Add apparmor profile to apiserver and etcd jobs
Change-Id: I8bed3213868b45a438e5ae5929bca8bef699a503
parent
c6da9d64c5
commit
b51eb9802d
|
@ -91,6 +91,7 @@ spec:
|
|||
metadata:
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{ dict "envAll" $envAll "podName" "kube-apiserver" "containerNames" (list "init" "apiserver-key-rotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
labels:
|
||||
{{ tuple $envAll "kube-apiserver" "key-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
|
|
|
@ -267,6 +267,9 @@ pod:
|
|||
type: apparmor
|
||||
kubernetes_apiserver_anchor:
|
||||
anchor: runtime/default
|
||||
kube-apiserver:
|
||||
init: runtime/default
|
||||
apiserver-key-rotate: runtime/default
|
||||
security_context:
|
||||
kubernetes_apiserver_anchor:
|
||||
pod:
|
||||
|
|
|
@ -65,6 +65,8 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $applicationName "etcd-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
{{ dict "envAll" $envAll "podName" "etcd-backup" "containerNames" (list "etcd-backup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
template:
|
||||
spec:
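Review bot: The added `annotations:` include is piped through `indent 4`, while the `labels:` include directly above it under the same `metadata:` uses `indent 8`. Indentation is lost in this rendering, but if `annotations:` sits at the same depth as `labels:`, the AppArmor entries would render outside the `annotations` map; `| indent 8` would match the sibling. Separately, this `metadata:` precedes `spec:` / `template:`, so it appears to be the Job's metadata rather than the pod template's. AppArmor annotations are read from the pod, so the include likely belongs under `template.metadata.annotations`; the template's own metadata, if any, is outside the hunk.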
|
||||
|
|
|
@ -50,7 +50,7 @@ metadata:
|
|||
{{ tuple $envAll $applicationName "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
{{- dict "envAll" $envAll "podName" "etcd" "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
hostNetwork: true
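Review bot: Hard-coding `"podName" "etcd"` in place of `.Values.service.name` changes the values key the profile is looked up under, so an existing override keyed by the service name (the values comment names `calico-etcd` and `kubernetes-etcd`) would no longer match. Assuming the snippet emits nothing for a missing key, those deployments would lose their etcd AppArmor annotation on upgrade without any error. A release note, or a render-time guard such as `{{- if hasKey .Values.pod.mandatory_access_control .Values.service.name }}{{ fail "move this override to pod.mandatory_access_control.etcd" }}{{- end }}`, would make the migration visible. Which of the two annotation lines is the new one is inferred from print order, because the +/- markers are not shown here.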
|
||||
|
|
|
@ -27,7 +27,7 @@ metadata:
|
|||
"helm.sh/hook": "test-success"
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{ dict "envAll" $envAll "podName" "kubernetes-etcd" "containerNames" (list "kubernetes-etcd-etcd-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
{{ dict "envAll" $envAll "podName" "etcd-test" "containerNames" (list "etcd-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
labels:
|
||||
{{ tuple $envAll $applicationName "etcd-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
|
@ -57,7 +57,7 @@ spec:
|
|||
operator: Exists
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- name: kubernetes-etcd-etcd-test
|
||||
- name: etcd-test
|
||||
env:
|
||||
- name: ETCDCTL_API
|
||||
value: "{{ .Values.etcd.etcdctl_api }}"
|
||||
|
|
|
@ -186,12 +186,14 @@ pod:
|
|||
mandatory_access_control:
|
||||
type: apparmor
|
||||
# requires override for a specific use case e.g. calico-etcd or kubernetes-etcd
|
||||
example-etcd:
|
||||
etcd: localhost/docker-default
|
||||
etcd:
|
||||
etcd: runtime/default
|
||||
etcd-anchor:
|
||||
etcdctl: runtime/default
|
||||
kubernetes-etcd:
|
||||
kubernetes-etcd-etcd-test: runtime/default
|
||||
etcd-test:
|
||||
etcd-test: runtime/default
|
||||
etcd-backup:
|
||||
etcd-backup: runtime/default
|
||||
env:
|
||||
etcd:
|
||||
# can be used for tuning, e.g. https://etcd.io/docs/v3.4.0/tuning/
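Review bot: The comment `# requires override for a specific use case e.g. calico-etcd or kubernetes-etcd` is kept above the map, but the keys below it now look like fixed pod names (`etcd`, `etcd-test`, `etcd-backup`) matching the literal `podName` values in the templates, so it no longer describes how to override. Suggest replacing it with `# keys are the podName passed to the mandatory_access_control snippet; each entry maps a container name to its AppArmor profile`. It would also help to note that `runtime/default` selects the container runtime's default profile, and that a `localhost/<profile>` value requires that profile to be loaded on every node that can schedule the pod.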
|
||||
|
|