diff --git a/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl b/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl
index ef5a564..8e795df 100644
--- a/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl
+++ b/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl
@@ -150,6 +150,40 @@ Timezone variable
 {{- print $timezone | quote -}}
 {{- end -}}
+{{/*
+Create container level annotations (apparmorProfile - DR-D1123-127)
+*/}}
+{{- define "eric-oss-hello-world-python-app.container-annotations" }}
+ {{- if .Values.appArmorProfile -}}
+ {{- $appArmorValue := .Values.appArmorProfile.type -}}
+ {{- if .Values.appArmorProfile.type -}}
+ {{- if eq .Values.appArmorProfile.type "localhost" -}}
+ {{- $appArmorValue = printf "%s/%s" .Values.appArmorProfile.type .Values.appArmorProfile.localhostProfile }}
+ {{- end}}
+container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ $appArmorValue | quote }}
+ {{- end}}
+ {{- end}}
+{{- end}}
+
+{{/*
+Seccomp profile section (DR-1123-128)
+*/}}
+{{- define "eric-oss-hello-world-python-app.seccomp-profile" }}
+ {{- if .Values.seccompProfile }}
+ {{- if .Values.seccompProfile.type }}
+ {{- if eq .Values.seccompProfile.type "Localhost" }}
+ {{- if .Values.seccompProfile.localhostProfile }}
+seccompProfile:
+ type: {{ .Values.seccompProfile.type }}
+ localhostProfile: {{ .Values.seccompProfile.localhostProfile }}
+ {{- end }}
+ {{- else }}
+seccompProfile:
+ type: {{ .Values.seccompProfile.type }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
 {{/*
 Create image repo path
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index 07e8738..d039d43 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
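Review bot: In the container-annotations helper, `type: localhost` with an unset `localhostProfile` is not guarded, so the `printf "%s/%s"` line renders something like `localhost/` (or a Go `%!s(<nil>)` placeholder when the key is nil), which is not a valid AppArmor profile reference and will be rejected when the pod is admitted. The seccomp helper further down handles the analogous case by emitting nothing, which is the opposite failure: `Localhost` without a profile silently produces no `seccompProfile` at all, so the container runs under whatever the node's default is rather than the profile the operator asked for. Both should fail the render instead, e.g. `{{- if not .Values.appArmorProfile.localhostProfile }}{{ fail "appArmorProfile.localhostProfile is required when type is localhost" }}{{ end }}` before the `printf`, and `{{- else }}{{ fail "seccompProfile.localhostProfile is required when type is Localhost" }}` in place of the silent drop. It would also help to note in the helper comment that `container.apparmor.security.beta.kubernetes.io/` is the legacy annotation mechanism that newer Kubernetes releases replace with the `securityContext.appArmorProfile` field, so readers know why a pod-spec field is not used here.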
@@ -36,11 +36,13 @@ spec:
 app.kubernetes.io/instance: {{ .Release.Name }}
 service.cleartext/scraping: "true"
 annotations:
+ {{- $container := include "eric-oss-hello-world-python-app.container-annotations" . | fromYaml }}
 prometheus.io/port: "{{ .Values.service.port }}"
 prometheus.io/scrape: "{{ .Values.prometheus.scrape }}"
 prometheus.io/path: "{{ .Values.prometheus.path }}"
 {{- include "eric-oss-hello-world-python-app.product-info" . | indent 8 }}
 spec:
+ automountServiceAccountToken: false
 {{- if (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }}
 priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }}
 {{- end }}
@@ -71,6 +73,7 @@ spec:
 capabilities:
 drop:
 - all
+ {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }}
 volumeMounts:
 - name: config-volume
 mountPath: /etc/adp
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index 9a2659f..d7b6087 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
@@ -29,6 +29,18 @@ replicaCount: 1
 nameOverride: ""
 fullnameOverride: ""
+# choice='unconfined, runtime/default, localhost' [ default= ""]
+# Configuration of AppArmor profile type. The following values are possible:
+# unconfined - Indicates that there is no profile loaded.
+# runtime/default - Applies the default profile of the container engine.
+# localhost - Applies a specific profile loaded on the host
+appArmorProfile:
+ type: ""
+ localhostProfile:
+seccompProfile:
+ type: "RuntimeDefault"
+ localhostProfile:
+
 service:
 type: ClusterIP
 port: 8050
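Review bot: `$container` is assigned from the container-annotations helper on the first added line of this hunk but is never referenced again, so the AppArmor annotation is computed and discarded and the pod template carries no AppArmor profile whatever `appArmorProfile.type` is set to. The include should be rendered into the annotations map the same way `product-info` is a few lines below, e.g. replace the assignment with `{{- include "eric-oss-hello-world-python-app.container-annotations" . | indent 8 }}` (or keep the variable and emit it with `{{- range $k, $v := $container }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`). A `helm template` run asserting that the rendered pod metadata contains `container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app` would have caught this and is worth adding to the chart tests. The `automountServiceAccountToken: false` addition is the right default for a workload that does not talk to the API server; if the app ever needs it, the token must be re-enabled explicitly rather than by removing this line.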
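Review bot: The two bare `localhostProfile:` keys in values.yaml parse as null, and the AppArmor helper in `_helpers.tpl` feeds that value straight into `printf "%s/%s"`, so selecting `type: localhost` without also setting a profile renders a malformed annotation; make them explicit empty strings (`localhostProfile: ""`) and document that they are required when the type is `localhost`/`Localhost`. The `seccompProfile` block has no comment at all, unlike `appArmorProfile`; a header in the same style, `# choice='RuntimeDefault, Localhost, Unconfined' [ default= "RuntimeDefault"]`, would do. Defaulting `appArmorProfile.type` to `""` means no annotation is emitted and AppArmor enforcement depends entirely on the node runtime's default, whereas seccomp defaults to `RuntimeDefault`; unless the design rule mandates an empty default, `type: "runtime/default"` would give the two controls consistent secure-by-default behaviour. `unconfined` is listed as a valid choice but disables AppArmor for the container, which the comment should flag as not intended for production use.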