kubeadm: don't customize etcd selinux label #49328
Conversation
The original change that added the unconfined label included a comment indicating it won't be needed in the future. See: kubernetes#33555 (comment) That time is now. kubernetes#33663 has landed and means we no longer have to go out of our way to make that work. Removing the label also increases security since there wasn't really a good reason for etcd to be run with such broad selinux privileges. This also will allow kubeadm to avoid errors on distros without an spc_t type, such as Gentoo and Container Linux (at the time of writing at least). Fixes kubernetes/kubeadm#269
/lgtm Thanks @euank for fixing this!!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: euank, luxas Associated issue: 269 The full list of commands accepted by this bot can be found here.
Automatic merge from submit-queue (batch tested with PRs 49328, 49285, 49307, 49127, 49163)
@luxas - can you please add some release note if you want this cherrypicked?
@wojtek-t Done. I'm gonna make a cherrypick for this today.
Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.
@euank How are you installing kubeadm? This change breaks kubeadm on Fedora for me. |
spc_t doesn't work everywhere, and this makes it possible to run kubeadm on CoreOS at all. As there is no one owning SELinux support for kubeadm, we require `setenforce 0` for SELinux enabled systems
If you want to own the area, please get in touch with us in sig cluster lifecycle :)
@jasonbrooks Can you describe how it broke specifically (preferably including the
@luxas Fair enough, setenforce 0 is better than nothing. @euank Does it work in enforcing on coreos? I ask how you install it because the kubeadm docs point to rpm or deb, and neither of those is an option on coreos. I'm wondering if there's something about the presumably containerized install mechanism that's working where the package-based install is not.
Container Linux defaults to selinux permissive. I don't personally use kubeadm on it now, so I can't answer the other questions related to it, though presumably with selinux enforcing it would hit the same thing here. I was expecting to see It turns out Apologies for the regression; I missed the detail that
The spc basically just means unconfined, with the idea being that it's better to unconfine particular containers than to unconfine the entire host, which is what you get with setenforce 0. There's some more info on it at https://danwalsh.livejournal.com/74754.html. But, if kubeadm won't work at all on an selinux-enabled host w/o spc_t in its policy, then that's no good.
This was merged to make it possible to use kubeadm on CoreOS at all. Anything else made it fail.
I do apologize again for misunderstanding the full impact of this change.
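The thread above turns on one detail: the etcd static pod used to carry an explicit `seLinuxOptions.type: spc_t`, which (as the comment on spc_t explains) effectively unconfines that container, and this PR removes it. The following is an added example, not kubeadm's code or anything from this PR, showing how a defender can audit pod manifests for that over-broad label and produce the stripped form. The manifest is a constructed stand-in for an etcd static pod in JSON form; the field layout follows the standard Kubernetes PodSpec (`spec.containers[].securityContext.seLinuxOptions.type`), and the image tag is a placeholder.

```python
"""Audit Kubernetes pod manifests for an over-broad SELinux container label.

Added example for the etcd/spc_t discussion; not kubeadm's own code.
The manifest below is constructed for illustration and is not the manifest
kubeadm actually generates.
"""
import copy
import json

# spc_t ("super privileged container") is effectively an unconfined label,
# which is why this thread argues it should not be applied to etcd by default.
OVERBROAD_SELINUX_TYPES = {"spc_t"}

# Constructed stand-in for the pre-PR etcd static pod (JSON form of a PodSpec).
BEFORE_MANIFEST_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "etcd", "namespace": "kube-system"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {
        "name": "etcd",
        "image": "etcd:PLACEHOLDER-TAG",
        "command": ["etcd", "--data-dir=/var/lib/etcd"],
        "securityContext": {"seLinuxOptions": {"type": "spc_t"}},
        "volumeMounts": [{"name": "etcd", "mountPath": "/var/lib/etcd"}]
      }
    ],
    "volumes": [{"name": "etcd", "hostPath": {"path": "/var/lib/etcd"}}]
  }
}
"""


def _selinux_type(security_context):
    """Return seLinuxOptions.type from a securityContext dict, or None."""
    if not security_context:
        return None
    return (security_context.get("seLinuxOptions") or {}).get("type")


def selinux_findings(manifest):
    """List (scope, type) pairs for every pod- or container-level
    seLinuxOptions.type that is an over-broad label."""
    findings = []
    spec = manifest.get("spec", {})
    pod_type = _selinux_type(spec.get("securityContext"))
    if pod_type in OVERBROAD_SELINUX_TYPES:
        findings.append(("pod", pod_type))
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        ctype = _selinux_type(container.get("securityContext"))
        if ctype in OVERBROAD_SELINUX_TYPES:
            findings.append((container["name"], ctype))
    return findings


def strip_selinux_type(manifest):
    """Return a deep copy with every over-broad seLinuxOptions removed, so the
    container falls back to the default container label of the host policy.
    Empty securityContext dicts left behind are dropped as well."""
    fixed = copy.deepcopy(manifest)
    spec = fixed.get("spec", {})
    scopes = [spec] + spec.get("containers", []) + spec.get("initContainers", [])
    for scope in scopes:
        sc = scope.get("securityContext")
        if _selinux_type(sc) in OVERBROAD_SELINUX_TYPES:
            del sc["seLinuxOptions"]
            if not sc:
                del scope["securityContext"]
    return fixed


def audit_json(manifest_json):
    """Parse a JSON manifest and return (findings, fixed_manifest)."""
    manifest = json.loads(manifest_json)
    return selinux_findings(manifest), strip_selinux_type(manifest)


if __name__ == "__main__":
    findings, fixed = audit_json(BEFORE_MANIFEST_JSON)
    for scope, label in findings:
        print(f"{scope}: over-broad SELinux type {label}")
    print(json.dumps(fixed, indent=2))
```

Running the module prints the single finding for the `etcd` container and the manifest with the label removed; the fixed manifest is a copy, so the original stays untouched for comparison. Note that removing the label only restores the host policy's default container confinement; as the thread points out, on a host whose policy lacks `spc_t` the labelled manifest fails outright, which is the case this check is meant to catch before deployment.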