From ae24ce9999298b6f09390741c8953d5d1b8b71e6 Mon Sep 17 00:00:00 2001
From: Luna Das
Date: Tue, 1 Jan 2019 07:14:01 -0500
Subject: [PATCH] Add default-docker (enforce) AppArmor profile to Elasticsearch
Change-Id: I86930ee90170385008d5c674eab34d7c0e34e6e4
---
 elasticsearch/templates/deployment-client.yaml | 1 +
 elasticsearch/templates/deployment-master.yaml | 1 +
 elasticsearch/templates/statefulset-data.yaml | 2 ++
 elasticsearch/values.yaml | 8 ++++++++
 4 files changed, 12 insertions(+)
diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index 20776f51a..da2d39f02 100644
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
@@ -80,6 +80,7 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "elasticsearch-client" "containerNames" (list "elasticsearch-client") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/elasticsearch/templates/deployment-master.yaml b/elasticsearch/templates/deployment-master.yaml
index c58d201eb..3ca351682 100644
--- a/elasticsearch/templates/deployment-master.yaml
+++ b/elasticsearch/templates/deployment-master.yaml
@@ -78,6 +78,7 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "elasticsearch-master" "containerNames" (list "elasticsearch-master") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
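Review bot: In `deployment-client.yaml` the `containerNames` list holds only `elasticsearch-client`, so any init or sidecar container defined further down in this pod spec (outside the hunk) gets no profile entry from this include. The values added by this commit map one profile per container name, so such containers would presumably fall back to whatever the runtime applies on its own rather than the profile pinned in values. If the pod has them, they should be added both to the list and under `pod.mandatory_access_control.elasticsearch-client` in `values.yaml`, e.g. `(list "elasticsearch-client" "<init-container-name>")`. The same applies to the `elasticsearch-master` and `elasticsearch-data` hunks.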
diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index 49a6c4052..5f1bb17be 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -75,6 +75,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "elasticsearch-data" "containerNames" (list "elasticsearch-data") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index f214cef84..15978c0c5 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -98,6 +98,14 @@ dependencies:
 service: elasticsearch
 pod:
+ mandatory_access_control:
+ type: apparmor
+ elasticsearch-master:
+ elasticsearch-master: localhost/docker-default
+ elasticsearch-data:
+ elasticsearch-data: localhost/docker-default
+ elasticsearch-client:
+ elasticsearch-client: localhost/docker-default
 user:
 elasticsearch_exporter:
 uid: 99
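Review bot: In `statefulset-data.yaml` the new `annotations:` key has the include as its only child, unlike the two Deployments where the configmap hash annotations are already present under it. If the helper renders nothing (for example when an operator overrides `pod.mandatory_access_control` away for nodes without AppArmor), the key is left without a value and parses as null. It would be worth rendering the chart with that values block removed to confirm the StatefulSet still validates, and adding a template comment above the key such as `{{/* annotations may render empty when pod.mandatory_access_control is unset */}}`.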
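Review bot: `localhost/docker-default` in the three new `values.yaml` entries refers to a profile by name, and a `localhost/` reference only works where that profile is already loaded on the node that schedules the pod. `docker-default` is the profile Docker itself loads, so on nodes using another container runtime it would presumably be absent and these pods would not be admitted. `runtime/default` selects the container runtime's own default profile without that node prerequisite, e.g. `elasticsearch-master: runtime/default`. If pinning the Docker profile is intentional, a comment above `mandatory_access_control:` such as `# requires the docker-default AppArmor profile to be loaded on every node` would document the dependency.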