From 8463e61eb7fc38e4b4883716e26639752d64876d Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Thu, 9 Apr 2020 10:48:23 -0500
Subject: [PATCH] apiserver-webhook: Add Apparmor runtime default to apiserver-webhook
Change-Id: Ib2376030a2e694c2b359a4bbffdc0bd968ec6310
---
 charts/apiserver-webhook/templates/deployment.yaml | 1 +
 charts/apiserver-webhook/values.yaml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 628e56bd..f945c911 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -117,6 +117,7 @@ spec:
 {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "apiserver-webhook" "containerNames" (list "apiserver" "webhook") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index d3b89e64..7e285f65 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -202,6 +202,11 @@ network_policy:
 - {}
 pod:
+ mandatory_access_control:
+ type: apparmor
+ apiserver-webhook:
+ apiserver: runtime/default
+ webhook: runtime/default
 security_context:
 apiserver_webhook:
 pod:
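Review bot: The names passed in `(list "apiserver" "webhook")` on the added annotation line must equal the `name:` fields of the containers in this Deployment's pod spec, and that spec lies outside the hunk, so the match cannot be confirmed here. AppArmor annotations are keyed per container name, so a name that drifts would leave that container without the intended profile, or the API server may reject the pod for referencing a container that does not exist. Any init container in the pod is also not listed and would not be covered. I would add a trimmed template comment above the line, `{{- /* containerNames must match spec.containers[].name and pod.mandatory_access_control in values.yaml */}}`, and confirm with `helm template` that both `container.apparmor.security.beta.kubernetes.io/...` annotations render.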
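Review bot: The new key `apiserver-webhook` under `mandatory_access_control` is hyphenated, while the sibling key under `security_context` a few lines below is `apiserver_webhook`. The lookup presumably uses the `podName` string passed in deployment.yaml, so an operator who copies the underscore spelling into an override would most likely get no AppArmor annotation and no error. A comment above the block would document this, for example `# keys must match podName/containerNames in templates/deployment.yaml; values: runtime/default or localhost/<profile>`. It is also worth noting there that `runtime/default` is the container runtime's generic profile, so a site that wants a profile tailored to this webhook has to override it with a `localhost/` profile loaded on the nodes.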