Most of the network plugins I've tested with Kubeadm have an issue running with SELinux confinement, which is one of the reasons why the upstream docs suggest putting SELinux into permissive mode. There are a couple of ways to avoid disabling this security feature on your host, however. I typically edit the yaml file that configures the network plugin to tell Kubernetes to run the plugin as type spc_t, which leaves its containers unconfined by SELinux.
For instance, here's a portion of the Flannel plugin yaml that I've edited:

```yaml
spec:
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      securityContext:
        seLinuxOptions:
          type: "spc_t"
      hostNetwork: true
```
The three lines beginning with `securityContext:` go in right before the `hostNetwork: true` line. This same trick should work in any of the network plugin yaml files.
I suggest that we work to get this change -- or a better confined approach -- into all of these plugins https://kubernetes.io/docs/concepts/cluster-administration/addons/ so that people can use them without running SELinux in permissive mode on their hosts.
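Since the same edit has to be repeated across every plugin manifest, here is an added example (my own, not code from the ticket, Flannel or Kubernetes) that applies the pod-level `securityContext.seLinuxOptions.type` setting programmatically and audits a manifest bundle for which workloads still rely on default SELinux confinement. It works on the JSON/dict form of a manifest, which `kubectl` accepts alongside YAML, so it runs offline without a YAML library; the DaemonSet and ConfigMap below are constructed samples shaped like the Flannel objects, not the real manifest, and the image name is a placeholder.

```python
"""Patch and audit Kubernetes manifests for a pod-level SELinux type.

Added example, not from the ticket. Operates on manifests already loaded
into dicts (e.g. via json.load on a JSON manifest, or yaml.safe_load if
PyYAML is available).
"""
import copy
import json

# Constructed sample, not the real Flannel manifest: a DaemonSet shaped like
# the one quoted in the ticket, before the securityContext lines are added.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "kube-flannel-ds", "namespace": "kube-system"},
    "spec": {
        "selector": {"matchLabels": {"app": "flannel"}},
        "template": {
            "metadata": {"labels": {"tier": "node", "app": "flannel"}},
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {"name": "kube-flannel", "image": "example/flannel:placeholder"}
                ],
            },
        },
    },
}

# Constructed sample with no pod spec; included to show the audit skips it.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "kube-flannel-cfg", "namespace": "kube-system"},
    "data": {},
}


def pod_spec(obj):
    """Return the pod spec of a Pod or of a template-based workload
    (DaemonSet, Deployment, ...), or None when obj carries no pod spec."""
    if obj.get("kind") == "Pod":
        return obj.get("spec")
    return obj.get("spec", {}).get("template", {}).get("spec")


def set_selinux_type(obj, selinux_type="spc_t"):
    """Return a deep copy of obj with the pod-level SELinux type set.
    Other securityContext keys already present are preserved."""
    patched = copy.deepcopy(obj)
    spec = pod_spec(patched)
    if spec is None:
        kind, name = obj.get("kind"), obj.get("metadata", {}).get("name")
        raise ValueError(f"{kind} {name} has no pod spec to patch")
    ctx = spec.setdefault("securityContext", {})
    ctx.setdefault("seLinuxOptions", {})["type"] = selinux_type
    return patched


def selinux_type_of(obj):
    """Explicit pod-level SELinux type, or None if none is set."""
    spec = pod_spec(obj)
    if spec is None:
        return None
    return spec.get("securityContext", {}).get("seLinuxOptions", {}).get("type")


def audit(objs):
    """Return (kind, name, type) for every workload in objs. 'default' means
    no explicit type: the runtime's default confinement applies, which is
    the case that breaks the network plugins on an enforcing host."""
    report = []
    for obj in objs:
        if pod_spec(obj) is None:
            continue
        name = obj.get("metadata", {}).get("name")
        report.append((obj["kind"], name, selinux_type_of(obj) or "default"))
    return report


if __name__ == "__main__":
    bundle = [SAMPLE_CONFIGMAP, SAMPLE_DAEMONSET]
    print("before:", audit(bundle))
    patched = [set_selinux_type(o) if pod_spec(o) else o for o in bundle]
    print("after: ", audit(patched))
    print(json.dumps(patched[1]["spec"]["template"]["spec"], indent=2))
```

Running the audit before and after patching shows the DaemonSet moving from `default` to `spc_t` while the ConfigMap is left alone; the audit is also the place to flag `spc_t` itself once a properly confined type for a given plugin exists, since `spc_t` leaves the containers unconfined.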