Add selinux_mode label

Fedora Atomic default: permissive
Fedora CoreOS default: enforcing

Story: 2007413
Task: 39033

Change-Id: Ibc1e02098155ac95bb35fcea5f21cc380bdf0d03
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
Bharat Kunwar 2020-03-28 17:57:25 +00:00
parent b146c28820
commit fd80e1989f
13 changed files with 119 additions and 7 deletions


@ -448,6 +448,10 @@ the table are linked to more details elsewhere in the user guide.
| `use_podman`_ | - true | see below |
| | - false | |
+---------------------------------------+--------------------+---------------+
| `selinux_mode`_ | - enforcing | see below |
| | - permissive | |
| | - disabled | |
+---------------------------------------+--------------------+---------------+
| `container_runtime`_ | - "" | "" |
| | - containerd | |
+---------------------------------------+--------------------+---------------+
@ -1222,7 +1226,7 @@ _`kube_tag`
container tag for `Fedora Atomic
<https://hub.docker.com/r/openstackmagnum/kubernetes-apiserver/tags/>`_ or
`Fedora CoreOS and Fedora Atomic (with use_podman=true label)
<https://github.com/kubernetes/kubernetes/releases>_`. If unset, the current
<https://github.com/kubernetes/kubernetes/releases>`_. If unset, the current
Magnum version's default Kubernetes release is installed. `Take a look at
the Wiki for a compatibility matrix between Kubernetes and Magnum Releases
<https://wiki.openstack.org/wiki/Magnum#Compatibility_Matrix>`_.
@ -1507,6 +1511,20 @@ _`use_podman`
necessary since v1.16 dropped the --containerized flag in kubelet.
https://github.com/kubernetes/kubernetes/pull/80043/files
_`selinux_mode`
Choose `SELinux mode between enforcing, permissive and disabled
<http://man7.org/linux/man-pages/man5/selinux_config.5.html>`_. This label
is currently only relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 driver defaults to selinux_mode=permissive because this
was the only way atomic containers were able to start Kubernetes services. On
the other hand, if the opt-in use_podman=true label is supplied,
selinux_mode=enforcing is supported. Note that if selinux_mode=disabled is
chosen, this only takes full effect once the instances are manually rebooted
but they will be set to permissive mode in the meantime.
k8s_fedora_coreos_v1 driver defaults to selinux_mode=enforcing.
_`container_runtime`
The container runtime to use. Empty value means, use docker from the
host. Since ussuri, apart from empty (host-docker), containerd is also


@ -1,8 +1,7 @@
#cloud-boothook
#!/bin/sh
setenforce 0
setenforce `[[ "$SELINUX_MODE" == "enforcing" ]] && echo 1 || echo 0`
sed -i '
/^SELINUX=/ s/=.*/=permissive/
/^SELINUX=/ s/=.*/=$SELINUX_MODE/
' /etc/selinux/config
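Review bot: The new `setenforce` line uses `[[ … ]]`, a bash extension, under the `#!/bin/sh` shebang two lines above; on a strictly POSIX `/bin/sh` the `[[` command is not found, the `|| echo 0` branch runs, and the node silently comes up permissive even when `enforcing` was requested. The POSIX form keeps the requested mode on any shell: `setenforce "$([ "$SELINUX_MODE" = "enforcing" ] && echo 1 || echo 0)"`. Note also that `$SELINUX_MODE` is only meaningful once Heat `str_replace` has substituted it; if the fragment is ever included with plain `get_file` again, the unset shell variable leaves `SELINUX=` in `/etc/selinux/config`, so a fallback such as `: "${SELINUX_MODE:=permissive}"` at the top of the script would be a cheap guard. Finally, the file is still named `disable-selinux.sh` although it now selects a mode, which will mislead readers of the templates.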


@ -102,6 +102,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
'prometheus_adapter_enabled',
'prometheus_adapter_chart_tag',
'prometheus_adapter_configmap',
'selinux_mode',
'tiller_enabled',
'tiller_tag',
'tiller_namespace',


@ -851,6 +851,14 @@ parameters:
default:
false
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "permissive"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest:
type: string
description: >
@ -1216,6 +1224,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
@ -1385,6 +1394,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}
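Review bot: The `selinux_mode` parameter's description, `Choose SELinux mode`, does not carry the two operational facts the user-guide hunk in this commit documents, so an operator reading the template alone would not know them. Expanding it to `Choose SELinux mode (enforcing, permissive, disabled). On Fedora Atomic, enforcing is only supported with use_podman=true, and disabled takes full effect only after a reboot (permissive until then).` keeps the template self-describing. The same one-line description is used in the Fedora CoreOS kubecluster.yaml hunk, where only the allowed values need stating.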


@ -604,6 +604,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -635,7 +640,6 @@ conditions:
- get_param: boot_volume_size
- 0
resources:
######################################################################
#
@ -678,7 +682,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig
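Review bot: The nested `selinux_mode` parameter added under `parameters:` carries no `allowed_values` constraint, yet its value is spliced verbatim into a shell script by the `str_replace` block at the end of this section; validation currently lives only in the top-level kubecluster.yaml, so the fragment's safety depends on every parent template repeating it. Adding `constraints:` / `- allowed_values: ["enforcing", "permissive", "disabled"]` under the parameter makes the nested template reject anything else on its own. The same omission is in the kubeminion.yaml hunk below and in the two Fedora CoreOS kubemaster/kubeminion hunks that add `__SELINUX_MODE__: {get_param: selinux_mode}`.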


@ -327,6 +327,11 @@ parameters:
description: >
if true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -376,7 +381,10 @@ resources:
$HTTP_PROXY: {get_param: http_proxy}
$HTTPS_PROXY: {get_param: https_proxy}
$NO_PROXY: {get_param: no_proxy}
- get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/disable-selinux.sh}
params:
$SELINUX_MODE: {get_param: selinux_mode}
######################################################################
#


@ -35,6 +35,27 @@ storage:
group:
name: root
files:
- path: /etc/selinux/config
# 420 (decimal) == 644 (octal)
mode: 420
group:
name: root
user:
name: root
contents:
inline: |
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=__SELINUX_MODE__
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
overwrite: true
- path: /etc/containers/libpod.conf
# 420 (decimal) == 644 (octal)
mode: 420
@ -58,6 +79,7 @@ storage:
contents:
inline: |
__HOSTNAME__
overwrite: true
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
# 420 (decimal) == 644 (octal)
mode: 420
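Review bot: The new `/etc/selinux/config` entry gives no hint where `__SELINUX_MODE__` is filled in or that a matching entry exists in the JSON user data added later in this commit, which appears to be derived from this file. A comment above the `- path: /etc/selinux/config` line such as `# __SELINUX_MODE__ is substituted by the Heat str_replace in the kubemaster/kubeminion templates; keep in sync with user_data.json` would save the next editor from updating only one of the two. `SELINUXTYPE` is fixed to `targeted` here; if that is deliberate, stating it in the same comment avoids a future "why is this not a label" question.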


@ -853,6 +853,14 @@ parameters:
constraints:
- allowed_values: [true]
selinux_mode:
type: string
description: >
Choose SELinux mode
default: "enforcing"
constraints:
- allowed_values: ["enforcing", "permissive", "disabled"]
kube_image_digest:
type: string
description: >
@ -1219,6 +1227,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
kube_image_digest: {get_param: kube_image_digest}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
@ -1390,6 +1399,7 @@ resources:
ostree_remote: {get_param: ostree_remote}
ostree_commit: {get_param: ostree_commit}
use_podman: {get_param: use_podman}
selinux_mode: {get_param: selinux_mode}
container_runtime: {get_param: container_runtime}
containerd_version: {get_param: containerd_version}
containerd_tarball_url: {get_param: containerd_tarball_url}


@ -608,6 +608,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
kube_image_digest:
type: string
description: >
@ -691,6 +696,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
master_config:
type: OS::Heat::SoftwareConfig


@ -329,6 +329,11 @@ parameters:
description: >
If true, run system containers for kubernetes, etcd and heat-agent
selinux_mode:
type: string
description: >
Choose SELinux mode
container_runtime:
type: string
description: The container runtime to install
@ -381,6 +386,7 @@ resources:
__HTTP_PROXY__: {get_param: http_proxy}
__HTTPS_PROXY__: {get_param: https_proxy}
__NO_PROXY__: {get_param: no_proxy}
__SELINUX_MODE__: {get_param: selinux_mode}
######################################################################
#


@ -46,6 +46,21 @@
}
],
"files": [
{
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/selinux/config",
"user": {
"name": "root"
},
"contents": {
"source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A",
"verification": {}
},
"mode": 420
},
{
"group": {
"name": "root"
@ -64,6 +79,7 @@
"group": {
"name": "root"
},
"overwrite": true,
"path": "/etc/hostname",
"user": {
"name": "root"


@ -603,6 +603,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@ -713,6 +714,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,
@ -1104,6 +1106,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
ostree_remote = mock_cluster.labels.get('ostree_remote')
ostree_commit = mock_cluster.labels.get('ostree_commit')
use_podman = mock_cluster.labels.get('use_podman')
selinux_mode = mock_cluster.labels.get('selinux_mode')
container_runtime = mock_cluster.labels.get('container_runtime')
containerd_version = mock_cluster.labels.get('containerd_version')
containerd_tarball_url = mock_cluster.labels.get(
@ -1216,6 +1219,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
'ostree_remote': ostree_remote,
'ostree_commit': ostree_commit,
'use_podman': use_podman,
'selinux_mode': selinux_mode,
'kube_image_digest': kube_image_digest,
'container_runtime': container_runtime,
'containerd_version': containerd_version,


@ -0,0 +1,5 @@
---
features:
- |
Add selinux_mode label. By default, selinux_mode=permissive with Fedora
Atomic driver and selinux_mode=enforcing with Fedora CoreOS.