
kubeadm: add logic to enforce SELinux for Cilium CNI in Flatcar >= 3745 #461

Merged
merged 5 commits into flatcar-master from tormath1/cilium-selinux
Oct 10, 2023

Conversation

tormath1
Contributor

@tormath1 tormath1 commented Oct 9, 2023

In this PR, we enforce SELinux for the Cilium CNI only on Flatcar >= 3745, while the SELinux update has not yet gone through all the channels, and we bring back the Cilium daemon set patch (305777e), applied only on systems where the SELinux update has not landed yet.

Testing done

  • QEMU alpha-3732.0.0: check that SELinux is in Permissive mode
  • QEMU alpha-3745.0.0: check that SELinux is in Enforce mode

Tested on OpenStack against current stable and current alpha:

$ kola -d -v --platform openstack --openstack-image flatcar-stable run kubeadm.v1.28.1.cilium.base
=== RUN   kubeadm.v1.28.1.cilium.base
2023-10-09T15:24:54Z kola/tests/kubeadm: creating etcd node
2023-10-09T15:25:44Z kola/tests/kubeadm: Setting SELinux to permissive mode
2023-10-09T15:25:44Z kola/tests/etcd: cluster healthy
...
    --- PASS: kubeadm.v1.28.1.cilium.base/node_readiness (21.52s)
    --- PASS: kubeadm.v1.28.1.cilium.base/nginx_deployment (12.27s)
    --- PASS: kubeadm.v1.28.1.cilium.base/IPSec_encryption (21.50s)
PASS, output in _kola_temp/openstack-2023-10-09-1724-101
$ kola -d -v --platform openstack --openstack-image flatcar-alpha run kubeadm.v1.28.1.cilium.base
=== RUN   kubeadm.v1.28.1.cilium.base
2023-10-09T15:30:42Z kola/tests/kubeadm: creating etcd node
2023-10-09T15:31:28Z kola/tests/etcd: cluster healthy
2023-10-09T15:31:28Z kola/tests/kubeadm: creating master node
...
    --- PASS: kubeadm.v1.28.1.cilium.base/node_readiness (21.88s)
    --- PASS: kubeadm.v1.28.1.cilium.base/nginx_deployment (12.54s)
    --- PASS: kubeadm.v1.28.1.cilium.base/IPSec_encryption (19.34s)
PASS, output in _kola_temp/openstack-2023-10-09-1740-106175
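The gating the PR describes has two parts: the SELinux mode is chosen from the Flatcar major version (permissive below 3745, enforcing from 3745 on), and the Cilium daemon set patch is applied only when the old `svirt_lxc_file_t` label is still present in `/etc/selinux/mcs/contexts/lxc_contexts`. The following Go snippet is an added illustration of that logic, not code from this PR or from kola: the function names are hypothetical, the version-string formats are assumed from the image names used in the test runs above, and the `lxc_contexts` sample lines are constructed. The patch body is built with `encoding/json` from the container names in the diff rather than from a string literal.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// selinuxEnforceMinVersion is the Flatcar major version from which the PR
// enforces SELinux for the Cilium test (from the PR title).
const selinuxEnforceMinVersion = 3745

// oldLxcLabel is the label whose presence in lxc_contexts marks an image
// that has not received the SELinux update yet (from the diff).
const oldLxcLabel = "svirt_lxc_file_t"

// flatcarMajor extracts the numeric major version from an image name such as
// "alpha-3745.0.0" or a bare "3732.0.0" (formats assumed from the kola runs).
func flatcarMajor(version string) (int, error) {
	v := version
	if i := strings.LastIndex(v, "-"); i >= 0 {
		v = v[i+1:]
	}
	major := strings.SplitN(v, ".", 2)[0]
	n, err := strconv.Atoi(major)
	if err != nil {
		return 0, fmt.Errorf("cannot parse Flatcar version %q: %w", version, err)
	}
	return n, nil
}

// SELinuxMode returns "enforcing" for Flatcar >= 3745 and "permissive" otherwise.
func SELinuxMode(version string) (string, error) {
	major, err := flatcarMajor(version)
	if err != nil {
		return "", err
	}
	if major >= selinuxEnforceMinVersion {
		return "enforcing", nil
	}
	return "permissive", nil
}

// NeedsCiliumPatch mirrors the `grep -q svirt_lxc_file_t` test in the template:
// the daemon set is patched only while the old label is still shipped.
func NeedsCiliumPatch(lxcContexts string) bool {
	return strings.Contains(lxcContexts, oldLxcLabel)
}

// Minimal types for the strategic-merge patch sent to daemonset/cilium.
type seLinuxOptions struct {
	Level string `json:"level"`
	Type  string `json:"type"`
}
type securityContext struct {
	SELinuxOptions seLinuxOptions `json:"seLinuxOptions"`
}
type container struct {
	Name            string          `json:"name"`
	SecurityContext securityContext `json:"securityContext"`
}
type podSpec struct {
	Containers     []container `json:"containers"`
	InitContainers []container `json:"initContainers"`
}

// CiliumPatch builds the same patch as the template line: every Cilium
// container and init container gets the unconfined_t type at level s0.
func CiliumPatch() ([]byte, error) {
	unconfined := securityContext{seLinuxOptions{Level: "s0", Type: "unconfined_t"}}
	spec := podSpec{
		Containers: []container{{"cilium-agent", unconfined}},
		InitContainers: []container{
			{"mount-cgroup", unconfined},
			{"apply-sysctl-overwrites", unconfined},
			{"clean-cilium-state", unconfined},
		},
	}
	patch := map[string]interface{}{
		"spec": map[string]interface{}{
			"template": map[string]interface{}{"spec": spec},
		},
	}
	return json.Marshal(patch)
}

func main() {
	// Constructed sample of an lxc_contexts file still carrying the old label.
	oldContexts := "process = \"system_u:system_r:svirt_lxc_net_t:s0\"\nfile = \"system_u:object_r:svirt_lxc_file_t:s0\"\n"
	for _, img := range []string{"alpha-3732.0.0", "alpha-3745.0.0"} {
		mode, _ := SELinuxMode(img)
		fmt.Printf("%s: SELinux %s\n", img, mode)
	}
	if NeedsCiliumPatch(oldContexts) {
		p, _ := CiliumPatch()
		fmt.Printf("old label present, patch: %s\n", p)
	}
}
```

Running it prints the mode chosen for each image and, for the constructed old-label file, the JSON patch that the `kubectl patch` call in the template would send.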

@tormath1 tormath1 self-assigned this Oct 9, 2023
@tormath1 tormath1 marked this pull request as ready for review October 9, 2023 16:01
@tormath1 tormath1 requested a review from a team October 9, 2023 16:06
kola/tests/kubeadm/kubeadm.go (review thread, outdated)
kola/tests/kubeadm/templates.go (review thread, outdated)
@@ -91,6 +91,7 @@ EOF
--config enable-endpoint-routes=true \
--config cluster-pool-ipv4-cidr=192.168.0.0/17 \
--version=v0.11.1 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
grep -q svirt_lxc_file_t /etc/selinux/mcs/contexts/lxc_contexts && kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'
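Review bot: the added `grep -q svirt_lxc_file_t ... && kubectl ... patch daemonset/cilium` line gives `cilium-agent` and the three init containers the `unconfined_t` type, which removes SELinux confinement for them on hosts that still ship the old label; since the commit message calls this a stop-gap until `spc_t` is supported, a shell comment on this line stating that and the condition for dropping it would keep the intent visible in the template itself. Minor points: `grep -qs` would also silence the "No such file" message if `/etc/selinux/mcs/contexts/lxc_contexts` is absent on an image, and moving the JSON into a variable (or a heredoc) would make this very long line reviewable.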
Member


Same here.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Adding this method allows access to the runtime configuration in a test
to get/set values based on some conditions.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This is required even with Permissive mode. Can be dropped once `spc_t`
is supported on Flatcar.

Picked-From: e8e9751
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
container_t brings 'spc_t' too which is required by Cilium. We patch the
daemon-set only when the old label ('svirt_lxc_file_t') is detected.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 merged commit 96843d2 into flatcar-master Oct 10, 2023
2 checks passed
@tormath1 tormath1 deleted the tormath1/cilium-selinux branch October 10, 2023 08:31