From 841feb7e8228f3496273f02a096c8541e9eebc7e Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Wed, 11 Dec 2019 03:31:22 +0000
Subject: [PATCH] Enable runtime apparmor for ceph-mon,ceph-mds & ceph-mgr. Also changed ceph apparmor gate job.

Change-Id: I92b9a467b2a77d607dd431f031ec566cc18a86a4
---
 ceph-client/templates/deployment-mds.yaml | 1 +
 ceph-client/templates/deployment-mgr.yaml | 1 +
 ceph-client/values.yaml | 8 +++
 ceph-mon/templates/deployment-moncheck.yaml | 1 +
 ceph-mon/values.yaml | 4 ++
 tools/deployment/apparmor/020-ceph.sh | 65 +++++++++++++++++++++
 6 files changed, 80 insertions(+)
diff --git a/ceph-client/templates/deployment-mds.yaml b/ceph-client/templates/deployment-mds.yaml
index dd4ae8426..340673604 100644
--- a/ceph-client/templates/deployment-mds.yaml
+++ b/ceph-client/templates/deployment-mds.yaml
@@ -43,6 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-client/templates/deployment-mgr.yaml b/ceph-client/templates/deployment-mgr.yaml
index 92810b913..b4fd216ac 100644
--- a/ceph-client/templates/deployment-mgr.yaml
+++ b/ceph-client/templates/deployment-mgr.yaml
@@ -43,6 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index e2c8a8b81..ecdd81417 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -56,6 +56,14 @@ labels:
 node_selector_value: enabled
 pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-mds:
+ ceph-mds: runtime/default
+ mandatory_access_control:
+ type: apparmor
+ ceph-mgr:
+ ceph-mgr: runtime/default
 security_context:
 checkdns:
 pod:
diff --git a/ceph-mon/templates/deployment-moncheck.yaml b/ceph-mon/templates/deployment-moncheck.yaml
index ff488b669..4a9e869a9 100644
--- a/ceph-mon/templates/deployment-moncheck.yaml
+++ b/ceph-mon/templates/deployment-moncheck.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-mon/values.yaml b/ceph-mon/values.yaml
index 2e070d178..2ae6d8ed7 100644
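Review bot: `mandatory_access_control:` is added twice under `pod:` in the ceph-client/values.yaml hunk, and a YAML mapping cannot carry a duplicate key — a last-wins loader keeps only the second mapping (`type` plus `ceph-mgr`), so `.Values.pod.mandatory_access_control.ceph-mds` disappears and the annotation line added in deployment-mds.yaml has nothing to look up, while a strict loader rejects the file outright. Both pods belong under a single mapping, which also avoids repeating `type: apparmor`. The ceph-mon/values.yaml hunk already defines one mapping and needs no change.
```yaml
pod:
  mandatory_access_control:
    type: apparmor
    ceph-mds:
      ceph-mds: runtime/default
    ceph-mgr:
      ceph-mgr: runtime/default
  # … unchanged: security_context …
```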
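Review bot: The values key this line reads, `pod.mandatory_access_control.ceph-mon`, is consumed only by the moncheck deployment: per the diffstat the only ceph-mon template touched is deployment-moncheck.yaml, so the mon pods themselves still carry no AppArmor annotation despite the commit title. The new MON_POD check in 020-ceph.sh therefore passes only if the container runtime already applies `docker-default` to un-annotated containers — Docker does so by default, other runtimes may not — so that check does not demonstrate the annotation is effective. Either add the same `{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}` line to the mon daemonset's pod annotations, or key the values entry by the moncheck pod so readers do not assume mon is covered. The container name inside the moncheck pod is not visible here; confirm it really is `ceph-mon` as the `containerNames` list assumes.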
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@@ -45,6 +45,10 @@ labels:
 node_selector_value: enabled
 pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-mon:
+ ceph-mon: runtime/default
 security_context:
 mon:
 pod:
diff --git a/tools/deployment/apparmor/020-ceph.sh b/tools/deployment/apparmor/020-ceph.sh
index 16f77a125..0010f3953 100755
--- a/tools/deployment/apparmor/020-ceph.sh
+++ b/tools/deployment/apparmor/020-ceph.sh
@@ -220,3 +220,68 @@ MON_POD=$(kubectl get pods \
 --selector="component=mon" \
 --no-headers | awk '{ print $1; exit }')
 kubectl exec -n ceph ${MON_POD} -- ceph -s
+
+## Validate AppArmor For Ceph-Mon
+expected_profile="docker-default (enforce)"
+profile=`kubectl -n ceph exec $MON_POD -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+ if test "$profile" != "$expected_profile"
+ then
+ if test "$proc_name" == "pause"
+ then
+ echo "Root process (pause) can run docker-default, it's ok."
+ else
+ echo "$profile is the WRONG PROFILE!!"
+ return 1
+ fi
+ fi
+
+## Validate AppArmor For Ceph-Mon-Check
+sleep 60
+MON_CHECK_POD=$(kubectl get pods --namespace=ceph -o wide | grep mon-check | awk '{print $1}')
+expected_profile="docker-default (enforce)"
+profile=`kubectl -n ceph exec $MON_CHECK_POD -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+ if test "$profile" != "$expected_profile"
+ then
+ if test "$proc_name" == "pause"
+ then
+ echo "Root process (pause) can run docker-default, it's ok."
+ else
+ echo "$profile is the WRONG PROFILE!!"
+ return 1
+ fi
+ fi
+
+## Validate AppArmor For Ceph-MDS
+MDS_POD=$(kubectl get pods --namespace=ceph | grep 1/1 | grep mds | awk '{print $1}')
+expected_profile="docker-default (enforce)"
+profile=`kubectl -n ceph exec $MDS_POD -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+ if test "$profile" != "$expected_profile"
+ then
+ if test "$proc_name" == "pause"
+ then
+ echo "Root process (pause) can run docker-default, it's ok."
+ else
+ echo "$profile is the WRONG PROFILE!!"
+ return 1
+ fi
+ fi
+
+## Validate AppArmor For Ceph-Mgr
+MGR_POD=$(kubectl get pods --namespace=ceph -o wide |grep 1/1 | grep mgr | awk '{print $1}')
+expected_profile="docker-default (enforce)"
+profile=`kubectl -n ceph exec $MGR_POD -- cat /proc/1/attr/current`
+echo "Profile running: $profile"
+ if test "$profile" != "$expected_profile"
+ then
+ if test "$proc_name" == "pause"
+ then
+ echo "Root process (pause) can run docker-default, it's ok."
+ else
+ echo "$profile is the WRONG PROFILE!!"
+ return 1
+ fi
+ fi
+
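Review bot: The failure branch of all four new checks cannot fail the gate as written: `$proc_name` is never assigned in the hunk (if the script sets it earlier that is not visible here), so the pause exemption compares against an empty string, and `return 1` at script top level is a bash error rather than a script exit — `exit 1` is what is meant. The pod lookups also depart from the MON_POD pattern in the context lines: `grep mon-check`, `grep mds` and `grep mgr` over `kubectl get pods` output return every matching pod, so with more than one replica `kubectl -n ceph exec $MDS_POD` receives several names, and `grep 1/1` plus `sleep 60` is a timing guess rather than a wait. The block is copied four times; one function using a label selector with `awk '{ print $1; exit }'` like MON_POD removes the duplication and the unquoted expansions. `expected_profile` also hard-codes the Docker profile name while values.yaml requests `runtime/default`; on another CRI the enforced profile name differs, so it is worth making the expected string overridable.
```shell
kubectl exec -n ceph ${MON_POD} -- ceph -s

# Fail the gate unless PID 1 of the first Running pod matching the selector
# reports the expected AppArmor profile. The $proc_name/pause exemption is
# dropped because nothing visible sets $proc_name.
check_apparmor_profile() {
  local selector="$1"
  local expected_profile="${EXPECTED_APPARMOR_PROFILE:-docker-default (enforce)}"
  local pod profile
  pod=$(kubectl get pods --namespace=ceph --selector="${selector}" \
        --field-selector=status.phase=Running --no-headers | awk '{ print $1; exit }')
  profile=$(kubectl -n ceph exec "${pod}" -- cat /proc/1/attr/current)
  echo "Profile running: ${profile}"
  if test "${profile}" != "${expected_profile}"; then
    echo "${profile} is the WRONG PROFILE!!"
    exit 1
  fi
}

# component label values for mds/mgr are not visible in this diff — confirm them
check_apparmor_profile "component=mon"
check_apparmor_profile "component=moncheck"
check_apparmor_profile "component=mds"
check_apparmor_profile "component=mgr"
```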