
Merge "Add selinux_mode label"

tags/10.0.0.0rc1
Zuul 3 months ago
committed by Gerrit Code Review
parent
commit
3b9f06726d
13 changed files with 119 additions and 7 deletions
  1. +19
    -1
      doc/source/user/index.rst
  2. +2
    -3
      magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
  3. +1
    -0
      magnum/drivers/heat/k8s_fedora_template_def.py
  4. +10
    -0
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
  5. +9
    -2
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
  6. +9
    -1
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
  7. +22
    -0
      magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
  8. +10
    -0
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
  9. +6
    -0
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
  10. +6
    -0
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
  11. +16
    -0
      magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
  12. +4
    -0
      magnum/tests/unit/drivers/test_template_definition.py
  13. +5
    -0
      releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml

+ 19
- 1
doc/source/user/index.rst View File

@@ -449,6 +449,10 @@ the table are linked to more details elsewhere in the user guide.
| `use_podman`_ | - true | see below |
| | - false | |
+---------------------------------------+--------------------+---------------+
| `selinux_mode`_ | - enforcing | see below |
| | - permissive | |
| | - disabled | |
+---------------------------------------+--------------------+---------------+
| `container_runtime`_ | - "" | "" |
| | - containerd | |
+---------------------------------------+--------------------+---------------+
@@ -1234,7 +1238,7 @@ _`kube_tag`
container tag for `Fedora Atomic
<https://hub.docker.com/r/openstackmagnum/kubernetes-apiserver/tags/>`_ or
`Fedora CoreOS and Fedora Atomic (with use_podman=true label)
<https://github.com/kubernetes/kubernetes/releases>_`. If unset, the current
<https://github.com/kubernetes/kubernetes/releases>`_. If unset, the current
Magnum version's default Kubernetes release is installed. `Take a look at
the Wiki for a compatibility matrix between Kubernetes and Magnum Releases
<https://wiki.openstack.org/wiki/Magnum#Compatibility_Matrix>`_.
@@ -1526,6 +1530,20 @@ _`use_podman`
necessary since v1.16 dropped the --containerized flag in kubelet.
https://github.com/kubernetes/kubernetes/pull/80043/files

_`selinux_mode`
Choose `SELinux mode between enforcing, permissive and disabled
<http://man7.org/linux/man-pages/man5/selinux_config.5.html>`_. This label
is currently only relevant for k8s_fedora drivers.

k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this
was the only way atomic containers were able to start Kubernetes services. On
the other hand, if the opt-in use_podman=true label is supplied,
selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is
chosen, this only takes full effect once the instances are manually rebooted
but they will be set to permissive mode in the meantime.

k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing.

_`container_runtime`
The container runtime to use. Empty value means, use docker from the
host. Since ussuri, apart from empty (host-docker), containerd is also


+ 2
- 3
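--- a/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
@@ -1,8 +1,7 @@
 #cloud-boothook
 #!/bin/sh
 
-setenforce 0
-
+setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0`
 sed -i '
-/^SELINUX=/ s/=.*/=permissive/
+/^SELINUX=/ s/=.*/=$SELINUX_MODE/
 ' /etc/selinux/config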
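Review bot: The `[[ ... ]]` test on the new `setenforce` line is a bash construct under a `#!/bin/sh` shebang; on a POSIX sh such as dash `[[` is not found, the `|| echo 0` branch wins, and a requested `enforcing` mode silently ends up as `setenforce 0` until the next reboot. A POSIX form has no such failure mode: `setenforce $([ "$SELINUX_MODE" = "enforcing" ] && echo 1 || echo 0)`. The substituted value also lands unquoted inside the sed expression, which is safe only because the parent template limits the parameter to three values, so that dependency deserves a comment at the top of the script: `# $SELINUX_MODE is filled in by Heat str_replace; kubecluster.yaml restricts it to enforcing/permissive/disabled`.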

+ 1
- 0
magnum/drivers/heat/k8s_fedora_template_def.py View File

@@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_enabled',
'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap',
'selinux_mode',
'tiller_enabled',
'tiller_tag',
'tiller_namespace',


+ 10
- 0
magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml View File

@@ -856,6 +856,14 @@ parameters:
default:
false

selinux_mode:
type: string
description: >
Choose SELinux mode
default: "permissive"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]

kube_image_digest:
type: string
description: >
@@ -1221,6 +1229,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@@ -1393,6 +1402,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
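Review bot: The new `selinux_mode` parameter's description, `Choose SELinux mode`, does not tell the operator what the three allowed values do to the nodes, and the `disabled` case carries a caveat (the user guide text in this change says nodes stay permissive until a manual reboot) that belongs next to the parameter rather than only in the docs. Suggest expanding the description to `SELinux mode for the cluster nodes (enforcing, permissive or disabled); disabled takes full effect only after a reboot, nodes run permissive until then`. The Fedora CoreOS kubecluster.yaml in this change uses the same one-line description and would benefit from the same wording, minus the reboot caveat if it does not apply there.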


+ 9
- 2
magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml View File

@@ -604,6 +604,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent

selinux_mode:
type: string
description: >
Choose SELinux mode

container_runtime:
type: string
description: The container runtime to install
@@ -635,7 +640,6 @@ conditions:
- get_param: boot_volume_size
- 0


resources:
######################################################################
#
@@ -678,7 +682,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}

master_config:
type: OS::Heat::SoftwareConfig
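Review bot: The `selinux_mode` parameter added in the `parameters:` hunk of this nested template carries no `constraints`, while the top-level kubecluster.yaml limits the value to enforcing/permissive/disabled; the `str_replace` in the `resources:` hunk pastes the value straight into disable-selinux.sh, where it is used unquoted in a `setenforce` test and a sed expression, so this template is safe only through the parent's check. Repeating the constraint here keeps the validation next to the substitution: add `constraints:` / `- allowed_values: ["enforcing", "permissive", "disabled"]` under the parameter. The same applies to the Fedora Atomic kubeminion.yaml and to the Fedora CoreOS kubemaster.yaml and kubeminion.yaml parameters in this change, where the value is substituted as `__SELINUX_MODE__` into the Ignition user data.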


+ 9
- 1
magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml View File

@@ -327,6 +327,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent

selinux_mode:
type: string
description: >
Choose SELinux mode

container_runtime:
type: string
description: The container runtime to install
@@ -376,7 +381,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}

######################################################################
#


+ 22
- 0
magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml View File

@@ -35,6 +35,27 @@ storage:
group:
name: root
files:
- path: /etc/selinux/config
# 420 (decimal) == 644 (octal)
mode: 420
group:
name: root
user:
name: root
contents:
inline: |
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=__SELINUX_MODE__
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
overwrite: true
- path: /etc/containers/libpod.conf
# 420 (decimal) == 644 (octal)
mode: 420
@@ -58,6 +79,7 @@ storage:
contents:
inline: |
__HOSTNAME__
overwrite: true
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
# 420 (decimal) == 644 (octal)
mode: 420
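Review bot: The inline `/etc/selinux/config` content added here is duplicated, percent-encoded, in user_data.json in this same change (the `data:` URL there decodes to the same text), so a maintainer editing one file has to remember the other; a comment above the `- path: /etc/selinux/config` entry such as `# keep in sync with user_data.json (presumably the transpiled form of this file)` would make that explicit. The entry is written root:root with mode 0644 and `overwrite: true`, so the `__SELINUX_MODE__` placeholder filled by Heat is the only external input to the file, and its value is bounded by the allowed_values constraint in the parent kubecluster.yaml rather than by anything in this template.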


+ 10
- 0
magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml View File

@@ -858,6 +858,14 @@ parameters:
constraints:
- allowed_values: [true]

selinux_mode:
type: string
description: >
Choose SELinux mode
default: "enforcing"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]

kube_image_digest:
type: string
description: >
@@ -1230,6 +1238,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
kube_image_digest: {get_param: kube_image_digest}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
@@ -1404,6 +1413,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}


+ 6
- 0
magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml View File

@@ -608,6 +608,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent

selinux_mode:
type: string
description: >
Choose SELinux mode

kube_image_digest:
type: string
description: >
@@ -691,6 +696,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}

master_config:
type: OS::Heat::SoftwareConfig


+ 6
- 0
magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml View File

@@ -329,6 +329,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent

selinux_mode:
type: string
description: >
Choose SELinux mode

container_runtime:
type: string
description: The container runtime to install
@@ -381,6 +386,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}

######################################################################
#


+ 16
- 0
magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json View File

@@ -46,6 +46,21 @@
}
],
"files": [
{
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/selinux/config",
"user": {
"name": "root"
},
"contents": {
"source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A",
"verification": {}
},
"mode": 420
},
{
"group": {
"name": "root"
@@ -64,6 +79,7 @@
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/hostname",
"user": {
"name": "root"


+ 4
- 0
magnum/tests/unit/drivers/test_template_definition.py View File

@@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
@@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,


+ 5
- 0
releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml View File

@@ -0,0 +1,5 @@
---
features:
- |
Add selinux_mode label. By default, selinux_mode=permissive with Fedora
Atomic driver and selinux_mode=enforcing with Fedora CoreOS.
