From 3332968caa1d100d8a46687663c445353c8a6e8f Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Tue, 11 Aug 2020 09:33:20 -0500
Subject: [PATCH] Add apparmor profile to keystone-webhook container
Change-Id: I583c4c01e2c92c16705420fe726e3e7648a16705
---
 kubernetes-keystone-webhook/templates/deployment.yaml | 1 +
 kubernetes-keystone-webhook/values.yaml | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/kubernetes-keystone-webhook/templates/deployment.yaml b/kubernetes-keystone-webhook/templates/deployment.yaml
index 02ffea48..ed052b50 100644
--- a/kubernetes-keystone-webhook/templates/deployment.yaml
+++ b/kubernetes-keystone-webhook/templates/deployment.yaml
@@ -36,6 +36,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "kubernetes-keystone-webhook" "containerNames" (list "kubernetes-keystone-webhook") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 containers:
diff --git a/kubernetes-keystone-webhook/values.yaml b/kubernetes-keystone-webhook/values.yaml
index 19ec7ad3..4a9848e3 100644
--- a/kubernetes-keystone-webhook/values.yaml
+++ b/kubernetes-keystone-webhook/values.yaml
@@ -56,6 +56,10 @@ pod:
 kubernetes_keystone_webhook:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ mandatory_access_control:
+ type: apparmor
+ kubernetes-keystone-webhook:
+ kubernetes-keystone-webhook: runtime/default
 affinity:
 anti:
 type:
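Review bot: The added annotation line in templates/deployment.yaml hard-codes the pod and container name `kubernetes-keystone-webhook` as string literals, and nothing ties them to the container's `name:` (further down the pod spec, outside this hunk) or to the keys this commit adds under `mandatory_access_control` in values.yaml. If any of the three drifts, the helper will presumably render no AppArmor annotation, or one keyed to a container that does not exist, and the webhook then runs without the intended profile with no render error to flag it. A template comment above the line would record the coupling, for example `{{/* MAC annotation: containerNames must equal the container name in this pod spec and the keys under pod.mandatory_access_control in values.yaml */}}`. The hyphenated name here also differs from the underscored `kubernetes_keystone_webhook` passed to the pod security context helper two lines below, which is worth mentioning in the same comment so nobody "normalises" one to the other.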
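Review bot: The new `mandatory_access_control` block in values.yaml has no comment describing its layout, and the two identical nested `kubernetes-keystone-webhook` keys read like an accidental duplication rather than pod name followed by container name. A line above the block such as `# pod.mandatory_access_control.<pod name>.<container name>: <AppArmor profile>` would make the schema clear to operators who override it. `runtime/default` is the container runtime's generic profile rather than one written for this webhook, and nodes without AppArmor enabled may refuse to start a pod that requests a profile, so both facts deserve a sentence next to the default. Indentation is not recoverable in this view, so please confirm that the block sits directly under `pod:` as a sibling of `affinity`, since the helper most likely looks it up at that level.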