From 825e123fb98b7150f6dfa00b609d8a2310707146 Mon Sep 17 00:00:00 2001 From: Prateek Dodda Date: Tue, 4 Feb 2020 10:27:33 -0600 Subject: [PATCH] Add Docker default AppArmor profile to armada Change-Id: Iee43dfd56ecf5e4d18f93872b58359851c73d55f --- charts/armada/templates/deployment-api.yaml | 1 + charts/armada/values.yaml | 4 ++++ tools/gate/playbooks/airskiff-deploy.yaml | 6 ++++++ 3 files changed, 11 insertions(+) diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml index 28371c06..a48c8b64 100644 --- a/charts/armada/templates/deployment-api.yaml +++ b/charts/armada/templates/deployment-api.yaml @@ -105,6 +105,7 @@ spec: {{ $labels | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} +{{ dict "envAll" $envAll "podName" "armada-api" "containerNames" (list "armada-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml index bbc9160c..4c1e603e 100644 --- a/charts/armada/values.yaml +++ b/charts/armada/values.yaml @@ -226,6 +226,10 @@ monitoring: port: 8000 pod: + mandatory_access_control: + type: apparmor + armada-api: + armada-api: runtime/default probes: armada: api: diff --git a/tools/gate/playbooks/airskiff-deploy.yaml b/tools/gate/playbooks/airskiff-deploy.yaml index 3c786c1c..c79e27c0 100644 --- a/tools/gate/playbooks/airskiff-deploy.yaml +++ b/tools/gate/playbooks/airskiff-deploy.yaml 
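Review bot: In charts/armada/templates/deployment-api.yaml the added include passes `"containerNames" (list "armada-api")`, so only that one container receives an explicit AppArmor annotation. AppArmor annotations are per container, and the pod template's container list lies outside this hunk, so any init container or sidecar it defines would fall back to whatever the runtime applies by default. If such containers exist, name them here and give each a profile in values.yaml, for example `"containerNames" (list "armada-api" "init")` with a matching `init: runtime/default`. The name `init` is a constructed example and should be checked against the template.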
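Review bot: The new `pod.mandatory_access_control` block in charts/armada/values.yaml carries no comment, although its two nested `armada-api` keys mean different things: the outer one appears to be the `podName` the template passes, the inner one the container name. A typo in either would presumably render no annotation and raise no error, so I would add `# outer key: podName used in deployment-api.yaml; inner key: container name; value: AppArmor profile` above the first `armada-api:`. This default applies to every install of the chart, so the comment should also say that nodes need AppArmor enabled, because the kubelet is expected to reject pods that request a profile on a host without it.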
@@ -31,6 +31,12 @@ args: chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" + - name: Setup Apparmor + shell: | + ./tools/deployment/airskiff/developer/015-setup-apparmor.sh + args: + chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" + - name: Deploy Kubernetes with Minikube shell: | ./tools/deployment/airskiff/developer/010-deploy-k8s.sh
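Review bot: The new `Setup Apparmor` task runs `015-setup-apparmor.sh` before `010-deploy-k8s.sh`, against the scripts' own numbering, and nothing in the playbook explains the order. Presumably the host must have AppArmor in place before Minikube starts, so that pods annotated `runtime/default` are admitted. A comment above the task, such as `# AppArmor must be configured on the host before the cluster comes up`, would keep a later cleanup from reordering it. The script is taken from the treasuremap checkout rather than this repository, so the gate job depends on that project already carrying it. The task list continues outside the hunk.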