diff --git a/ceph-client/templates/deployment-checkdns.yaml b/ceph-client/templates/deployment-checkdns.yaml
index 9a64285d1c..14bc97033d 100644
--- a/ceph-client/templates/deployment-checkdns.yaml
+++ b/ceph-client/templates/deployment-checkdns.yaml
@@ -68,6 +68,7 @@ spec:
 {{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-checkdns" "containerNames" (list "ceph-checkdns" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-client/templates/deployment-mds.yaml b/ceph-client/templates/deployment-mds.yaml
index 3406736047..5de290261c 100644
--- a/ceph-client/templates/deployment-mds.yaml
+++ b/ceph-client/templates/deployment-mds.yaml
@@ -43,7 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mds" "containerNames" (list "ceph-mds" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
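Review bot: The `containerNames` list for `ceph-mds` names only `ceph-mds` and `ceph-init-dirs`, whereas the checkdns and rbd-pool hunks in the same chart also list `init`; the `ceph-mgr` hunk and the `ceph-mon` daemonset hunk have the same gap. The pod specs are outside these hunks, so this is inferred, but if these pods also render an `init` container it receives no AppArmor annotation and the override files have no key for it. In that case the list should read `(list "ceph-mds" "ceph-init-dirs" "init")`, with a matching `init: runtime/default` under `ceph-mds` in `values_overrides/apparmor.yaml`, and likewise for mgr and mon.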
diff --git a/ceph-client/templates/deployment-mgr.yaml b/ceph-client/templates/deployment-mgr.yaml
index b4fd216ac5..1c785af4b3 100644
--- a/ceph-client/templates/deployment-mgr.yaml
+++ b/ceph-client/templates/deployment-mgr.yaml
@@ -43,7 +43,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mgr" "containerNames" (list "ceph-mgr" "ceph-init-dirs") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-client/templates/job-rbd-pool.yaml b/ceph-client/templates/job-rbd-pool.yaml
index 7e5e2d6beb..55a3f77e03 100644
--- a/ceph-client/templates/job-rbd-pool.yaml
+++ b/ceph-client/templates/job-rbd-pool.yaml
@@ -32,6 +32,8 @@ spec:
       name: ceph-rbd-pool
       labels:
 {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "ceph-rbd-pool" "containerNames" (list "ceph-rbd-pool" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-client/values_overrides/apparmor.yaml b/ceph-client/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..f4a76523c6
--- /dev/null
+++ b/ceph-client/values_overrides/apparmor.yaml
@@ -0,0 +1,16 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-checkdns:
+      ceph-checkdns: runtime/default
+      init: runtime/default
+    ceph-mds:
+      ceph-mds: runtime/default
+      ceph-init-dirs: runtime/default
+    ceph-mgr:
+      ceph-mgr: runtime/default
+      ceph-init-dirs: runtime/default
+    ceph-rbd-pool:
+      ceph-rbd-pool: runtime/default
+      init: runtime/default
+
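Review bot: The new override file carries no comment saying what its keys have to match, and a misspelled pod or container name here would presumably just yield no annotation. I would add a header such as `# pod.mandatory_access_control.<podName>.<containerName>: <profile>` followed by `# names must match the podName/containerNames passed to the annotation snippet in templates/`. The same header would help the ceph-mon, ceph-osd and ceph-provisioners override files added in this change. The file also ends with an empty added line that can be dropped.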
diff --git a/ceph-mon/templates/daemonset-mon.yaml b/ceph-mon/templates/daemonset-mon.yaml
index 16daae5129..db273f9265 100644
--- a/ceph-mon/templates/daemonset-mon.yaml
+++ b/ceph-mon/templates/daemonset-mon.yaml
@@ -68,6 +68,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon" "ceph-init-dirs" "ceph-log-ownership") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-mon/templates/deployment-moncheck.yaml b/ceph-mon/templates/deployment-moncheck.yaml
index 4a9e869a9e..fb4892de29 100644
--- a/ceph-mon/templates/deployment-moncheck.yaml
+++ b/ceph-mon/templates/deployment-moncheck.yaml
@@ -39,7 +39,7 @@ spec:
 {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-{{ dict "envAll" $envAll "podName" "ceph-mon" "containerNames" (list "ceph-mon") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-mon-check" "containerNames" (list "ceph-mon" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
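Review bot: Changing `podName` from `ceph-mon` to `ceph-mon-check` changes the values key this template reads, so an existing override that set a profile for the moncheck pod under `pod.mandatory_access_control.ceph-mon` stops applying to it after an upgrade. The snippet's lookup is not visible here, but it appears to emit nothing when the key is absent, so the profile would be dropped without any error. A release note, or a template comment next to the annotation such as `{{/* profiles for this pod are read from pod.mandatory_access_control.ceph-mon-check */}}`, would make the key change visible to operators.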
diff --git a/ceph-mon/templates/job-storage-admin-keys.yaml b/ceph-mon/templates/job-storage-admin-keys.yaml
index a069213cd7..c13cad0805 100644
--- a/ceph-mon/templates/job-storage-admin-keys.yaml
+++ b/ceph-mon/templates/job-storage-admin-keys.yaml
@@ -58,6 +58,11 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ceph-storage-keys-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
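Review bot: Besides the AppArmor annotation, this hunk adds `release_uuid`, `configmap-bin-hash` and `configmap-etc-hash` to the Job's pod template, which the rbd-pool and cephfs-client-key Job hunks in the same change do not do. A Job's pod template cannot be modified in place once the Job exists, so hash annotations that change with the configmaps make the rendered template differ on upgrade. It is worth confirming the upgrade path tolerates that, or limiting the hunk to the `annotations:` key and the `kubernetes_mandatory_access_control_annotation` line. If the hashes are intended, they belong in a separate commit with their own justification.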
diff --git a/ceph-mon/values_overrides/apparmor.yaml b/ceph-mon/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..8fb4e088d6
--- /dev/null
+++ b/ceph-mon/values_overrides/apparmor.yaml
@@ -0,0 +1,15 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-mon:
+      ceph-init-dirs: runtime/default
+      ceph-mon: runtime/default
+      ceph-log-ownership: runtime/default
+    ceph-mon-check:
+      ceph-mon: runtime/default
+      init: runtime/default
+    ceph-bootstrap:
+      ceph-bootstrap: runtime/default
+    ceph-storage-keys-generator:
+      ceph-storage-keys-generator: runtime/default
+      init: runtime/default
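Review bot: The `ceph-bootstrap` entry has no counterpart among the template hunks of this change: no ceph-mon template shown here passes `"podName" "ceph-bootstrap"` to the annotation snippet. Unless the bootstrap Job template already does so outside this diff, the key is inert and the bootstrap pod runs without the annotation while the override file suggests otherwise. Either wire the snippet into the bootstrap Job template with `(list "ceph-bootstrap" "init")` or drop the entry until it is used. The `ceph-mon` block also lists `ceph-init-dirs` before `ceph-mon`, unlike the order used in the template's `containerNames`, which makes the two harder to compare by eye.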
diff --git a/ceph-osd/templates/daemonset-osd.yaml b/ceph-osd/templates/daemonset-osd.yaml
index 8ec6c3149d..2349bc028d 100644
--- a/ceph-osd/templates/daemonset-osd.yaml
+++ b/ceph-osd/templates/daemonset-osd.yaml
@@ -41,7 +41,7 @@ spec:
 {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default" "ceph-init-dirs" "ceph-log-ownership" "osd-init" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "osd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
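Review bot: The new `containerNames` list has a stray space before the closing parenthesis (`"init" )`), unlike every other list in this change; it should read `(list "ceph-osd-default" "ceph-init-dirs" "ceph-log-ownership" "osd-init" "init")`. With five names, this is also the list most likely to drift from the pod spec, which is outside the hunk. It is worth rendering the chart with the override and checking that each emitted annotation names a container that exists in the daemonset.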
diff --git a/ceph-osd/values_overrides/apparmor.yaml b/ceph-osd/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..fe69ae85c8
--- /dev/null
+++ b/ceph-osd/values_overrides/apparmor.yaml
@@ -0,0 +1,9 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-osd-default:
+      ceph-osd-default: runtime/default
+      ceph-init-dirs: runtime/default
+      ceph-log-ownership: runtime/default
+      osd-init: runtime/default
+      init: runtime/default
diff --git a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
index 316f697cbf..f848e77abe 100644
--- a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
@@ -152,6 +152,7 @@ spec:
 {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
index df9dc30c40..fbb4ec7463 100644
--- a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
@@ -142,6 +142,7 @@ spec:
 {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-provisioners/templates/job-cephfs-client-key.yaml b/ceph-provisioners/templates/job-cephfs-client-key.yaml
index f166ccb2f3..a2233e5aac 100644
--- a/ceph-provisioners/templates/job-cephfs-client-key.yaml
+++ b/ceph-provisioners/templates/job-cephfs-client-key.yaml
@@ -89,6 +89,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
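Review bot: The only container named for pod `ceph-cephfs-client-key-generator` is `ceph-storage-keys-generator`, which is the container name used by the ceph-mon storage-admin-keys Job and looks copied from there. The container definition is outside the hunk, so please confirm the name; an AppArmor annotation that references a container not present in the pod is expected to fail pod validation once the override is enabled. The list also omits `init`, which the rbd-pool and storage-admin-keys Job hunks include. If this Job has that init container, use `(list "<container name> (placeholder)" "init")` and add `init: runtime/default` under the same key in `ceph-provisioners/values_overrides/apparmor.yaml`.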
diff --git a/ceph-provisioners/values_overrides/apparmor.yaml b/ceph-provisioners/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..055724ebb9
--- /dev/null
+++ b/ceph-provisioners/values_overrides/apparmor.yaml
@@ -0,0 +1,11 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-cephfs-provisioner:
+      ceph-cephfs-provisioner: runtime/default
+      init: runtime/default
+    ceph-cephfs-client-key-generator:
+      ceph-storage-keys-generator: runtime/default
+    ceph-rbd-provisioner:
+      ceph-rbd-provisioner: runtime/default
+      init: runtime/default
diff --git a/tools/deployment/common/get-values-overrides.sh b/tools/deployment/common/get-values-overrides.sh
index c497e30e0b..8e685ed02e 100755
--- a/tools/deployment/common/get-values-overrides.sh
+++ b/tools/deployment/common/get-values-overrides.sh
@@ -19,7 +19,7 @@ HELM_CHART="$1"
 : "${HELM_CHART_ROOT_PATH:="../openstack-helm-infra"}"
 : "${CONTAINER_DISTRO_NAME:="ubuntu"}"
 : "${CONTAINER_DISTRO_VERSION:="xenial"}"
-: "${FEATURE_GATES:=""}"
+: "${FEATURE_GATES:="apparmor"}"
 OSH_INFRA_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"
 
 function echoerr () {
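Review bot: Defaulting `FEATURE_GATES` to `apparmor` turns the AppArmor overrides on for every caller of this script that leaves the variable unset, not only for the Ceph charts touched in this change. Pods that carry AppArmor annotations are expected to be refused on nodes where AppArmor is not enabled, and `CONTAINER_DISTRO_NAME` is overridable just above, so runs on other distros could start failing. Conversely, a caller that sets `FEATURE_GATES` to any other value drops `apparmor` without notice, so coverage depends on nobody touching the variable. Keeping `: "${FEATURE_GATES:=""}"` and exporting `FEATURE_GATES=apparmor` in the jobs meant to exercise the profiles would make the opt-in explicit. The rest of the script is outside the hunk.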