This repository has been archived by the owner on May 30, 2023. It is now read-only.

sec-policy/selinux-virt: add rules to run flannel with SELinux enforced mode #1181

Merged
merged 3 commits into from
Aug 12, 2021

Conversation

tormath1
Contributor

@tormath1 tormath1 commented Aug 11, 2021

In this PR, we provide additional virt rules to have flannel running correctly with SELinux enforced.

How to use

emerge-amd64-usr -av sec-policy/selinux-virt
// run SELinux in enforced mode
// run kubernetes with Flannel as CNI

Testing done

    --- PASS: kubeadm.v1.21.0.flannel.base/node_readiness (30.97s)
    --- PASS: kubeadm.v1.21.0.flannel.base/nginx_deployment (21.64s)

Closes: flatcar/Flatcar#476

Also related to: flannel-io/flannel#945, flannel-io/flannel#709

Note

@kinvolk/flatcar-maintainers how should we proceed with the following commits? Should I squash them into one single commit, `sec-policy/selinux-virt: apply flatcar changes`, with a merge of the bodies?

Mathieu Tortuyaux added 3 commits August 11, 2021 16:24
flannel uses an init container to pull CNI from the container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t`, so it can't be accessed by Docker, which expects `svirt_lxc_file_t`.

Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created, which avoids having to
run `restorecon` on `/etc/cni`.

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
flannel will write into /run/flannel/... so we need to provide
correct labelling for dirs created by the docker daemon

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
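For readers who have not written SELinux policy before, here is an illustrative local module in refpolicy style showing the `filetrans_pattern` mechanism the two commit messages above rely on: a `type_transition` gives a directory its intended label at the moment it is created, so neither `/etc/cni` (created inside `etc_t`) nor `/run/flannel` (created inside `var_run_t`) ends up with the parent's label and needs a later `restorecon`. This is an added example, not the rules from this PR or from `sec-policy/selinux-virt`. The types `etc_t` and `svirt_lxc_file_t` come from the commit messages; the creating domains (`svirt_lxc_net_t` for the container side, `docker_t` for the daemon), the `var_run_t` parent type and the choice of `svirt_lxc_file_t` for `/run/flannel` are assumptions about the policy in use.

```selinux
# Illustrative local policy module (example only, not the PR's rules).
# Types etc_t and svirt_lxc_file_t are taken from the commit messages;
# the domains svirt_lxc_net_t / docker_t and the var_run_t parent type
# are assumptions and must be checked against the policy actually loaded
# (seinfo -t, or `ps -eZ` for the running daemon's domain).

policy_module(flannel_local, 1.0)

gen_require(`
    type etc_t;             # label of /etc, where the init container writes
    type var_run_t;         # assumed label of /run, parent of /run/flannel
    type svirt_lxc_file_t;  # content type the container domains may manage
    type svirt_lxc_net_t;   # assumed container process domain (refpolicy virt)
    type docker_t;          # assumed Docker daemon domain
')

# filetrans_pattern(domain, parent_dir_type, new_type, class, name)
#   - allows `domain` to add entries to directories labelled parent_dir_type
#   - adds a type_transition so an object of `class` named `name` created
#     there is labelled new_type instead of inheriting parent_dir_type
# It does NOT grant permissions on new_type itself; those must already exist
# (the virt policy lets svirt_lxc_net_t manage svirt_lxc_file_t, which is
# why that type is the right target). For docker_t this is assumed.
filetrans_pattern(svirt_lxc_net_t, etc_t, svirt_lxc_file_t, dir, "cni")
filetrans_pattern(docker_t, var_run_t, svirt_lxc_file_t, dir, "flannel")

# Keep the file-context database in agreement with the transition, so that
# `restorecon -Rv /etc/cni /run/flannel` (or a relabel at boot) does not undo
# the label the kernel assigned at creation time. These two lines belong in
# the module's .fc file, not in the .te file:
#   /etc/cni(/.*)?      gen_context(system_u:object_r:svirt_lxc_file_t,s0)
#   /run/flannel(/.*)?  gen_context(system_u:object_r:svirt_lxc_file_t,s0)
```

The module is built with the refpolicy development Makefile shipped with the policy headers (for example `make -f /usr/share/selinux/mcs/include/Makefile flannel_local.pp`, path depending on the policy flavour) and loaded with `semodule -i flannel_local.pp`. To confirm the transition took effect after the init container and the daemon have run, compare `ls -Zd /etc/cni /run/flannel` with `matchpathcon /etc/cni /run/flannel`: both should report `svirt_lxc_file_t`. Any remaining denials show up in `ausearch -m avc -ts recent`, and a denial whose target is still `etc_t` or `var_run_t` means the creating process ran in a domain other than the one named in the `filetrans_pattern` line.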
@tormath1 tormath1 self-assigned this Aug 11, 2021
@tormath1 tormath1 changed the title [wip] sec-policy/selinux-virt: add rules to run flannel with SELinux enforced mode sec-policy/selinux-virt: add rules to run flannel with SELinux enforced mode Aug 12, 2021
@tormath1 tormath1 marked this pull request as ready for review August 12, 2021 07:31
Contributor

@jepio jepio left a comment


I'm not super familiar with SELinux, but it fixes the test and doesn't look suspicious to me 👍
I would keep it as different commits; that way each "diff" has a matching description.

Maybe someone could take a second look?

@tormath1
Contributor Author

@jepio I thought the same, but when we upgrade SELinux in a couple of months we will need to chase the "flatcar changes commit" for this package. 🤔

Otherwise I can squash all into one commit, `apply flatcar change`, and move the body of each commit as a comment in the relevant file.

@tormath1 tormath1 merged commit 903225c into main Aug 12, 2021
@tormath1 tormath1 deleted the tormath1/fix-flannel-selinux branch August 12, 2021 13:37
@tormath1
Contributor Author

cherry-picked to:

  • flatcar-2955
  • flatcar-2942

Successfully merging this pull request may close these issues.

kubernetes: flannel init container is crashing
3 participants