From fd80e1989f74c4e63663f80b1518d0709621e78d Mon Sep 17 00:00:00 2001 From: Bharat Kunwar Date: Sat, 28 Mar 2020 17:57:25 +0000 Subject: [PATCH] Add selinux_mode label Fedora Atomic default: permissive Fedora CoreOS default: enforcing Story: 2007413 Task: 39033 Change-Id: Ibc1e02098155ac95bb35fcea5f21cc380bdf0d03 Signed-off-by: Bharat Kunwar --- doc/source/user/index.rst | 20 ++++++++++++++++- .../kubernetes/fragments/disable-selinux.sh | 5 ++--- .../drivers/heat/k8s_fedora_template_def.py | 1 + .../templates/kubecluster.yaml | 10 +++++++++ .../templates/kubemaster.yaml | 11 ++++++++-- .../templates/kubeminion.yaml | 10 ++++++++- .../templates/fcct-config.yaml | 22 +++++++++++++++++++ .../templates/kubecluster.yaml | 10 +++++++++ .../templates/kubemaster.yaml | 6 +++++ .../templates/kubeminion.yaml | 6 +++++ .../templates/user_data.json | 16 ++++++++++++++ .../unit/drivers/test_template_definition.py | 4 ++++ ...support-selinux-mode-5bd2a3ece23a2caa.yaml | 5 +++++ 13 files changed, 119 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index d66a72bf2a..a31efdb4cd 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -448,6 +448,10 @@ the table are linked to more details elsewhere in the user guide. | `use_podman`_ | - true | see below | | | - false | | +---------------------------------------+--------------------+---------------+ +| `selinux_mode`_ | - enforcing | see below | +| | - permissive | | +| | - disabled | | ++---------------------------------------+--------------------+---------------+ | `container_runtime`_ | - "" | "" | | | - containerd | | +---------------------------------------+--------------------+---------------+ 
@@ -1222,7 +1226,7 @@ _`kube_tag` container tag for `Fedora Atomic `_ or `Fedora CoreOS and Fedora Atomic (with use_podman=true label) - _`. If unset, the current + `_. If unset, the current Magnum version's default Kubernetes release is installed. `Take a look at the Wiki for a compatibility matrix between Kubernetes and Magnum Releases `_. @@ -1507,6 +1511,20 @@ _`use_podman` necessary since v1.16 dropped the --containerized flag in kubelet. https://github.com/kubernetes/kubernetes/pull/80043/files +_`selinux_mode` + Choose `SELinux mode between enforcing, permissive and disabled + `_. This label + is currently only relevant for k8s_fedora drivers. + + k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this + was the only way atomic containers were able to start Kubernetes services. On + the other hand, if the opt-in use_podman=true label is supplied, + selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is + chosen, this only takes full effect once the instances are manually rebooted + but they will be set to permissive mode in the meantime. + + k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing. + _`container_runtime` The container runtime to use. Empty value means, use docker from the host. Since ussuri, apart from empty (host-docker), containerd is also diff --git a/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh b/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh index a28e26d6d3..b8d5107985 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/disable-selinux.sh @@ -1,8 +1,7 @@ #cloud-boothook #!/bin/sh -setenforce 0 - +setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0` sed -i ' - /^SELINUX=/ s/=.*/=permissive/ + /^SELINUX=/ s/=.*/=$SELINUX_MODE/ ' /etc/selinux/config 
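Review bot: The new `setenforce` line relies on the bash-only `[[ ]]` test while the fragment's shebang is `#!/bin/sh`, and because of the `&& echo 1 || echo 0` chain any failure of that test (a POSIX sh without `[[`, a broken substitution) silently becomes `setenforce 0`, i.e. a cluster requested as enforcing degrades to permissive at boot with no error. It works today only because Fedora's /bin/sh is bash. I would replace the backtick expression with an explicit `case` that sets 1 for enforcing, 0 for permissive/disabled and fails loudly on anything else, so the fragment is POSIX and fails closed. The sed on /etc/selinux/config stays as is; the file is also still named disable-selinux.sh although it can now enable enforcing mode, which deserves a one-line comment at the top.
```shell
case "$SELINUX_MODE" in
    enforcing) setenforce 1 ;;
    permissive|disabled) setenforce 0 ;;
    *) echo "disable-selinux.sh: unsupported selinux_mode '$SELINUX_MODE'" >&2; exit 1 ;;
esac
# … unchanged: sed -i on /etc/selinux/config …
```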
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py index 2c9d23534a..dcca7c1049 100644 --- a/magnum/drivers/heat/k8s_fedora_template_def.py +++ b/magnum/drivers/heat/k8s_fedora_template_def.py @@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition): 'prometheus_adapter_enabled', 'prometheus_adapter_chart_tag', 'prometheus_adapter_configmap', + 'selinux_mode', 'tiller_enabled', 'tiller_tag', 'tiller_namespace', diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 793cb671b8..69c60c0911 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -851,6 +851,14 @@ parameters: default: false + selinux_mode: + type: string + description: > + Choose SELinux mode + default: "permissive" + constraints: + - allowed_values: ["enforcing", "permissive", "disabled"] + kube_image_digest: type: string description: > @@ -1216,6 +1224,7 @@ resources: ostree_remote: {get_param: ostree_remote} ostree_commit: {get_param: ostree_commit} use_podman: {get_param: use_podman} + selinux_mode: {get_param: selinux_mode} container_runtime: {get_param: container_runtime} containerd_version: {get_param: containerd_version} containerd_tarball_url: {get_param: containerd_tarball_url} @@ -1385,6 +1394,7 @@ resources: ostree_remote: {get_param: ostree_remote} ostree_commit: {get_param: ostree_commit} use_podman: {get_param: use_podman} + selinux_mode: {get_param: selinux_mode} container_runtime: {get_param: container_runtime} containerd_version: {get_param: containerd_version} containerd_tarball_url: {get_param: containerd_tarball_url} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index f683385b1b..7fee7181c9 100644 
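Review bot: `selinux_mode` is added to the pass-through label list without any check of the pairing that the user docs in this same patch describe as unsupported: on k8s_fedora_atomic_v1, `selinux_mode=enforcing` is only said to work together with `use_podman=true`, yet a user can supply enforcing with the default podman setting and get a cluster whose Kubernetes services do not start. Heat's `allowed_values` can only validate one parameter at a time, so the driver is the place to reject or at least flag that combination; at minimum I would put `# selinux_mode=enforcing on Fedora Atomic requires use_podman=true (see user docs)` next to the new entry. The enclosing method starts and ends outside the hunk, so I cannot tell whether other label combinations are already validated there.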
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml @@ -604,6 +604,11 @@ parameters: description: > if true, run system containers for kubernetes, etcd and heat-agent + selinux_mode: + type: string + description: > + Choose SELinux mode + container_runtime: type: string description: The container runtime to install @@ -635,7 +640,6 @@ conditions: - get_param: boot_volume_size - 0 - resources: ###################################################################### # @@ -678,7 +682,10 @@ resources: $HTTP_PROXY: {get_param: http_proxy} $HTTPS_PROXY: {get_param: https_proxy} $NO_PROXY: {get_param: no_proxy} - - get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh + - str_replace: + template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh} + params: + $SELINUX_MODE: {get_param: selinux_mode} master_config: type: OS::Heat::SoftwareConfig diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml index c2887d90ed..5066bca085 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml @@ -327,6 +327,11 @@ parameters: description: > if true, run system containers for kubernetes, etcd and heat-agent + selinux_mode: + type: string + description: > + Choose SELinux mode + container_runtime: type: string description: The container runtime to install @@ -376,7 +381,10 @@ resources: $HTTP_PROXY: {get_param: http_proxy} $HTTPS_PROXY: {get_param: https_proxy} $NO_PROXY: {get_param: no_proxy} - - get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh + - str_replace: + template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh} + params: + $SELINUX_MODE: {get_param: selinux_mode} ###################################################################### # 
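Review bot: The new `selinux_mode` parameters in kubemaster.yaml and kubeminion.yaml carry no `default` and no `constraints`, so the only thing standing between an arbitrary string and the `str_replace` into disable-selinux.sh (which runs as root at boot) is the `allowed_values` list on the parent kubecluster.yaml. Because the value lands inside a shell test and a sed expression, I would repeat the constraint in both nested templates as defence in depth: `constraints:` / `  - allowed_values: ["enforcing", "permissive", "disabled"]`. The description `Choose SELinux mode` could also list those values so the nested templates are self-explanatory.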
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml index 2ace5bc7ee..99fd2f13bc 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml @@ -35,6 +35,27 @@ storage: group: name: root files: + - path: /etc/selinux/config + # 420 (decimal) == 644 (octal) + mode: 420 + group: + name: root + user: + name: root + contents: + inline: | + # This file controls the state of SELinux on the system. + # SELINUX= can take one of these three values: + # enforcing - SELinux security policy is enforced. + # permissive - SELinux prints warnings instead of enforcing. + # disabled - No SELinux policy is loaded. + SELINUX=__SELINUX_MODE__ + # SELINUXTYPE= can take one of these three values: + # targeted - Targeted processes are protected, + # minimum - Modification of targeted policy. Only selected processes are protected. + # mls - Multi Level Security protection. + SELINUXTYPE=targeted + overwrite: true - path: /etc/containers/libpod.conf # 420 (decimal) == 644 (octal) mode: 420 @@ -58,6 +79,7 @@ storage: contents: inline: | __HOSTNAME__ + overwrite: true - path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem # 420 (decimal) == 644 (octal) mode: 420 diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml index 8b4876547f..9c6ddb6703 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml @@ -853,6 +853,14 @@ parameters: constraints: - allowed_values: [true] + selinux_mode: + type: string + description: > + Choose SELinux mode + default: "enforcing" + constraints: + - allowed_values: ["enforcing", "permissive", "disabled"] + kube_image_digest: type: string description: 
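Review bot: The new `/etc/selinux/config` entry duplicates, in plain YAML, the percent-encoded blob added to user_data.json later in this patch, and nothing in either file says which one is authoritative; user_data.json looks like the fcct output of this file, so a hand edit to one without the other would silently desynchronise the CoreOS boot config. I would add above the new entry a comment along the lines of `# __SELINUX_MODE__ is substituted by Heat str_replace (selinux_mode label). Regenerate user_data.json with fcct after editing this file.` Note also that the entry pins `SELINUXTYPE=targeted` while the label only selects the mode; that is fine for the defaults but is worth stating in the same comment.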
> @@ -1219,6 +1227,7 @@ resources: ostree_remote: {get_param: ostree_remote} ostree_commit: {get_param: ostree_commit} use_podman: {get_param: use_podman} + selinux_mode: {get_param: selinux_mode} kube_image_digest: {get_param: kube_image_digest} container_runtime: {get_param: container_runtime} containerd_version: {get_param: containerd_version} @@ -1390,6 +1399,7 @@ resources: ostree_remote: {get_param: ostree_remote} ostree_commit: {get_param: ostree_commit} use_podman: {get_param: use_podman} + selinux_mode: {get_param: selinux_mode} container_runtime: {get_param: container_runtime} containerd_version: {get_param: containerd_version} containerd_tarball_url: {get_param: containerd_tarball_url} diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml index 11494db166..482022bc1a 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml @@ -608,6 +608,11 @@ parameters: description: > If true, run system containers for kubernetes, etcd and heat-agent + selinux_mode: + type: string + description: > + Choose SELinux mode + kube_image_digest: type: string description: > @@ -691,6 +696,7 @@ resources: __HTTP_PROXY__: {get_param: http_proxy} __HTTPS_PROXY__: {get_param: https_proxy} __NO_PROXY__: {get_param: no_proxy} + __SELINUX_MODE__: {get_param: selinux_mode} master_config: type: OS::Heat::SoftwareConfig diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml index 0077163b93..530e631f0c 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml 
@@ -329,6 +329,11 @@ parameters: description: > If true, run system containers for kubernetes, etcd and heat-agent + selinux_mode: + type: string + description: > + Choose SELinux mode + container_runtime: type: string description: The container runtime to install @@ -381,6 +386,7 @@ resources: __HTTP_PROXY__: {get_param: http_proxy} __HTTPS_PROXY__: {get_param: https_proxy} __NO_PROXY__: {get_param: no_proxy} + __SELINUX_MODE__: {get_param: selinux_mode} ###################################################################### # diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json index b2da796a8a..6c18d66ad9 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json @@ -46,6 +46,21 @@ } ], "files": [ + { + "group": { + "name": "root" + }, + "overwrite": true, + "path": "/etc/selinux/config", + "user": { + "name": "root" + }, + "contents": { + "source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A", + "verification": {} + }, + "mode": 420 + }, { "group": { "name": "root" 
@@ -64,6 +79,7 @@ "group": { "name": "root" }, + "overwrite": true, "path": "/etc/hostname", "user": { "name": "root" diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py index cde62e70c1..a2b2a620fe 100644 --- a/magnum/tests/unit/drivers/test_template_definition.py +++ b/magnum/tests/unit/drivers/test_template_definition.py @@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): ostree_remote = mock_cluster.labels.get('ostree_remote') ostree_commit = mock_cluster.labels.get('ostree_commit') use_podman = mock_cluster.labels.get('use_podman') + selinux_mode = mock_cluster.labels.get('selinux_mode') container_runtime = mock_cluster.labels.get('container_runtime') containerd_version = mock_cluster.labels.get('containerd_version') containerd_tarball_url = mock_cluster.labels.get( @@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'ostree_remote': ostree_remote, 'ostree_commit': ostree_commit, 'use_podman': use_podman, + 'selinux_mode': selinux_mode, 'kube_image_digest': kube_image_digest, 'container_runtime': container_runtime, 'containerd_version': containerd_version, @@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): ostree_remote = mock_cluster.labels.get('ostree_remote') ostree_commit = mock_cluster.labels.get('ostree_commit') use_podman = mock_cluster.labels.get('use_podman') + selinux_mode = mock_cluster.labels.get('selinux_mode') container_runtime = mock_cluster.labels.get('container_runtime') containerd_version = mock_cluster.labels.get('containerd_version') containerd_tarball_url = mock_cluster.labels.get( 
@@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase): 'ostree_remote': ostree_remote, 'ostree_commit': ostree_commit, 'use_podman': use_podman, + 'selinux_mode': selinux_mode, 'kube_image_digest': kube_image_digest, 'container_runtime': container_runtime, 'containerd_version': containerd_version, diff --git a/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml b/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml new file mode 100644 index 0000000000..ee72bc9573 --- /dev/null +++ b/releasenotes/notes/support-selinux-mode-5bd2a3ece23a2caa.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add selinux_mode label. By default, selinux_mode=permissive with Fedora + Atomic driver and selinux_mode=enforcing with Fedora CoreOS.