
Merge pull request #276 from k8stopologyawareschedwg/selinux-cleanups…
…-0.17

 [release-0.17] selinux cleanups
ffromani authored Feb 8, 2024
2 parents 487988a + 6143991 commit 466fedb
Showing 3 changed files with 22 additions and 2 deletions.
1 change: 0 additions & 1 deletion pkg/assets/selinux/policy/ocp_v4.14.cil
Expand Up @@ -20,6 +20,5 @@
;
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process container_var_lib_t (unix_stream_socket (connectto)))
(allow process kubelet_t (unix_stream_socket (connectto)))
)
1 change: 0 additions & 1 deletion pkg/assets/selinux/policy/ocp_v4.15.cil
Expand Up @@ -20,6 +20,5 @@
;
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process container_var_lib_t (unix_stream_socket (connectto)))
(allow process kubelet_t (unix_stream_socket (connectto)))
)
22 changes: 22 additions & 0 deletions pkg/commands/render.go
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/spf13/cobra"
"sigs.k8s.io/controller-runtime/pkg/client"

selinuxassets "github.com/k8stopologyawareschedwg/deployer/pkg/assets/selinux"
"github.com/k8stopologyawareschedwg/deployer/pkg/deploy"
"github.com/k8stopologyawareschedwg/deployer/pkg/deployer"
"github.com/k8stopologyawareschedwg/deployer/pkg/deployer/platform"
Expand Down Expand Up @@ -50,6 +51,7 @@ func NewRenderCommand(env *deployer.Environment, commonOpts *deploy.Options) *co
render.AddCommand(NewRenderAPICommand(env, commonOpts, opts))
render.AddCommand(NewRenderSchedulerPluginCommand(env, commonOpts, opts))
render.AddCommand(NewRenderTopologyUpdaterCommand(env, commonOpts, opts))
render.AddCommand(NewRenderPolicyCommand(env, commonOpts, opts))
return render
}

Expand Down Expand Up @@ -191,3 +193,23 @@ func RenderManifests(env *deployer.Environment, commonOpts *deploy.Options) erro

return manifests.RenderObjects(objs, os.Stdout)
}

func NewRenderPolicyCommand(env *deployer.Environment, commonOpts *deploy.Options, opts *RenderOptions) *cobra.Command {
render := &cobra.Command{
Use: "policy",
Short: "render the SELinux policy needed for topology-aware-scheduling",
RunE: func(cmd *cobra.Command, args []string) error {
if commonOpts.UserPlatform != platform.OpenShift {
return fmt.Errorf("must explicitly select the OpenShift platform")
}
selinuxPolicy, err := selinuxassets.GetPolicy(commonOpts.UserPlatformVersion)
if err != nil {
return err
}
_, err = os.Stdout.Write(selinuxPolicy)
return err
},
Args: cobra.NoArgs,
}
return render
}
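Review bot: The error from selinuxassets.GetPolicy is returned bare at `return err`, so an operator running `render policy` sees only the assets package's message and not which platform version was asked for; wrapping it as `return fmt.Errorf("loading SELinux policy for platform version %v: %w", commonOpts.UserPlatformVersion, err)` names the input while keeping the original error reachable through errors.Is/As. The platform check just above builds a constant message with fmt.Errorf and no verbs; `errors.New("must explicitly select the OpenShift platform")` is the conventional form, provided the errors package is already imported (the import block is only partly visible in the first hunk). NewRenderPolicyCommand is exported but carries no doc comment; I would add `// NewRenderPolicyCommand returns the "policy" subcommand, which writes the SELinux policy for the selected OpenShift platform version to standard output.` above the signature.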
