selinuxpolicy: updates to enable support for OCP 4.11+/K8s 1.24+

In container-selinux versions v2.186.0, v2.187.0 and v2.188.0, due to the updates here: containers/container-selinux@cf704e4 selinuxpolicy updates are required (updating `container_runtime_t` to `kubelet_t`). This is consumed in OCP 4.11 and K8s 1.24 and we need to make sure that the selinuxpolicy is appropriately updated. In addition to that, we need to continue supporting the older selinuxpolicy supplied in older versions (e.g. 4.10) and that is the reason this patch is proposing an additional selinuxpolicy and not completely replacing the original one. Signed-off-by: Swati Sehgal <[email protected]>
k8stopologyawareschedwg · Jul 13, 2022 · 55fb124 · 55fb124
1 parent eb5c3f2
commit 55fb124
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 24 deletions.
diff --git a/pkg/assets/rte/assets.go b/pkg/assets/rte/assets.go
@@ -2,16 +2,29 @@ package rte
 
 import (
 	_ "embed"
+
+	"github.com/k8stopologyawareschedwg/deployer/pkg/deployer/platform"
 )
 
 //go:embed selinuxinstall.service.template
 var SELinuxInstallSystemdServiceTemplate []byte
 
-//go:embed selinuxpolicy.cil
-var SELinuxPolicy []byte
+//go:embed selinuxpolicy-ocp410.cil
+var SELinuxPolicyOCP410 []byte
+
+//go:embed selinuxpolicy-ocp411.cil
+var SELinuxPolicyOCP411 []byte
 
 //go:embed hookconfigrtenotifier.json.template
 var HookConfigRTENotifier []byte
 
 //go:embed rte-notifier.sh
 var NotifierScript []byte
+
+func GetSELinuxPolicy(ver platform.Version) []byte {
+	// error should never happen: we control the input here
+	if ok, _ := ver.AtLeastString("4.11"); ok {
+		return SELinuxPolicyOCP411
+	}
+	return SELinuxPolicyOCP410
+}
diff --git a/pkg/assets/rte/selinuxpolicy.cil → pkg/assets/rte/selinuxpolicy-ocp410.cil b/pkg/assets/rte/selinuxpolicy.cil → pkg/assets/rte/selinuxpolicy-ocp410.cil
diff --git a/pkg/assets/rte/selinuxpolicy-ocp411.cil b/pkg/assets/rte/selinuxpolicy-ocp411.cil
@@ -0,0 +1,21 @@
+(block rte
+	(type process)
+	(roletype system_r process)
+	(typeattributeset domain (process))
+	;
+	; Giving rte.process the same attributes as container_t
+	(typeattributeset container_domain (process))
+	(typeattributeset container_net_domain (process))
+	(typeattributeset svirt_sandbox_domain (process))
+	(typeattributeset sandbox_net_domain (process))
+
+	;
+	; Allow to RTE pod access to /run/rte directory
+	(allow process container_var_run_t (dir (add_name write)))
+	(allow process container_var_run_t (file (create read write open)))
+
+	;
+	; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
+	(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+	(allow process kubelet_t (unix_stream_socket (connectto)))
+)
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -429,7 +429,7 @@ func DaemonSet(component, subComponent string, plat platform.Platform, namespace
 	return ds, nil
 }
 
-func MachineConfig(component string) (*machineconfigv1.MachineConfig, error) {
+func MachineConfig(component string, ver platform.Version) (*machineconfigv1.MachineConfig, error) {
 	if component != ComponentResourceTopologyExporter {
 		return nil, fmt.Errorf("component %q is not an %q component", component, ComponentResourceTopologyExporter)
 	}
@@ -444,7 +444,7 @@ func MachineConfig(component string) (*machineconfigv1.MachineConfig, error) {
 		return nil, fmt.Errorf("unexpected type, got %t", obj)
 	}
 
-	ignitionConfig, err := getIgnitionConfig()
+	ignitionConfig, err := getIgnitionConfig(ver)
 	if err != nil {
 		return nil, err
 	}
@@ -453,11 +453,10 @@ func MachineConfig(component string) (*machineconfigv1.MachineConfig, error) {
 	return mc, nil
 }
 
-func getIgnitionConfig() ([]byte, error) {
+func getIgnitionConfig(ver platform.Version) ([]byte, error) {
 	var files []igntypes.File
 
-	// load SELinux policy
-	files = addFileToIgnitionConfig(files, rteassets.SELinuxPolicy, 0644, seLinuxRTEPolicyDst)
+	files = addFileToIgnitionConfig(files, rteassets.GetSELinuxPolicy(ver), 0644, seLinuxRTEPolicyDst)
 
 	// load RTE notifier OCI hook config
 	notifierHookConfigContent, err := getTemplateContent(rteassets.HookConfigRTENotifier, map[string]string{

diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -558,29 +558,59 @@ func TestDaemonSet(t *testing.T) {
 }
 
 func TestMachineConfig(t *testing.T) {
-	mc, err := MachineConfig(ComponentResourceTopologyExporter)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
 
-	ignitionConfig := &igntypes.Config{}
-	if err := json.Unmarshal(mc.Spec.Config.Raw, ignitionConfig); err != nil {
-		t.Fatalf("failed to unmarshal ignition config: %v", err)
+	type testCase struct {
+		name            string
+		platformVersion platform.Version
+		expectedFileNum int
+		expectedUnitNum int
 	}
-
+	// In both these cases:
 	// we are expecting to have 3 files
 	// 1. OCI hook configuration
 	// 2. OCI hook script
 	// 3. SELinux policy
-	if len(ignitionConfig.Storage.Files) != 3 {
-		klog.Errorf("ignition config files: %+v", ignitionConfig.Storage.Files)
-		t.Fatalf("the ignition config has %d files when it should have %d", len(ignitionConfig.Storage.Files), 3)
-	}
 
-	// we are expecting only one systemd unit
+	// One systemd unit
 	// 1. Systemd unit to install the SELinux policy
-	if len(ignitionConfig.Systemd.Units) != 1 {
-		klog.Errorf("ignition config systemd units: %+v", ignitionConfig.Systemd.Units)
-		t.Fatalf("the ignition config has %d systemd units when it should have %d", len(ignitionConfig.Systemd.Units), 1)
+
+	// TODO: Check SELinuxPolicy in the various cases
+	testCases := []testCase{
+		{
+			name:            "OCP 4.10",
+			platformVersion: "4.10",
+			expectedFileNum: 3,
+			expectedUnitNum: 1,
+		},
+		{
+			name:            "OCP 4.11",
+			platformVersion: "4.11",
+			expectedFileNum: 3,
+			expectedUnitNum: 1,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mc, err := MachineConfig(ComponentResourceTopologyExporter, platform.Version(tc.platformVersion))
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			ignitionConfig := &igntypes.Config{}
+			if err := json.Unmarshal(mc.Spec.Config.Raw, ignitionConfig); err != nil {
+				t.Fatalf("failed to unmarshal ignition config: %v", err)
+			}
+
+			if len(ignitionConfig.Storage.Files) != tc.expectedFileNum {
+				klog.Errorf("ignition config files: %+v", ignitionConfig.Storage.Files)
+				t.Fatalf("the ignition config has %d files when it should have %d", len(ignitionConfig.Storage.Files), tc.expectedFileNum)
+			}
+
+			if len(ignitionConfig.Systemd.Units) != tc.expectedUnitNum {
+				klog.Errorf("ignition config systemd units: %+v", ignitionConfig.Systemd.Units)
+				t.Fatalf("the ignition config has %d systemd units when it should have %d", len(ignitionConfig.Systemd.Units), tc.expectedUnitNum)
+			}
+		})
 	}
 }
diff --git a/pkg/manifests/rte/rte.go b/pkg/manifests/rte/rte.go
@@ -250,7 +250,7 @@ func GetManifests(plat platform.Platform, namespace string) (Manifests, error) {
 	mf := New(plat)
 
 	if plat == platform.OpenShift {
-		mf.MachineConfig, err = manifests.MachineConfig(manifests.ComponentResourceTopologyExporter)
+		mf.MachineConfig, err = manifests.MachineConfig(manifests.ComponentResourceTopologyExporter, platform.Version(plat))
 		if err != nil {
 			return mf, err
 		}