Add selinux_mode label

Fedora Atomic default: permissive
Fedora CoreOS default: enforcing

Story: 2007413
Task: 39033

Change-Id: Ibc1e02098155ac95bb35fcea5f21cc380bdf0d03
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
Bharat Kunwar 2020-03-28 17:57:25 +00:00
parent b146c28820
commit fd80e1989f
13 changed files with 119 additions and 7 deletions

View File

@ -448,6 +448,10 @@ the table are linked to more details elsewhere in the user guide.
| `use_podman`_ | - true | see below | | `use_podman`_ | - true | see below |
| | - false | | | | - false | |
+---------------------------------------+--------------------+---------------+ +---------------------------------------+--------------------+---------------+
| `selinux_mode`_ | - enforcing | see below |
| | - permissive | |
| | - disabled | |
+---------------------------------------+--------------------+---------------+
| `container_runtime`_ | - "" | "" | | `container_runtime`_ | - "" | "" |
| | - containerd | | | | - containerd | |
+---------------------------------------+--------------------+---------------+ +---------------------------------------+--------------------+---------------+
@ -1222,7 +1226,7 @@ _`kube_tag`
container tag for `Fedora Atomic container tag for `Fedora Atomic
<https://hub.docker.com/r/openstackmagnum/kubernetes-apiserver/tags/>`_ or <https://hub.docker.com/r/openstackmagnum/kubernetes-apiserver/tags/>`_ or
`Fedora CoreOS and Fedora Atomic (with use_podman=true label) `Fedora CoreOS and Fedora Atomic (with use_podman=true label)
<https://github.com/kubernetes/kubernetes/releases>_`. If unset, the current <https://github.com/kubernetes/kubernetes/releases>`_. If unset, the current
Magnum version's default Kubernetes release is installed. `Take a look at Magnum version's default Kubernetes release is installed. `Take a look at
the Wiki for a compatibility matrix between Kubernetes and Magnum Releases the Wiki for a compatibility matrix between Kubernetes and Magnum Releases
<https://wiki.openstack.org/wiki/Magnum#Compatibility_Matrix>`_. <https://wiki.openstack.org/wiki/Magnum#Compatibility_Matrix>`_.
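Review bot: the moved backtick on the kube_tag link (`>_`` becomes `>`_`) is an unrelated RST fix bundled into the selinux_mode change; it is correct, but the commit message does not mention it, so either call it out there or split it into its own change.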
@ -1507,6 +1511,20 @@ _`use_podman`
necessary since v1.16 dropped the --containerized flag in kubelet. necessary since v1.16 dropped the --containerized flag in kubelet.
https://github.com/kubernetes/kubernetes/pull/80043/files https://github.com/kubernetes/kubernetes/pull/80043/files
_`selinux_mode`
Choose `SELinux mode between enforcing, permissive and disabled
<http://man7.org/linux/man-pages/man5/selinux_config.5.html>`_. This label
is currently only relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this
was the only way atomic containers were able to start Kubernetes services. On
the other hand, if the opt-in use_podman=true label is supplied,
selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is
chosen, this only takes full effect once the instances are manually rebooted
but they will be set to permissive mode in the meantime.
k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing.
_`container_runtime` _`container_runtime`
The container runtime to use. Empty value means, use docker from the The container runtime to use. Empty value means, use docker from the
host. Since ussuri, apart from empty (host-docker), containerd is also host. Since ussuri, apart from empty (host-docker), containerd is also
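Review bot: the paragraph says enforcing is only supported on k8s_fedora_atomic_v1 with `use_podman=true` and that atomic containers could not start the Kubernetes services otherwise, yet nothing in this change rejects `selinux_mode=enforcing` without that label; either validate the combination (in the template definition or with a Heat condition) or state plainly that cluster creation will fail. For `disabled`, the sentence "this only takes full effect once the instances are manually rebooted" should say why: the boothook can only call `setenforce 0`, it cannot unload a loaded policy, so permissive is the best it can do until reboot. Also worth one sentence that files created while SELinux is disabled carry no labels, so switching back to permissive or enforcing later requires a filesystem relabel.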

View File

@ -1,8 +1,7 @@
#cloud-boothook #cloud-boothook
#!/bin/sh #!/bin/sh
setenforce 0 setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0`
sed -i ' sed -i '
/^SELINUX=/ s/=.*/=permissive/ /^SELINUX=/ s/=.*/=$SELINUX_MODE/
' /etc/selinux/config ' /etc/selinux/config
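Review bot: `[[ ... ]]` with `==` is a bash extension under a `#!/bin/sh` shebang; it works because sh is bash on Fedora, but `$([ "$SELINUX_MODE" = "enforcing" ] && echo 1 || echo 0)` is portable and reads the same. Note that `$SELINUX_MODE` here is rewritten by Heat str_replace at render time, not expanded by the shell, so the booted script reads `[[ "enforcing" == "enforcing" ]]`; that is fine, but `setenforce` returns non-zero when the running kernel has SELinux disabled, and since the boothook has no `set -e` the sed still runs, which is the behaviour you want but deserves a comment. The fragment is still called disable-selinux.sh although it can now switch to enforcing; renaming it (for example configure-selinux.sh) would keep the templates honest.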

View File

@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_enabled', 'prometheus_adapter_enabled',
'prometheus_adapter_chart_tag', 'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap', 'prometheus_adapter_configmap',
'selinux_mode',
'tiller_enabled', 'tiller_enabled',
'tiller_tag', 'tiller_tag',
'tiller_namespace', 'tiller_namespace',

View File

@ -851,6 +851,14 @@ parameters:
default: default:
false false
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "permissive"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest: kube_image_digest:
type: string type: string
description: > description: >
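Review bot: this `allowed_values` constraint is the only validation of the label anywhere in the change (the master and minion templates declare `selinux_mode` with no constraint, which is fine since the value flows from here), so the description "Choose SELinux mode" is what users see in `openstack coe cluster template` output and in a Heat validation error; expand it to name the driver default (permissive) and the reboot caveat for `disabled`, as the user guide does.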
@ -1216,6 +1224,7 @@ resources:
ostree_remote: {get_param: ostree_remote} ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit} ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman} use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime} container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version} containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url} containerd_tarball_url: {get_param: containerd_tarball_url}
@ -1385,6 +1394,7 @@ resources:
ostree_remote: {get_param: ostree_remote} ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit} ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman} use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime} container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version} containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url} containerd_tarball_url: {get_param: containerd_tarball_url}

View File

@ -604,6 +604,11 @@ parameters:
description: > description: >
if true, run system containers for kubernetes, etcd and heat-agent if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime: container_runtime:
type: string type: string
description: The container runtime to install description: The container runtime to install
@ -635,7 +640,6 @@ conditions:
- get_param: boot_volume_size - get_param: boot_volume_size
- 0 - 0
resources: resources:
###################################################################### ######################################################################
# #
@ -678,7 +682,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy} $HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy} $HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy} $NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh - str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
master_config: master_config:
type: OS::Heat::SoftwareConfig type: OS::Heat::SoftwareConfig

View File

@ -327,6 +327,11 @@ parameters:
description: > description: >
if true, run system containers for kubernetes, etcd and heat-agent if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime: container_runtime:
type: string type: string
description: The container runtime to install description: The container runtime to install
@ -376,7 +381,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy} $HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy} $HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy} $NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh - str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
###################################################################### ######################################################################
# #

View File

@ -35,6 +35,27 @@ storage:
group: group:
name: root name: root
files: files:
- path: /etc/selinux/config
# 420 (decimal) == 644 (octal)
mode: 420
group:
name: root
user:
name: root
contents:
inline: |
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=__SELINUX_MODE__
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
overwrite: true
- path: /etc/containers/libpod.conf - path: /etc/containers/libpod.conf
# 420 (decimal) == 644 (octal) # 420 (decimal) == 644 (octal)
mode: 420 mode: 420
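Review bot: with `overwrite: true` this entry replaces the image's own /etc/selinux/config and pins `SELINUXTYPE=targeted`; that matches what Fedora CoreOS ships, but add a comment so a later edit does not assume the image default survives. `__SELINUX_MODE__` is not validated in this template, it relies on the kubecluster.yaml `allowed_values` constraint, so an empty `SELINUX=` line is only impossible as long as this file is rendered from that stack. Unlike the Atomic boothook, this takes effect on first boot because Ignition writes the file before the real root is booted, which is worth stating in the user guide since the two drivers behave differently for `disabled`.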
@ -58,6 +79,7 @@ storage:
contents: contents:
inline: | inline: |
__HOSTNAME__ __HOSTNAME__
overwrite: true
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem - path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
# 420 (decimal) == 644 (octal) # 420 (decimal) == 644 (octal)
mode: 420 mode: 420
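Review bot: the `overwrite: true` added to /etc/hostname is unrelated to selinux_mode and changes behaviour for every Fedora CoreOS cluster (the image's hostname file is now replaced rather than merged); mention it in the commit message or move it to its own change.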

View File

@ -853,6 +853,14 @@ parameters:
constraints: constraints:
- allowed_values: [true] - allowed_values: [true]
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "enforcing"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest: kube_image_digest:
type: string type: string
description: > description: >
@ -1219,6 +1227,7 @@ resources:
ostree_remote: {get_param: ostree_remote} ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit} ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman} use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
kube_image_digest: {get_param: kube_image_digest} kube_image_digest: {get_param: kube_image_digest}
container_runtime: {get_param: container_runtime} container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version} containerd_version: {get_param: containerd_version}
@ -1390,6 +1399,7 @@ resources:
ostree_remote: {get_param: ostree_remote} ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit} ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman} use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime} container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version} containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url} containerd_tarball_url: {get_param: containerd_tarball_url}

View File

@ -608,6 +608,11 @@ parameters:
description: > description: >
If true, run system containers for kubernetes, etcd and heat-agent If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
kube_image_digest: kube_image_digest:
type: string type: string
description: > description: >
@ -691,6 +696,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy} __HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy} __HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy} __NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
master_config: master_config:
type: OS::Heat::SoftwareConfig type: OS::Heat::SoftwareConfig

View File

@ -329,6 +329,11 @@ parameters:
description: > description: >
If true, run system containers for kubernetes, etcd and heat-agent If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime: container_runtime:
type: string type: string
description: The container runtime to install description: The container runtime to install
@ -381,6 +386,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy} __HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy} __HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy} __NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
###################################################################### ######################################################################
# #

View File

@ -46,6 +46,21 @@
} }
], ],
"files": [ "files": [
{
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/selinux/config",
"user": {
"name": "root"
},
"contents": {
"source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A",
"verification": {}
},
"mode": 420
},
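Review bot: the percent-encoded `data:` URL duplicates the inline contents of the YAML template earlier in this change (including `SELINUX%3D__SELINUX_MODE__` and `SELINUXTYPE%3Dtargeted`); they match today, but nothing enforces that, so add a comment that this JSON is regenerated from the YAML, or a unit test that decodes the `data:` URL and compares it with the YAML inline block, so the two cannot drift.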
{ {
"group": { "group": {
"name": "root" "name": "root"
@ -64,6 +79,7 @@
"group": { "group": {
"name": "root" "name": "root"
}, },
"overwrite": true,
"path": "/etc/hostname", "path": "/etc/hostname",
"user": { "user": {
"name": "root" "name": "root"

View File

@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote') ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit') ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman') use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime') container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version') containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get( containerd_tarball_url = mock_cluster.labels.get(
@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote, 'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit, 'ostree_commit': ostree_commit,
'use_podman': use_podman, 'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest, 'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime, 'container_runtime': container_runtime,
'containerd_version': containerd_version, 'containerd_version': containerd_version,
@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote') ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit') ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman') use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime') container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version') containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get( containerd_tarball_url = mock_cluster.labels.get(
@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote, 'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit, 'ostree_commit': ostree_commit,
'use_podman': use_podman, 'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest, 'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime, 'container_runtime': container_runtime,
'containerd_version': containerd_version, 'containerd_version': containerd_version,
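Review bot: these assertions only check that the `selinux_mode` label is copied into the stack parameters; nothing exercises the defaults that the commit message promises (permissive for Fedora Atomic, enforcing for Fedora CoreOS) or the fragment substitution. Add a case with `selinux_mode` unset that asserts the driver default reaching the stack, so a future edit cannot silently flip either driver to permissive.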

View File

@ -0,0 +1,5 @@
---
features:
- |
Add selinux_mode label. By default, selinux_mode=permissive with Fedora
Atomic driver and selinux_mode=enforcing with Fedora CoreOS.
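Review bot: the note should say that the defaults match previous behaviour (Atomic was already forced to permissive by the boothook, CoreOS images already boot enforcing) so operators know no existing cluster changes mode, and it should carry the `disabled` caveat from the user guide: on Fedora Atomic it only takes full effect after a reboot, with permissive in the meantime.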