#3 patch upstream network plugins to work with SELinux
Opened 4 years ago by jasonbrooks. Modified 4 years ago

Most of the network plugins I've tested with Kubeadm have an issue running with SELinux confinement, which is one of the reasons why the upstream docs suggest putting SELinux into permissive mode. There are a couple of ways to avoid disabling this security feature on your host, however. I typically edit the yaml file that configures the network plugin to tell Kubernetes to run the plugin as type spc_t, which leaves its containers unconfined by SELinux.

For instance, here's a portion of the Flannel plugin yaml that I've edited:

spec:
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      securityContext:
        seLinuxOptions:
          type: "spc_t"
      hostNetwork: true

The three lines beginning with securityContext: go in right before the hostNetwork: true line. This same trick should work in any of the network plugin yaml files.

I suggest that we work to get this change -- or a better confined approach -- into all of these plugins https://kubernetes.io/docs/concepts/cluster-administration/addons/ so that people can use them without running SELInux in permissive mode on their hosts.


Login to comment on this ticket.

Metadata