Allow kubelet_t to create a sock file kubelet_var_lib_t #329
We were not able to find or create Copr project
Unless the HTTP status code above is >= 500, please check your configuration for:
|
@lsm5 Any idea what is blowing up with rpm-builds? |
Ephemeral COPR build failed. @containers/packit-build please check. |
Tests failed. @containers/packit-build please check. |
@rhatdan After testing it locally on my nodes I got the following error under the pods:
The pods are running with the
|
My bad, the pod was supposed to be running as But as I said in my previous comment, maybe I'm testing it wrong because I didn't manage to build the package and fully load it on my system. |
@Tal-or would you be able to install the package built in the CI copr jobs. See https://copr.fedorainfracloud.org/coprs/packit/containers-container-selinux-329/build/8024924/ |
Thank you @lsm5, are those builds compatible with RHCOS? |
Thank you @lsm5 I managed to install the package, using: https://download.copr.fedorainfracloud.org/results/packit/containers-container-selinux-329/epel-9-x86_64/08024926-container-selinux/ @rhatdan We're still having an issue with transitioning the socket from
If I'm running These are the rules I extracted from the
|
Can you remove the kubelet.sock and restart the service to see if it gets created with the wrong label? |
It does get created with the wrong label. I checked that. |
|
I think I found a way:
with
this transition works and kubelet.sock will inherit |
We want to allow container_device_plugin_t to communicate with kubelet_t over a kubelet_var_lib_t socket. Signed-off-by: Daniel J Walsh <[email protected]>
@rhatdan I tested and verified locally on my system and it works as expected. |
needed due to: containers/container-selinux#329 Signed-off-by: Talor Itzhak <[email protected]>
podresources API context has changed to kubelet_var_lib_t: containers/container-selinux#329 Adjust the custom policy to allow access to this new file context. Signed-off-by: Talor Itzhak <[email protected]>