From 67716a7841ba31566983c73e0128f97c129b0bb8 Mon Sep 17 00:00:00 2001
From: Prateek Dodda
Date: Thu, 30 Jan 2020 15:12:59 -0600
Subject: [PATCH] Add Docker default AppArmor profile to drydock

Change-Id: I50be2f08e69123afbef136683134abffc4e44197
---
 .zuul.yaml | 9 ++++-----
 charts/drydock/templates/deployment.yaml | 1 +
 charts/drydock/values.yaml | 4 ++++
 tools/gate/playbooks/omni_test.yaml | 7 +++++++
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index 0633bad4..ba839ccc 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -23,14 +23,12 @@
         - airship-drydock-chart-build-latest-htk
         - airship-drydock-docker-build-gate-ubuntu_xenial
         - airship-drydock-docker-build-gate-ubuntu_bionic
-
     gate:
       jobs:
         - airship-drydock-omni-test
         - airship-drydock-chart-build-gate
         - airship-drydock-docker-build-gate-ubuntu_xenial
         - airship-drydock-docker-build-gate-ubuntu_bionic
-
     post:
       jobs:
         - airship-drydock-docker-publish-ubuntu_xenial
@@ -41,7 +39,7 @@
     name: airship-drydock-single-node
     nodes:
       - name: primary
-        label: ubuntu-xenial
+        label: ubuntu-bionic
 
 - job:
     name: airship-drydock-omni-test
@@ -49,7 +47,9 @@
       Run a set of lightweight lints and tests (pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
     run: tools/gate/playbooks/omni_test.yaml
-    timeout: 900
+    required-projects:
+      - openstack/openstack-helm-infra
+    timeout: 3600
     nodeset: airship-drydock-single-node
 
 - job:
@@ -141,7 +141,6 @@
         commit: true
         static:
           - latest
-
 - secret:
     name: airship_drydock_quay_creds
     data:
diff --git a/charts/drydock/templates/deployment.yaml b/charts/drydock/templates/deployment.yaml
index dfd19ad0..8ea6f206 100644
--- a/charts/drydock/templates/deployment.yaml
+++ b/charts/drydock/templates/deployment.yaml
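Review bot: The new `required-projects` entry pulls `openstack/openstack-helm-infra` into the omni-test job with no branch or ref pin, so the gate now executes whatever that project's matching branch contains at run time (the playbook hunk runs `tools/deployment/apparmor/001-setup-apparmor-profiles.sh` out of that checkout), and a change landing there can alter or break this gate with no change to drydock. If a fixed revision is wanted, Zuul lets a required-projects entry carry an `override-checkout`; otherwise the dependency should at least be called out next to the entry, e.g. `# unpinned: tracks helm-infra's matching branch; provides the apparmor setup script used by omni_test.yaml`. The timeout also jumps from 900 to 3600 with nothing explaining why; a one-line comment such as `# bionic node + helm-infra apparmor setup exceed the old 900s lint budget` (wording to be confirmed against actual run times) would stop the next reviewer from trimming it back. The enclosing `- job:` stanza begins before this hunk.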
@@ -37,6 +37,7 @@ spec:
 {{ $labels | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "drydock-api" "containerNames" (list "drydock-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
diff --git a/charts/drydock/values.yaml b/charts/drydock/values.yaml
index 4bea69b1..d0abad35 100644
--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
@@ -58,6 +58,10 @@ network:
       nginx.ingress.kubernetes.io/rewrite-target: /
 
 pod:
+  mandatory_access_control:
+    type: apparmor
+    drydock-api:
+      drydock-api: runtime/default
   security_context:
     drydock:
       pod:
diff --git a/tools/gate/playbooks/omni_test.yaml b/tools/gate/playbooks/omni_test.yaml
index d62be2e0..d67c3014 100644
--- a/tools/gate/playbooks/omni_test.yaml
+++ b/tools/gate/playbooks/omni_test.yaml
@@ -47,3 +47,10 @@
         target: run_drydock
         register: result
         become: true
+      - name: Setup Apparmor
+        shell: |
+          set -xe;
+          ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+        args:
+          chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
+          executable: /bin/bash
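Review bot: The annotation is generated only for the single container named in `containerNames` (`drydock-api`), so any init container or sidecar in the pod spec that follows (the `spec:` block is outside this hunk) gets no AppArmor annotation and runs under whatever the node runtime applies by default; Kubernetes AppArmor annotations are per container, so each one has to be listed explicitly. That coupling is invisible from the template line alone; a comment above it would help, e.g. `# per-container AppArmor annotation: keep containerNames in sync with .Values.pod.mandatory_access_control.drydock-api`. It is also worth checking a rendered manifest once: the snippet is piped through `indent 8` like the release_uuid line above it, so its output must land under `annotations:` alongside the configmap hashes rather than at the wrong depth.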
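Review bot: `runtime/default` is the profile the container runtime already applies when no annotation is present, so this value makes the existing default explicit and keeps the container from silently running unconfined if that default is ever switched off elsewhere, but it does not add confinement beyond what Docker already provides; the commit message should not be read as a hardening step beyond that. The nested key name `drydock-api` is the pod name the template looks up and must stay identical to the `podName` passed to the helm-toolkit snippet in deployment.yaml, and the inner key must match the container name; a comment would make that explicit: `# keyed by podName, then containerName, as passed to kubernetes_mandatory_access_control_annotation`. As far as I recall, a pod that requests any AppArmor profile is rejected on a node where AppArmor is disabled, so the gate node (now ubuntu-bionic) and production nodes need AppArmor enabled for this value to be safe to ship as a default.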
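Review bot: The new task is appended after the `run_drydock` task (whose start is outside this hunk), so anything the helm-infra script loads reaches the node only after the chart has already been deployed; with the chart requesting `runtime/default` that is harmless because the runtime supplies that profile itself, but if a custom profile is ever referenced from values this task has to move ahead of the deploy or the pod will be refused. The task also has no `become: true` while the preceding task does; loading AppArmor profiles needs root, so confirm whether the script elevates itself, and if not add `become: true` at task level. Minor style: the `;` after `set -xe` is a no-op in a block scalar and can go.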