Fix issue with SELinux and akri (#126)

* Fix issue with SELinux and akri Make the agent container privileged, so that SELinux doesn't prevent it from working. For the context, SELinux denies access to the containerd socket for non-privileged containers. This policy is sensible and one may argue that giving access to that socket is already akin to making the container privileged. Signed-off-by: Nicolas Belouin <[email protected]> * Make charts Signed-off-by: Nicolas Belouin <[email protected]> * Fix default value of security context for agent Signed-off-by: Nicolas Belouin <[email protected]> * Make charts Signed-off-by: Nicolas Belouin <[email protected]> --------- Signed-off-by: Nicolas Belouin <[email protected]>
suse-edge · Apr 25, 2024 · 2cd22cd · 2cd22cd
1 parent 5ed2fad
commit 2cd22cd
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 13 deletions.
diff --git a/assets/akri/akri-0.12.20.tgz b/assets/akri/akri-0.12.20.tgz
diff --git a/charts/akri/0.12.20/templates/agent.yaml b/charts/akri/0.12.20/templates/agent.yaml
@@ -53,6 +53,9 @@ spec:
         {{- if .Values.agent.securityContext }}
         securityContext:
         {{- toYaml .Values.agent.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          privileged: true
         {{- end}}
         env:
           {{- if .Values.agent.allowDebugEcho }}

diff --git a/charts/akri/0.12.20/values.yaml b/charts/akri/0.12.20/values.yaml
@@ -94,9 +94,7 @@ agent:
     # pullPolicy is the Akri Agent pull policy
     pullPolicy: ""
   securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop: ["ALL"]
+    privileged: true
   host:
     # discoveryHandlers is the location of Akri Discovery Handler sockets and
     # the agent registration service

diff --git a/index.yaml b/index.yaml
@@ -5,9 +5,9 @@ entries:
       catalog.cattle.io/display-name: Akri
     apiVersion: v2
     appVersion: 0.12.20
-    created: "2024-04-24T10:18:46.368590141+02:00"
+    created: "2024-04-25T15:27:44.833499556+02:00"
     description: A Helm chart for Akri
-    digest: f1f6760018f4171ce14432486105b84cd6389d878cb98ebd36283a7abc2493b7
+    digest: 268a15da8e39d827d73dfc2bc3c843074ed6209c447636f5847dce8cfde3d7b2
     icon: https://raw.githubusercontent.com/project-akri/akri-docs/main/art/icon/akri-icon-light.svg
     name: akri
     type: application

diff --git a/packages/akri/generated-changes/patch/templates/agent.yaml.patch b/packages/akri/generated-changes/patch/templates/agent.yaml.patch
@@ -21,7 +21,17 @@
          {{- if .Values.useDevelopmentContainers }}
          {{- if .Values.useLatestContainers }}
          image: {{ printf "%s:%s" $repository (default "latest-dev" .Values.agent.image.tag) | quote }}
-@@ -68,7 +63,7 @@
+@@ -58,6 +53,9 @@
+         {{- if .Values.agent.securityContext }}
+         securityContext:
+         {{- toYaml .Values.agent.securityContext | nindent 10 }}
++        {{- else }}
++        securityContext:
++          privileged: true
+         {{- end}}
+         env:
+           {{- if .Values.agent.allowDebugEcho }}
+@@ -68,7 +66,7 @@
              value: {{ .Values.debugEcho.configuration.shared | quote }}
            {{- end }}
            - name: HOST_CRICTL_PATH
@@ -30,7 +40,7 @@
            - name: HOST_RUNTIME_ENDPOINT
              value: unix:///host/run/containerd/containerd.sock
            - name: HOST_IMAGE_ENDPOINT
-@@ -128,4 +123,4 @@
+@@ -128,4 +126,4 @@
          hostPath:
            path: "{{ .Values.agent.host.udev }}"
        {{- end }}

diff --git a/packages/akri/generated-changes/patch/values.yaml.patch b/packages/akri/generated-changes/patch/values.yaml.patch
@@ -33,7 +33,18 @@
      # tag is the Akri Agent container tag
      # agent.yaml will default to v(AppVersion)[-dev]
      # with `-dev` added if `useDevelopmentContainers` is specified
-@@ -234,6 +230,8 @@
+@@ -98,9 +94,7 @@
+     # pullPolicy is the Akri Agent pull policy
+     pullPolicy: ""
+   securityContext:
+-    allowPrivilegeEscalation: false
+-    capabilities:
+-      drop: ["ALL"]
++    privileged: true
+   host:
+     # discoveryHandlers is the location of Akri Discovery Handler sockets and
+     # the agent registration service
+@@ -234,6 +228,8 @@
        protocol: TCP
    # discovery defines a set of values for a custom discovery handler DaemonSet
    discovery: 
@@ -42,7 +53,7 @@
      # enabled defines whether discovery handler pods will be deployed in a slim Agent scenario
      enabled: false
      # name is the Kubernetes resource name that will be created for this
-@@ -378,7 +376,7 @@
+@@ -378,7 +374,7 @@
      enabled: false
      image:
        # repository is the container reference
@@ -51,7 +62,7 @@
        # tag is the container tag
        # debug-echo-configuration.yaml will default to v(AppVersion)[-dev]
        # with `-dev` added if `useDevelopmentContainers` is specified
-@@ -528,7 +526,7 @@
+@@ -528,7 +524,7 @@
      enabled: false
      image:
        # repository is the container reference
@@ -60,7 +71,7 @@
        # tag is the container tag
        # onvif-configuration.yaml will default to v(AppVersion)[-dev]
        # with `-dev` added if `useDevelopmentContainers` is specified
-@@ -671,7 +669,7 @@
+@@ -671,7 +667,7 @@
      enabled: false
      image:
        # repository is the container reference
@@ -69,7 +80,7 @@
        # tag is the container tag
        # opcua-configuration.yaml will default to v(AppVersion)[-dev]
        # with `-dev` added if `useDevelopmentContainers` is specified
-@@ -807,7 +805,7 @@
+@@ -807,7 +803,7 @@
      enabled: false
      image:
        # repository is the container reference
@@ -78,7 +89,7 @@
        # tag is the container tag
        # udev-configuration.yaml will default to v(AppVersion)[-dev]
        # with `-dev` added if `useDevelopmentContainers` is specified
-@@ -848,7 +846,7 @@
+@@ -848,7 +844,7 @@
    caBundle: null
    image:
      # repository is the Akri Webhook for Configurations image reference