In the latest CNI plugins versions (from 1.0.0 on), the Flannel plugin has been removed. Starting from Kube Flannel version 0.15.0, plugin installation is defined in the manifest:
The path being mounted is /opt/cni/bin with the following label on the host machine:
$ ls -aliZ /opt/cni/
total 24
198 drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 .
94 drwxr-xr-x. 6 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 ..
199 drwxrwxr-x. 2 root root system_u:object_r:usr_t:s0 4096 Sep 7 19:49 bin
This leads to the following SELinux denial and prevents Flannel from starting correctly in enforcing mode:
Feb 21 13:37:14.710000 audit[3217]: AVC avc: denied { write } for pid=3217 comm="cp" name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
While waiting for #479, we can patch the current `selinux-virt` policy, as we already did for Flannel in flatcar-archive/coreos-overlay@56d2acd, to give `/opt/cni(/.*)?` a correct context.
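As an added example (not part of the issue and not Flatcar's code), the following POSIX shell script parses the AVC record quoted above and flags the pattern in question: a container domain (`svirt_lxc_net_t`, or `container_t` on newer policies) denied on a path that still carries the generic `usr_t` type. That combination points to a host-side relabel of the path, which is what the issue proposes for `/opt/cni(/.*)?`, rather than to a policy exception for the container domain. The function names and the second sample record used to exercise the negative case are constructed for this example.

```shell
#!/bin/sh
# Added example: extract the fields of an SELinux AVC denial record and decide
# whether it is the "container domain writing into usr_t" case, which is fixed
# by relabelling the host path rather than by loosening policy.

# Constructed sample: the AVC record quoted in the issue, kept verbatim.
AVC_SAMPLE='Feb 21 13:37:14.710000 audit[3217]: AVC avc: denied { write } for pid=3217 comm="cp" name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY: print the value of KEY=value in RECORD, quotes stripped.
# key=value pairs in AVC records never contain whitespace, so awk's default
# field splitting is enough; "denied { write }" is handled separately below.
avc_field() {
  printf '%s\n' "$1" | awk -v key="$2" '{
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n > 0 && substr($i, 1, n - 1) == key) {
        v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
      }
    }
  }'
}

# avc_denied_perms RECORD: print the permission list between "denied { ... }".
avc_denied_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type component (third colon-separated field).
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_needs_relabel RECORD: exit 0 when a container domain was denied on a
# plain usr_t file or directory. That is the host-side labelling problem from
# the issue; any other denial should be looked at as a policy question instead.
avc_needs_relabel() {
  src=$(context_type "$(avc_field "$1" scontext)")
  tgt=$(context_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  case "$src" in
    svirt_lxc_net_t|container_t) ;;
    *) return 1 ;;
  esac
  [ "$tgt" = usr_t ] && { [ "$cls" = dir ] || [ "$cls" = file ]; }
}

# avc_report RECORD: one-line human-readable verdict for an operator.
avc_report() {
  if avc_needs_relabel "$1"; then
    printf 'relabel needed: %s (%s) denied %s on %s "%s" labelled %s\n' \
      "$(context_type "$(avc_field "$1" scontext)")" "$(avc_field "$1" comm)" \
      "$(avc_denied_perms "$1")" "$(avc_field "$1" tclass)" \
      "$(avc_field "$1" name)" "$(context_type "$(avc_field "$1" tcontext)")"
  else
    printf 'not the usr_t pattern; inspect policy instead\n'
  fi
}

avc_report "$AVC_SAMPLE"
```

Feeding the record from the issue to `avc_report` identifies `svirt_lxc_net_t` (the `cp` in the Flannel init container) being denied `write` on the `usr_t` directory `bin`, which is exactly the path the proposed `/opt/cni(/.*)?` file-context entry would cover.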
This patch could eventually be upstreamed to https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/container.fc once we have integrated and tested the new policy.
Additional information
We can currently mitigate this issue by running a `chcon` command on the folder (see also: flatcar/mantle#297):
To reproduce
Run `kubeadm.v1.23.4.flannel.base` on any cloud provider; to assert that the issue is fixed, revert the commit where `chcon` is added and re-run the test.
NOTE: this commit can be reverted once done: flatcar-archive/flatcar-docs@f77a06f