Flannel >= 0.17.0 is crashing with enforced SELinux #779

Open
tormath1 opened this issue Jun 16, 2022 · 3 comments
Labels
area/selinux Issues related to SELinux kind/bug Something isn't working

Comments

@tormath1
Contributor

Description

While integrating kubernetes-1.24.1, we bumped the tested flannel version from 0.16.3 to 0.18.1 - we noticed that the kube-flannel daemon set is unable to start because of a missing SELinux rule:

Jun 10 14:47:54 localhost kernel: audit: type=1400 audit(1654872474.130:1604): avc:  denied  { read } for  pid=6286 comm="iptables" name="xtables.lock" dev="tmpfs" ino=1366 scontext=system_u:system_r:svirt_lxc_net_t:s0:c336,c891 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=0

The issue has always been there but silently ignored until this commit: flannel-io/flannel@9dfcc87#diff-27988e531dd370eec963c5e4e9be79bb158baa292798a2f59a13a031e1ab8f6aR196

Impact

Unable to run Kubernetes with the flannel CNI in an enforced SELinux environment

Environment and steps to reproduce

  1. Can be reproduced with Kubeadm test: kubeadm.v1.23.4.flannel.base

Additional information

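As an added example (not part of this issue, and not code from the flannel or Flatcar projects), here is a small Python parser for AVC denial lines like the one quoted above. It pulls out the source and target SELinux types, the object class and the requested permission, keeps only denials that actually blocked the operation (permissive=0), and renders the allow rule in the same shape audit2allow would print for that denial. The first sample line is the denial from this issue; the second is a constructed permissive=1 line, added only to show the filter at work.

```python
import re
from dataclasses import dataclass

# Constructed sample input: line 1 is the AVC denial quoted in the issue,
# line 2 is a made-up permissive=1 line (not from the page) to exercise the filter.
SAMPLE_LINES = [
    'Jun 10 14:47:54 localhost kernel: audit: type=1400 audit(1654872474.130:1604): '
    'avc:  denied  { read } for  pid=6286 comm="iptables" name="xtables.lock" dev="tmpfs" '
    'ino=1366 scontext=system_u:system_r:svirt_lxc_net_t:s0:c336,c891 '
    'tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=0',
    'Jun 10 14:48:01 localhost kernel: audit: type=1400 audit(1654872481.000:1605): '
    'avc:  denied  { write } for  pid=6290 comm="iptables" name="xtables.lock" dev="tmpfs" '
    'ino=1366 scontext=system_u:system_r:svirt_lxc_net_t:s0:c336,c891 '
    'tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1',
]

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    result: str          # "denied" or "granted"
    perms: tuple         # requested permissions, e.g. ("read",)
    comm: str            # process name
    name: str            # object name (file name for tclass=file)
    source_type: str     # type field of scontext
    target_type: str     # type field of tcontext
    tclass: str          # object class, e.g. "file"
    permissive: bool     # True if the domain was permissive (operation not blocked)


def parse_avc(line):
    """Parse one kernel audit line; return an AvcRecord, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A SELinux context is user:role:type[:range]; the type is the third field.
    source_type = fields['scontext'].split(':')[2]
    target_type = fields['tcontext'].split(':')[2]
    return AvcRecord(
        result=m.group('result'),
        perms=tuple(m.group('perms').split()),
        comm=fields.get('comm', ''),
        name=fields.get('name', ''),
        source_type=source_type,
        target_type=target_type,
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def enforcing_denials(lines):
    """Keep only AVC records that really blocked an operation (denied with permissive=0)."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    return [r for r in records if r.result == 'denied' and not r.permissive]


def suggested_allow_rule(record):
    """Render the allow rule that would satisfy this denial, in the form audit2allow prints."""
    perms = record.perms[0] if len(record.perms) == 1 else '{ ' + ' '.join(record.perms) + ' }'
    return f'allow {record.source_type} {record.target_type}:{record.tclass} {perms};'


if __name__ == '__main__':
    for rec in enforcing_denials(SAMPLE_LINES):
        print(f'{rec.comm} could not {" ".join(rec.perms)} {rec.name}: {suggested_allow_rule(rec)}')
```

For the denial in this issue the rendered rule is `allow svirt_lxc_net_t iptables_runtime_t:file read;`. The rule string is a diagnostic, not something to load blindly: it tells you which domain is missing which access, and whether the gap belongs in a distribution policy module (as the thread later settles on with the selinux-container policy) or needs a different labelling of the object.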
@tormath1 tormath1 added kind/bug Something isn't working area/selinux Issues related to SELinux labels Jun 16, 2022
tormath1 added a commit to flatcar/mantle that referenced this issue Jun 16, 2022
Can be reverted once:
flatcar/Flatcar#779 done

Signed-off-by: Mathieu Tortuyaux <[email protected]>
tormath1 added a commit to flatcar/mantle that referenced this issue Jun 23, 2022
Can be reverted once:
flatcar/Flatcar#779 done

Signed-off-by: Mathieu Tortuyaux <[email protected]>
@pothos pothos moved this from No Status to Upcoming / Backlog in Flatcar tactical, release planning, and roadmap May 22, 2023
@krishjainx

@tormath1 Perhaps I misunderstand, but what more work has to be done here? Doesn't the successful incorporation of sec-policy/selinux-container solve this? Thanks!

@krishjainx

If this is the case, the docs should be updated to reflect the fix

@tormath1
Contributor Author

tormath1 commented Jun 2, 2023

@krishjainx thanks for the heads-up. Pulling the selinux-container policy should be enough, but it takes an upgrade of other Flatcar policies too (which is done here: flatcar-archive/coreos-overlay#1993). We could try to split the work and first upgrade the policies, then afterwards try to relabel the system. :)
