Add selinux_mode label
Fedora Atomic default: permissive
Fedora CoreOS default: enforcing

Story: 2007413
Task: 39033
Change-Id: Ibc1e02098155ac95bb35fcea5f21cc380bdf0d03
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
parent b146c28820
commit fd80e1989f
@ -448,6 +448,10 @@ the table are linked to more details elsewhere in the user guide.
| `use_podman`_ | - true | see below |
| | - false | |
+---------------------------------------+--------------------+---------------+
| `selinux_mode`_ | - enforcing | see below |
| | - permissive | |
| | - disabled | |
+---------------------------------------+--------------------+---------------+
| `container_runtime`_ | - "" | "" |
| | - containerd | |
+---------------------------------------+--------------------+---------------+
@ -1222,7 +1226,7 @@ _`kube_tag`
container tag for `Fedora Atomic
<https://hub.docker.com/r/openstackmagnum/kubernetes-apiserver/tags/>`_ or
`Fedora CoreOS and Fedora Atomic (with use_podman=true label)
<https://github.com/kubernetes/kubernetes/releases>_`. If unset, the current
<https://github.com/kubernetes/kubernetes/releases>`_. If unset, the current
Magnum version's default Kubernetes release is installed. `Take a look at
the Wiki for a compatibility matrix between Kubernetes and Magnum Releases
<https://wiki.openstack.org/wiki/Magnum#Compatibility_Matrix>`_.
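Review bot: the change from `>_`` to `>`_` on the kubernetes/kubernetes releases link is an unrelated RST markup fix riding along with the selinux_mode work; it is a welcome fix, but it deserves a mention in the commit message so the drive-by edit is not a surprise to anyone reading the history.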
@ -1507,6 +1511,20 @@ _`use_podman`
necessary since v1.16 dropped the --containerized flag in kubelet.
https://github.com/kubernetes/kubernetes/pull/80043/files
_`selinux_mode`
Choose `SELinux mode between enforcing, permissive and disabled
<http://man7.org/linux/man-pages/man5/selinux_config.5.html>`_. This label
is currently only relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this
was the only way atomic containers were able to start Kubernetes services. On
the other hand, if the opt-in use_podman=true label is supplied,
selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is
chosen, this only takes full effect once the instances are manually rebooted
but they will be set to permissive mode in the meantime.
k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing.
_`container_runtime`
The container runtime to use. Empty value means, use docker from the
host. Since ussuri, apart from empty (host-docker), containerd is also
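Review bot: the new `selinux_mode` section explains the defaults and the reboot caveat for `disabled` but does not say what an operator gives up by leaving enforcing mode; the fcc file in this same change already carries the wording (permissive prints warnings instead of enforcing, disabled loads no policy), so a sentence stating that permissive and disabled reduce the confinement between containers and the host would let readers weigh the trade-off when the Atomic driver defaults them to permissive. The reboot note is correct as written, since the boothook can only drop to permissive at runtime.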
@ -1,8 +1,7 @@
#cloud-boothook
#!/bin/sh
setenforce 0
setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0`
sed -i '
/^SELINUX=/ s/=.*/=permissive/
/^SELINUX=/ s/=.*/=$SELINUX_MODE/
' /etc/selinux/config
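Review bot: the new `setenforce` line relies on `[[ ... ]]` inside backticks under a `#!/bin/sh` shebang, and the Heat-substituted `$SELINUX_MODE` value lands unquoted in both that test and the `sed` replacement `s/=.*/=$SELINUX_MODE/`, so the fragment is only safe because the `allowed_values` constraint on the kubecluster.yaml parameter limits the label to enforcing/permissive/disabled. A POSIX form such as `case "$SELINUX_MODE" in enforcing) setenforce 1 ;; *) setenforce 0 ;; esac` would drop the bash-ism and make the documented fallback (disabled behaves as permissive until reboot) explicit in the script. Since the fragment now selects a mode instead of disabling SELinux, renaming it from disable-selinux.sh would also stop the file name from misleading the next reader.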
@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_enabled',
'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap',
'selinux_mode',
'tiller_enabled',
'tiller_tag',
'tiller_namespace',
@ -851,6 +851,14 @@ parameters:
default:
false
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "permissive"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest:
type: string
description: >
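Review bot: the `allowed_values: ["enforcing", "permissive", "disabled"]` constraint is load-bearing, because this parameter is later substituted verbatim into the disable-selinux.sh boothook, so it must not be relaxed; the description `Choose SELinux mode` is terse for a parameter that changes host confinement, and could list the three values and note that `disabled` only fully applies after a reboot, matching the user guide text in this change.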
@ -1216,6 +1224,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@ -1385,6 +1394,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@ -604,6 +604,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -635,7 +640,6 @@ conditions:
- get_param: boot_volume_size
- 0
resources:
######################################################################
#
@ -678,7 +682,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig
@ -327,6 +327,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -376,7 +381,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
######################################################################
#
@ -35,6 +35,27 @@ storage:
group:
name: root
files:
- path: /etc/selinux/config
# 420 (decimal) == 644 (octal)
mode: 420
group:
name: root
user:
name: root
contents:
inline: |
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=__SELINUX_MODE__
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
overwrite: true
- path: /etc/containers/libpod.conf
# 420 (decimal) == 644 (octal)
mode: 420
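Review bot: `SELINUX=__SELINUX_MODE__` is substituted verbatim into a root-owned file with `overwrite: true`, which is acceptable only because the CoreOS kubecluster.yaml constrains the parameter to the three allowed values; `SELINUXTYPE=targeted` is hard-coded, so a comment saying the type is intentionally not a label would save a future question. The same content is also embedded percent-encoded in the generated user_data.json in this change, so both files must be edited together; a comment here naming the regeneration step would help prevent drift.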
@ -58,6 +79,7 @@ storage:
contents:
inline: |
__HOSTNAME__
overwrite: true
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
# 420 (decimal) == 644 (octal)
mode: 420
@ -853,6 +853,14 @@ parameters:
constraints:
- allowed_values: [true]
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "enforcing"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest:
type: string
description: >
@ -1219,6 +1227,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
kube_image_digest: {get_param: kube_image_digest}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
@ -1390,6 +1399,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@ -608,6 +608,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
kube_image_digest:
type: string
description: >
@ -691,6 +696,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig
@ -329,6 +329,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -381,6 +386,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
######################################################################
#
@ -46,6 +46,21 @@
}
],
"files": [
{
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/selinux/config",
"user": {
"name": "root"
},
"contents": {
"source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A",
"verification": {}
},
"mode": 420
},
{
"group": {
"name": "root"
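Review bot: the `data:` URL here is the percent-encoded rendering of the fcc `/etc/selinux/config` block elsewhere in this change, and `"verification": {}` is empty, which is expected for inline data but means nothing checks that the two stay in sync; a unit test that decodes this URL and compares it with the fcc source (or a documented regeneration command) would catch a future edit to one file that forgets the other, since the placeholder `__SELINUX_MODE__` must survive encoding for the str_replace in the CoreOS templates to take effect.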
@ -64,6 +79,7 @@
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/hostname",
"user": {
"name": "root"
@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
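Review bot: the test additions only assert that `selinux_mode` is copied from `mock_cluster.labels` into the expected template parameters; nothing exercises the behaviour the release note advertises, namely that the Atomic driver ends up permissive and the CoreOS driver enforcing when the label is absent, nor that a value outside the `allowed_values` list is rejected, so a case per driver with no label set and one with an invalid value would pin the defaults this change introduces.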
@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
@ -0,0 +1,5 @@
---
features:
- |
Add selinux_mode label. By default, selinux_mode=permissive with Fedora
Atomic driver and selinux_mode=enforcing with Fedora CoreOS.