ibm-messaging / mq-helm

Apache License 2.0

Adding container policy #71

Closed JBarbes closed 7 months ago

JBarbes commented 7 months ago

Hi, I want to set an apparmor policy in annotations. This policy must be defined per container, like:

annotations: container.apparmor.security.beta.kubernetes.io/container-name: runtime/default

This is simple enough for a deployment, but I'm in doubt about how to set this for a statefulset that creates 3 individual MQ containers. Can you help?

rgds John B

callumpjackson commented 7 months ago

This looks like a standard metadata annotation on each pod, unless I'm misunderstanding. If so the helm chart includes a metadata.annotation parameter for this purpose.

JBarbes commented 7 months ago

Yes, it is, but the name must be different on each pod, reflecting the name of the pod like:

annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-0: runtime/default

annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-1: runtime/default

annotations: container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq-2: runtime/default

I tried to use the statefulset name, nativeha-t1-ibm-mq, but got this error from helm upgrade: UPGRADE FAILED: cannot patch "nativeha-t1-ibm-mq" with kind StatefulSet: StatefulSet.apps "nativeha-t1-ibm-mq" is invalid: spec.template.annotations[container.apparmor.security.beta.kubernetes.io/nativeha-t1-ibm-mq]: Invalid value: "nativeha-t1-ibm-mq": container not found

callumpjackson commented 7 months ago

If it is looking for the container name then this will be qmgr and is the same across all three replicas. It is the pod name that changes in a deployment/statefulset.

JBarbes commented 7 months ago

Yes, I see it. Thanks!
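The API server check that produced the "container not found" error above can be reproduced before running helm upgrade. The following is an added example, not code from the mq-helm project: it validates AppArmor annotations on a rendered StatefulSet pod template the way the API server does (the key suffix must name a container in the template, and the value must be runtime/default, unconfined or localhost/<profile>) and also lists containers that have no AppArmor annotation at all. The manifest is a constructed, minimal stand-in; the container name qmgr comes from the thread, everything else is assumed.

```python
import copy
import re

# Added example, not mq-helm project code. Mirrors the Kubernetes validation
# of the beta AppArmor annotation so a bad key is caught before helm upgrade.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
_PROFILE_RE = re.compile(r"^(runtime/default|unconfined|localhost/[^/\s]+)$")

# Constructed, minimal stand-in for the chart's rendered StatefulSet
# (dict form so no YAML library is needed). Only the container name "qmgr"
# is taken from the thread; the image value is a placeholder.
STATEFULSET = {
    "kind": "StatefulSet",
    "metadata": {"name": "nativeha-t1-ibm-mq"},
    "spec": {
        "replicas": 3,
        "template": {
            "metadata": {"annotations": {}},
            "spec": {"containers": [{"name": "qmgr", "image": "ibm-mq:PLACEHOLDER"}]},
        },
    },
}


def with_annotations(sts, annotations):
    """Return a copy of the StatefulSet with the given pod-template annotations."""
    out = copy.deepcopy(sts)
    out["spec"]["template"]["metadata"]["annotations"] = dict(annotations)
    return out


def validate_apparmor_annotations(sts):
    """Return a list of problems; an empty list means the template is valid."""
    template = sts["spec"]["template"]
    containers = {c["name"] for c in template["spec"].get("containers", [])}
    problems = []
    for key, value in template["metadata"].get("annotations", {}).items():
        if not key.startswith(APPARMOR_PREFIX):
            continue  # some other annotation, not our concern here
        container = key[len(APPARMOR_PREFIX):]
        if container not in containers:
            # This is the check that rejected the pod-name-keyed annotation.
            problems.append(f"{key}: container not found")
        if not _PROFILE_RE.match(value):
            problems.append(f"{key}: invalid profile value {value!r}")
    return problems


def unconfined_containers(sts):
    """Names of containers that carry no AppArmor annotation (coverage check)."""
    template = sts["spec"]["template"]
    annotated = {k[len(APPARMOR_PREFIX):] for k in template["metadata"].get("annotations", {})
                 if k.startswith(APPARMOR_PREFIX)}
    return {c["name"] for c in template["spec"].get("containers", [])} - annotated
```

The same key applies to every replica because the pod template, and therefore the container name, is identical for nativeha-t1-ibm-mq-0, -1 and -2; only the pod name differs. On Kubernetes 1.30 and later the annotation is deprecated in favour of the securityContext.appArmorProfile field, so the coverage check is worth keeping in CI during a migration.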