append $context.Values.__containers_list $container }}
|
|
||||||
{{- $_ := set $context.Values "__containers_list" $__containers_list }}
|
|
||||||
{{- end }}
|
|
||||||
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "containers" $context.Values.__containers_list }}
|
|
||||||
|
|
||||||
{{/* cross-reference configmap name to container volume definitions */}}
|
{{/* cross-reference configmap name to container volume definitions */}}
|
||||||
{{- $_ := set $context.Values "__volume_list" list }}
|
{{- $_ := set $context.Values "__volume_list" list }}
|
||||||
{{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
|
{{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
|
||||||
|