Add apparmor profile to apiserver and etcd jobs

Change-Id: I8bed3213868b45a438e5ae5929bca8bef699a503

charts/apiserver/templates/job-key-rotate.yaml

@@ -91,6 +91,7 @@ spec:
     metadata:
       annotations:
         {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "kube-apiserver" "containerNames" (list "init" "apiserver-key-rotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
       labels:
 {{ tuple $envAll "kube-apiserver" "key-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:

charts/apiserver/values.yaml

@@ -267,6 +267,9 @@ pod:
     type: apparmor
     kubernetes_apiserver_anchor:
       anchor: runtime/default
+    kube-apiserver:
+      init: runtime/default
+      apiserver-key-rotate: runtime/default
   security_context:
     kubernetes_apiserver_anchor:
       pod:

charts/etcd/templates/cron-job-etcd-backup.yaml

@@ -65,6 +65,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll $applicationName "etcd-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "etcd-backup" "containerNames" (list "etcd-backup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
     spec:
       template:
         spec:

charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl

@@ -50,7 +50,7 @@ metadata:
 {{ tuple $envAll $applicationName "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
     {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-{{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+{{- dict "envAll" $envAll "podName" "etcd" "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 {{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
   hostNetwork: true

charts/etcd/templates/tests/test-etcd-health.yaml

@@ -27,7 +27,7 @@ metadata:
     "helm.sh/hook": "test-success"
     scheduler.alpha.kubernetes.io/critical-pod: ''
     {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-{{ dict "envAll" $envAll "podName" "kubernetes-etcd" "containerNames" (list "kubernetes-etcd-etcd-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+{{ dict "envAll" $envAll "podName" "etcd-test" "containerNames" (list "etcd-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
   labels:
 {{ tuple $envAll $applicationName "etcd-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
@@ -57,7 +57,7 @@ spec:
       operator: Exists
       effect: NoSchedule
   containers:
-    - name: kubernetes-etcd-etcd-test
+    - name: etcd-test
       env:
         - name: ETCDCTL_API
           value: "{{ .Values.etcd.etcdctl_api }}"

charts/etcd/values.yaml

@@ -186,12 +186,14 @@ pod:
   mandatory_access_control:
     type: apparmor
     # requires override for a specific use case e.g. calico-etcd or kubernetes-etcd
-    example-etcd:
+    etcd:
-      etcd: localhost/docker-default
+      etcd: runtime/default
     etcd-anchor:
       etcdctl: runtime/default
-    kubernetes-etcd:
+    etcd-test:
-      kubernetes-etcd-etcd-test: runtime/default
+      etcd-test: runtime/default
+    etcd-backup:
+      etcd-backup: runtime/default
   env:
     etcd:
       # can be used for tuning, e.g. https://etcd.io/docs/v3.4.0/tuning/