Closed JBarbes closed 7 months ago
This looks like a standard metadata annotation on each pod, unless I'm misunderstanding. If so, the helm chart includes a metadata.annotation parameter for this purpose.
Yes, it is, but the name must be different on each pod, reflecting the name of the pod like:
annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-0: runtime/default
annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-1: runtime/default
annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-2: runtime/default
I tried to use the statefulset name, nativeha-t1-ibm-mq, but got this error from helm upgrade: UPGRADE FAILED: cannot patch "nativeha-t1-ibm-mq" with kind StatefulSet: StatefulSet.apps "nativeha-t1-ibm-mq" is invalid: spec.template.annotations[container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq]: Invalid value: "nativeha-t1-ibm-mq": container not found
If it is looking for the container name then this will be qmgr and is the same across all three replicas. It is the pod name that changes in a deployment/statefulset.
Yes, I see it. Thanks!
Hi, I want to set an AppArmor policy in annotations. This policy must be defined per container, like:
annotations: container.apparmor.security.beta.kubernetes.io/container-name: runtime/default
This is simple enough for a deployment, but I'm in doubt about how to set this for a statefulset that creates 3 individual MQ containers. Can you help?
rgds John B
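
The point the thread settles on is that the annotation suffix is the container name from the pod template (qmgr here), not the pod or StatefulSet name. The pre-flight check below is an added example, not code from this thread or from the IBM MQ chart. It assumes the manifest is already loaded as a dict; the function names and the sample StatefulSet are constructed for illustration.

```python
# Added example: check AppArmor annotations in a workload's pod template
# against the container names declared in that same template.
PREFIX = "container.apparmor.security.beta.kubernetes.io/"
FIXED_PROFILES = {"runtime/default", "unconfined"}


def valid_profile(profile):
    # Accepted values: runtime/default, unconfined, or localhost/<profile-name>.
    if profile in FIXED_PROFILES:
        return True
    return profile.startswith("localhost/") and len(profile) > len("localhost/")


def check_apparmor_annotations(workload):
    """Return a list of problems; an empty list means the annotations are consistent."""
    template = workload["spec"]["template"]
    pod_spec = template.get("spec", {})
    # The suffix must name a container in the template, never a pod or workload.
    names = {c["name"] for key in ("initContainers", "containers")
             for c in pod_spec.get(key, [])}
    problems = []
    annotations = template.get("metadata", {}).get("annotations", {})
    for key, profile in annotations.items():
        if not key.startswith(PREFIX):
            continue  # unrelated annotation
        target = key[len(PREFIX):]
        if target not in names:
            problems.append(f"{target}: container not found (declared: {sorted(names)})")
        if not valid_profile(profile):
            problems.append(f"{target}: unknown profile {profile!r}")
    return problems


def statefulset(annotation_target):
    """Constructed sample: 3-replica StatefulSet with a single container named qmgr."""
    return {
        "kind": "StatefulSet",
        "metadata": {"name": "nativeha-t1-ibm-mq"},
        "spec": {"replicas": 3, "template": {
            "metadata": {"annotations": {PREFIX + annotation_target: "runtime/default"}},
            "spec": {"containers": [{"name": "qmgr"}]},
        }},
    }


if __name__ == "__main__":
    # StatefulSet name and pod name are both rejected; the container name passes.
    for target in ("nativeha-t1-ibm-mq", "nativeha-t1-ibm-mq-0", "qmgr"):
        print(target, "->", check_apparmor_annotations(statefulset(target)) or "ok")
```

Because the annotation lives in the pod template, one entry keyed by qmgr applies to all three replicas.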