Website: You shouldn't disable SELinux

Created on 22 May 2019  ·  14 Comments  ·  Source: kubernetes/website

This is a Feature Request


What would you like to be added

current state

The docs tell the admin to disable SELinux / set it into permissive mode.

E.g. this example from the kubeadm installation.

# Set SELinux in permissive mode (effectively disabling it)
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

what I would like to see

I'm not an SELinux expert, but I noticed that the OpenShift installer just enables container_manage_cgroup and that's it.

https://github.com/openshift/openshift-ansible/blob/f80916276cbe932c8155c2ac084b68dc7225cb44/roles/openshift_node/tasks/config.yml#L18-L22

Why is this needed

I think that's a much better approach to security than the current state.

Labels: help wanted · language/en · priority/backlog · sig/cluster-lifecycle
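The issue contrasts two node-preparation approaches: the documented `setenforce 0` plus `sed` edit of `/etc/selinux/config`, and leaving SELinux enforcing with only the `container_manage_cgroup` boolean switched on. The script below is an added example (it is not from the kubernetes/website issue, the kubeadm docs or the OpenShift installer) of a pre-flight check that reports the host's SELinux state and the boolean instead of disabling SELinux, and that summarises AVC denials from `audit.log` so an admin can see what a permissive trial run actually hit before switching to enforcing. It assumes the standard output formats of `getenforce`, `getsebool` and `/etc/selinux/config`, and the usual `type=AVC ... avc:  denied  { perm } ... scontext= tcontext= tclass=` audit record layout; all sample inputs are constructed for the example. The function names (`selinux_config_mode`, `sebool_state`, `avc_summary`, `selinux_preflight`) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the kubernetes/website issue or the kubeadm docs.
# Checks the SELinux state on a kubeadm node instead of disabling it.
# The checking functions take their input as strings, so the logic can be
# exercised offline; pass --live to run against the real host.

# Constructed sample of /etc/selinux/config (standard layout assumed).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed sample audit.log excerpt: two identical denials of a container
# process writing to a cgroup file, one unrelated SYSCALL record, one other
# denial. permissive=1 marks records gathered during a permissive trial run.
SAMPLE_AUDIT='type=AVC msg=audit(1558512000.101:201): avc:  denied  { write } for  pid=2101 comm="kube-proxy" name="cgroup.procs" dev="cgroup" ino=41 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558512000.102:202): avc:  denied  { write } for  pid=2101 comm="kube-proxy" name="cgroup.procs" dev="cgroup" ino=41 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1558512000.102:202): arch=c000003e syscall=1 success=yes exit=0
type=AVC msg=audit(1558512000.103:203): avc:  denied  { read } for  pid=2150 comm="runc" name="config.json" dev="dm-0" ino=99 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1'

# Persistent mode from /etc/selinux/config text ($1).
# Prints enforcing, permissive, disabled or unknown. The anchored ^SELINUX=
# pattern skips comments and the SELINUXTYPE= line.
selinux_config_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Boolean state from "getsebool <name>" output ($1), e.g.
# "container_manage_cgroup --> off". Prints nothing if the boolean is unknown.
sebool_state() {
    printf '%s\n' "$1" | awk '$2 == "-->" { print $3; exit }'
}

# Unique AVC denials from audit log text ($1), one line each:
# "<count> <comm> <scontext> <tcontext> <tclass> {<perms>}", sorted.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            comm = ""; sc = ""; tc = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) sc  = substr($i, 10)
                if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
            n[comm " " sc " " tc " " cls " {" perms "}"]++
        }
        END { for (k in n) print n[k], k }' | sort
}

# Decide what to tell the admin. $1: config text, $2: getenforce output,
# $3: getsebool output. Returns 0 when SELinux can stay on as configured,
# 1 when the boolean still needs enabling, 2 when SELinux is already off.
selinux_preflight() {
    cfg=$(selinux_config_mode "$1")
    bool=$(sebool_state "$3")
    if [ "$2" = "Disabled" ]; then
        printf 'SELinux is disabled on this host (config: %s); nothing to check\n' "$cfg"
        return 2
    fi
    if [ "$bool" != "on" ]; then
        printf 'container_manage_cgroup is %s; enable it persistently: setsebool -P container_manage_cgroup 1\n' "${bool:-missing}"
        return 1
    fi
    # The boolean alone is not guaranteed to be enough (see the discussion in
    # this issue), so the advice is to keep SELinux on and review the denials.
    printf 'SELinux %s (config: %s), container_manage_cgroup on; keep it enabled and review AVC denials below\n' "$2" "$cfg"
    return 0
}

# Live mode: run against the real host when the SELinux tools are present.
if [ "${1:-}" = "--live" ] && command -v getenforce >/dev/null 2>&1; then
    selinux_preflight "$(cat /etc/selinux/config 2>/dev/null)" "$(getenforce)" \
        "$(getsebool container_manage_cgroup 2>/dev/null)"
    if [ -r /var/log/audit/audit.log ]; then
        avc_summary "$(cat /var/log/audit/audit.log)"
    fi
fi
```

Run it as `sh selinux-preflight.sh --live` on a node with the SELinux userland installed; without `--live` it only defines the functions and the constructed samples. The AVC summary collapses repeated denials into one line per (process, source context, target context, class, permissions) tuple, which is the granularity at which a policy adjustment or boolean is decided, so an admin can judge whether `container_manage_cgroup` covers what was observed or whether kubeadm's caveat about unsupported settings applies.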

All 14 comments

Looks like the bit that needs fixing is https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl - the tab for “CentOS, RHEL, or Fedora”

Currently there's an aside:

Setting SELinux in permissive mode by running setenforce 0 and sed ... effectively disables it. This is required to allow containers to access the host filesystem, which is needed by pod networks for example. You have to do this until SELinux support is improved in the kubelet.

Maybe that's true. I haven't yet looked for an issue against kubelet that would track that.

@rmetzler
a PR with a better solution is welcome but until then this is the only reliable solution that we know of.
original PR (has linked bug reports):
https://github.com/kubernetes/website/pull/10150

file that has to be changed:
https://github.com/kubernetes/website/blob/master/content/en/docs/setup/independent/install-kubeadm.md

/sig cluster-lifecycle
/help

cc @rosti

@neolit123:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/language en

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

This presents a big problem for STIG compliance.

/remove-lifecycle stale

/priority backlog

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Needed for hardening server profiles.

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Anyone tried running kubernetes by enabling seboolean container_manage_cgroup yet with good results?
What's preventing the documentation from being updated to just enable this selinux boolean rather than disabling selinux altogether?

/remove-lifecycle stale

@jfcgaspar I don't think container_manage_cgroup is sufficient.
see https://github.com/kubernetes/kubeadm/issues/279

security contexts on Linux are a mess and I don't think we have the capacity to handle all that in the kubeadm docs.

instead of saying:

Set SELinux in permissive mode (effectively disabling it)

we can add a note for users that know what they are doing to not disable it but to be aware that it might require a set of changes that kubeadm does not provide support for.

PRs for such a clarification are welcome.

given this note here merged https://github.com/kubernetes/website/pull/20503/files

You can leave SELinux enabled if you know how to configure it but it may require settings that are not supported by kubeadm.

I'm going to go ahead and close this ticket.

thanks
/close

@neolit123: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
