diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 354a69e3d4..a144a95e0d 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -449,6 +449,10 @@ the table are linked to more details elsewhere in the user guide.
| `use_podman`_ | - true | see below |
| | - false | |
+---------------------------------------+--------------------+---------------+
+| `selinux_mode`_ | - enforcing | see below |
+| | - permissive | |
+| | - disabled | |
++---------------------------------------+--------------------+---------------+
| `container_runtime`_ | - "" | "" |
| | - containerd | |
+---------------------------------------+--------------------+---------------+
@@ -1234,7 +1238,7 @@ _`kube_tag`
container tag for `Fedora Atomic
`_ or
`Fedora CoreOS and Fedora Atomic (with use_podman=true label)
- _`. If unset, the current
+ `_. If unset, the current
Magnum version's default Kubernetes release is installed. `Take a look at
the Wiki for a compatibility matrix between Kubernetes and Magnum Releases
`_.
@@ -1526,6 +1530,20 @@ _`use_podman`
necessary since v1.16 dropped the --containerized flag in kubelet.
https://github.com/kubernetes/kubernetes/pull/80043/files
+_`selinux_mode`
+ Choose `SELinux mode between enforcing, permissive and disabled
+ `_. This label
+ is currently only relevant for k8s_fedora drivers.
+
+ k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this
+ was the only way atomic containers were able to start Kubernetes services. On
+ the other hand, if the opt-in use_podman=true label is supplied,
+ selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is
+ chosen, this only takes full effect once the instances are manually rebooted
+ but they will be set to permissive mode in the meantime.
+
+ k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing.
+
_`container_runtime`
The container runtime to use. Empty value means, use docker from the
host. Since ussuri, apart from empty (host-docker), containerd is also
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh b/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
index a28e26d6d3..b8d5107985 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh
@@ -1,8 +1,7 @@
#cloud-boothook
#!/bin/sh
-setenforce 0
-
+setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0`
sed -i '
- /^SELINUX=/ s/=.*/=permissive/
+ /^SELINUX=/ s/=.*/=$SELINUX_MODE/
' /etc/selinux/config
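Review bot: Line 54 uses the bash-only `[[ … ]]` test under the `#!/bin/sh` shebang on line 51; `[[` is not POSIX, so the fragment only works where `sh` happens to be bash, and backticks are the legacy substitution form. A portable equivalent is `setenforce "$([ "$SELINUX_MODE" = "enforcing" ] && echo 1 || echo 0)"`. A comment above that line would help the next reader: `# $SELINUX_MODE is substituted by Heat str_replace at stack creation, not read from the environment; kubecluster.yaml constrains it to enforcing/permissive/disabled`. It is also worth stating in the script that for `disabled` the runtime call is still `setenforce 0` (permissive) and the config change only takes effect at the next reboot, which is what the user-guide hunk above says.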
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py
index 94c61839e6..5d58456136 100644
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_enabled',
'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap',
+ 'selinux_mode',
'tiller_enabled',
'tiller_tag',
'tiller_namespace',
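Review bot: `selinux_mode` joins the label pass-through list on line 67 without any validation in the definition; judging from the sibling entries, an unsupported value is only rejected when Heat evaluates the `allowed_values` constraint in kubecluster.yaml, i.e. as a stack-create failure rather than an API-time error (the list continues outside the hunk). If the class validates other label values before building the parameter dict, that is where `selinux_mode` should be checked against `enforcing`/`permissive`/`disabled` as well; otherwise a one-line comment such as `# value range is enforced by the selinux_mode constraint in kubecluster.yaml` would save the next reader a search.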
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 54084e9b3d..c422d966eb 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -856,6 +856,14 @@ parameters:
default:
false
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+ default: "permissive"
+ constraints:
+ - allowed_values: ["enforcing", "permissive", "disabled"]
+
kube_image_digest:
type: string
description: >
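Review bot: The description `Choose SELinux mode` on lines 80–81 tells the operator neither what the three values do nor that `disabled` cannot take effect at runtime; the user-guide hunk above says nodes stay permissive until a manual reboot, and the template should say the same. Suggest replacing it with `description: >` followed by `SELinux mode for cluster nodes: enforcing, permissive or disabled. 'disabled' only takes full effect after the nodes are rebooted; they run in permissive mode until then.` The same one-line description is repeated in the k8s_fedora_coreos_v1 kubecluster.yaml parameter and in the kubemaster.yaml/kubeminion.yaml parameters of both drivers.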
@@ -1221,6 +1229,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
+ selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@@ -1393,6 +1402,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
+ selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index f683385b1b..7fee7181c9 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -604,6 +604,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+
container_runtime:
type: string
description: The container runtime to install
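Review bot: The nested `selinux_mode` parameter on lines 112–115 carries no `allowed_values` constraint, while its value is spliced into a shell fragment (`setenforce` and a `sed` substitution) by the str_replace block further down this file. Today the only source is the constrained parameter in kubecluster.yaml, so this is defense in depth rather than a live bug, but repeating `constraints:` / `- allowed_values: ["enforcing", "permissive", "disabled"]` here keeps the check next to the consumer if a later change feeds the nested template from elsewhere. The same applies to kubeminion.yaml in this driver and to the k8s_fedora_coreos_v1 kubemaster.yaml/kubeminion.yaml parameters, where the value lands in /etc/selinux/config via Ignition.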
@@ -635,7 +640,6 @@ conditions:
- get_param: boot_volume_size
- 0
-
resources:
######################################################################
#
@@ -678,7 +682,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- - get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
+ - str_replace:
+ template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
+ params:
+ $SELINUX_MODE: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
index c2887d90ed..5066bca085 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@@ -327,6 +327,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+
container_runtime:
type: string
description: The container runtime to install
@@ -376,7 +381,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- - get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
+ - str_replace:
+ template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
+ params:
+ $SELINUX_MODE: {get_param: selinux_mode}
######################################################################
#
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
index 2ace5bc7ee..99fd2f13bc 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
@@ -35,6 +35,27 @@ storage:
group:
name: root
files:
+ - path: /etc/selinux/config
+ # 420 (decimal) == 644 (octal)
+ mode: 420
+ group:
+ name: root
+ user:
+ name: root
+ contents:
+ inline: |
+ # This file controls the state of SELinux on the system.
+ # SELINUX= can take one of these three values:
+ # enforcing - SELinux security policy is enforced.
+ # permissive - SELinux prints warnings instead of enforcing.
+ # disabled - No SELinux policy is loaded.
+ SELINUX=__SELINUX_MODE__
+ # SELINUXTYPE= can take one of these three values:
+ # targeted - Targeted processes are protected,
+ # minimum - Modification of targeted policy. Only selected processes are protected.
+ # mls - Multi Level Security protection.
+ SELINUXTYPE=targeted
+ overwrite: true
- path: /etc/containers/libpod.conf
# 420 (decimal) == 644 (octal)
mode: 420
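Review bot: Writing `SELINUX=__SELINUX_MODE__` into /etc/selinux/config on line 186 is the only place the CoreOS driver applies the mode, so `disabled` depends on the guest honouring that file at boot; if the pinned Fedora CoreOS release ignores `SELINUX=disabled` in the config file in favour of the `selinux=0` kernel argument (I cannot confirm the image version from the page), that value could leave SELinux active without any error. A comment on the `inline:` block would flag this: `# SELINUX= is read by the OS at boot; 'disabled' may require a kernel argument on newer releases — verify against the pinned image`. The file is written 0644 root:root with `overwrite: true` (lines 173–178 and 192), which matches the distro default and is the right choice. The same content appears URL-encoded in user_data.json; if that file is generated from this one, a comment here noting that user_data.json must be regenerated after edits would keep the two from drifting.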
@@ -58,6 +79,7 @@ storage:
contents:
inline: |
__HOSTNAME__
+ overwrite: true
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
# 420 (decimal) == 644 (octal)
mode: 420
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
index 41ab9722d0..a05193f677 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -858,6 +858,14 @@ parameters:
constraints:
- allowed_values: [true]
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+ default: "enforcing"
+ constraints:
+ - allowed_values: ["enforcing", "permissive", "disabled"]
+
kube_image_digest:
type: string
description: >
@@ -1230,6 +1238,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
+ selinux_mode: {get_param: selinux_mode}
kube_image_digest: {get_param: kube_image_digest}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
@@ -1404,6 +1413,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
+ selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
index 11494db166..482022bc1a 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -608,6 +608,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+
kube_image_digest:
type: string
description: >
@@ -691,6 +696,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
+ __SELINUX_MODE__: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
index 0077163b93..530e631f0c 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
@@ -329,6 +329,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
+ selinux_mode:
+ type: string
+ description: >
+ Choose SELinux mode
+
container_runtime:
type: string
description: The container runtime to install
@@ -381,6 +386,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
+ __SELINUX_MODE__: {get_param: selinux_mode}
######################################################################
#
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
index b2da796a8a..6c18d66ad9 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
@@ -46,6 +46,21 @@
}
],
"files": [
+ {
+ "group": {
+ "name": "root"
+ },
+ "overwrite": true,
+ "path": "/etc/selinux/config",
+ "user": {
+ "name": "root"
+ },
+ "contents": {
+ "source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A",
+ "verification": {}
+ },
+ "mode": 420
+ },
{
"group": {
"name": "root"
@@ -64,6 +79,7 @@
"group": {
"name": "root"
},
+ "overwrite": true,
"path": "/etc/hostname",
"user": {
"name": "root"
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index cde62e70c1..a2b2a620fe 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
+ selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
+ 'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
@@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
+ selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
+ 'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
diff --git a/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml b/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml
new file mode 100644
index 0000000000..ee72bc9573
--- /dev/null
+++ b/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add selinux_mode label. By default, selinux_mode=permissive with Fedora
+ Atomic driver and selinux_mode=enforcing with Fedora CoreOS.