mount /sbin/apparmor_parser if PodSecurityPolicy is enabled (#2320)
* mount /sbin/apparmor_parser if PSP

* this is the correct kubelet service file

* this is the correct sed command

* /sbin/apparmor_parser already exists
jackfrancis authored Feb 28, 2018
1 parent 26ad11a commit 853b37e
Showing 4 changed files with 10 additions and 0 deletions.
1 change: 1 addition & 0 deletions parts/k8s/artifacts/kuberneteskubelet.service
Expand Up @@ -26,6 +26,7 @@ ExecStart=/usr/bin/docker run \
--volume=/sys:/sys:ro \
--volume=/var/run:/var/run:rw \
--volume=/var/lib/cni/:/var/lib/cni:rw \
--volume=/sbin/apparmor_parser/:/sbin/apparmor_parser:rw \
--volume=/var/lib/docker/:/var/lib/docker:rw \
--volume=/var/lib/containers/:/var/lib/containers:rw \
--volume=/var/lib/kubelet/:/var/lib/kubelet:shared \
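Review bot: The new volume line mounts the host's `/sbin/apparmor_parser` read-write, although the kubelet only needs to execute it; if the kubelet container were compromised, a writable bind mount lets it replace a binary under the host's `/sbin`. The neighbouring `/sys` mount in the same hunk is `:ro`, so `--volume=/sbin/apparmor_parser:/sbin/apparmor_parser:ro \` would both follow that convention and limit the exposure. The trailing slash on the host side also reads as a directory path while the target is a single binary, so dropping it keeps the host and container paths in the same form. The ExecStart command this line belongs to starts and ends outside the hunk.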
3 changes: 3 additions & 0 deletions parts/k8s/kubernetesagentcustomdata.yml
Expand Up @@ -164,6 +164,9 @@ coreos:
[Service]
ExecStart=/opt/azure/containers/provision-setup.sh
{{else}}
{{if not EnablePodSecurityPolicy}}
sed -i "s|apparmor_parser|d|g" "/etc/systemd/system/kubelet.service"
{{end}}
runcmd:
- echo `date`,`hostname`, startruncmd>>/opt/m
# the first arg is the number of retries, the second arg is the wait duration between two retries and the rest of the args are the cmd to run
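Review bot: The added `sed -i "s|apparmor_parser|d|g"` is a substitution, not a line delete: it rewrites the kubelet.service volume entry to `--volume=/sbin/d/:/sbin/d:rw \`, so a cluster without PodSecurityPolicy still bind-mounts a host path `/sbin/d` (which docker will most likely create on the host if it is absent) read-write into the kubelet container instead of dropping the mount. Unless that mount is intended, the delete form `sed -i "/apparmor_parser/d" "/etc/systemd/system/kubelet.service"` removes the whole line. The same command is added in parts/k8s/kubernetesmastercustomdata.yml in this commit and needs the same change.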
3 changes: 3 additions & 0 deletions parts/k8s/kubernetesmastercustomdata.yml
Expand Up @@ -246,6 +246,9 @@ MASTER_ARTIFACTS_CONFIG_PLACEHOLDER
sed -i "s|<kubernetesControllerManagerConfig>|{{GetK8sRuntimeConfigKeyVals .OrchestratorProfile.KubernetesConfig.ControllerManagerConfig}}|g" "/etc/kubernetes/manifests/kube-controller-manager.yaml"
sed -i "s|<kubernetesAPIServerConfig>|{{GetK8sRuntimeConfigKeyVals .OrchestratorProfile.KubernetesConfig.APIServerConfig}}|g" "/etc/kubernetes/manifests/kube-apiserver.yaml"
sed -i "s|<kubernetesAPIServerIP>|{{WrapAsVariable "kubernetesAPIServerIP"}}|g" "/etc/kubernetes/manifests/kube-apiserver.yaml"
{{if not EnablePodSecurityPolicy}}
sed -i "s|apparmor_parser|d|g" "/etc/systemd/system/kubelet.service"
{{end}}

- path: "/opt/azure/containers/provision.sh"
permissions: "0744"
3 changes: 3 additions & 0 deletions pkg/acsengine/engine.go
Expand Up @@ -1572,6 +1572,9 @@ func (t *TemplateGenerator) getTemplateFuncMap(cs *api.ContainerService) templat
}
return false
},
"EnablePodSecurityPolicy": func() bool {
return helpers.IsTrueBoolPointer(cs.Properties.OrchestratorProfile.KubernetesConfig.EnablePodSecurityPolicy)
},
// inspired by http://stackoverflow.com/questions/18276173/calling-a-template-with-several-pipeline-parameters/18276968#18276968
"dict": func(values ...interface{}) (map[string]interface{}, error) {
if len(values)%2 != 0 {
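Review bot: The new `EnablePodSecurityPolicy` closure dereferences `cs.Properties.OrchestratorProfile.KubernetesConfig` with no nil check, so if that field is a pointer that can be unset on the path that renders these templates, the panic surfaces during template execution rather than as a plain `false`. Guarding it keeps the function total: `kc := cs.Properties.OrchestratorProfile.KubernetesConfig` followed by `return kc != nil && helpers.IsTrueBoolPointer(kc.EnablePodSecurityPolicy)`. A one-line comment such as `// EnablePodSecurityPolicy reports whether the cluster's KubernetesConfig opts into PodSecurityPolicy.` would also match the commented `dict` entry below it. The enclosing `getTemplateFuncMap` starts and ends outside the hunk, so I cannot see whether sibling entries already guard the same field.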
