

selinux: use container_device_plugin_t context by default
The `container_device_plugin_t` label type allows communication with
`kubelet_t` context: containers/container-selinux#178.

The PodResourceAPI socket is an object created by Kubelet so it inherits
the same process context, i.e. `kubelet_t`.

We gradually want to deprecate the custom SELinux context
and use this one instead.

Signed-off-by: Talor Itzhak <[email protected]>
Tal-or committed Aug 22, 2024
1 parent 879f775 commit bf82907
Showing 4 changed files with 14 additions and 7 deletions.
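--- a/pkg/assets/selinux/consts.go
+++ b/pkg/assets/selinux/consts.go
@@ -18,7 +18,8 @@ package selinux
 
 const (
 RTEPolicyFileName = "/etc/selinux/rte.cil"
-RTEContextType = "rte.process"
+RTEContextType = "container_device_plugin_t"
+RTEContextObsoleteType = "rte.process"
 RTEContextLevel = "s0"
 RTEPolicyInstallServiceName = "rte-selinux-policy-install.service"
 )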
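Review bot: The changed and added exported constants carry no doc comment, so a reader cannot tell which SELinux type is the current default and which is the legacy one without digging up this commit. Suggest `// RTEContextType is the SELinux type the RTE container runs as; container_device_plugin_t comes from container-selinux and allows communication with kubelet_t.` above RTEContextType and `// RTEContextObsoleteType is the type provided by the custom rte.cil policy, kept for deployments that still install that policy via MachineConfig.` above RTEContextObsoleteType. Those two lines preserve the security meaning of the switch, which is otherwise visible only in the commit message.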
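--- a/pkg/manifests/manifests.go
+++ b/pkg/manifests/manifests.go
@@ -436,7 +436,7 @@ func getTemplateContent(templateContent []byte, templateArgs map[string]string)
 return fileContent.Bytes(), nil
 }
 
-func SecurityContextConstraint(component string) (*securityv1.SecurityContextConstraints, error) {
+func SecurityContextConstraint(component string, withCustomSELinuxPolicy bool) (*securityv1.SecurityContextConstraints, error) {
 if component != ComponentResourceTopologyExporter {
 return nil, fmt.Errorf("component %q is not an %q component", component, ComponentResourceTopologyExporter)
 }
@@ -458,6 +458,9 @@ func SecurityContextConstraint(component string) (*securityv1.SecurityContextCon
 Level: selinuxassets.RTEContextLevel,
 },
 }
+if withCustomSELinuxPolicy {
+scc.SELinuxContext.SELinuxOptions.Type = selinuxassets.RTEContextObsoleteType
+}
 
 return scc, nil
 }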
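Review bot: The SCC's SELinux type is selected here from `withCustomSELinuxPolicy`, while the DaemonSet container's type in pkg/manifests/rte/rte.go Render is selected from `mf.MachineConfig != nil`; unless those two inputs are guaranteed to agree (not visible in this diff), the SCC and the container can end up with different types, and if the SCC's SELinux strategy is MustRunAs (not shown here) the pod would then be rejected at admission. Consider having `SecurityContextConstraint` take the type string itself, or deriving the type once in a shared helper that both callers use, so there is a single source of truth. The new parameter is also undocumented; a line such as `// withCustomSELinuxPolicy selects the legacy rte.process type provided by the custom rte.cil policy instead of the container_device_plugin_t default.` above the function would help. The function's body continues between and after the two hunks.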
9 changes: 6 additions & 3 deletions pkg/manifests/rte/rte.go
Expand Up @@ -17,6 +17,7 @@
package rte

import (
selinuxassets "github.com/k8stopologyawareschedwg/deployer/pkg/assets/selinux"
securityv1 "github.com/openshift/api/security/v1"
machineconfigv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
appsv1 "k8s.io/api/apps/v1"
Expand Down Expand Up @@ -111,16 +112,18 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
rteupdate.DaemonSet(ret.DaemonSet, mf.plat, rteConfigMapName, opts.DaemonSet)

if mf.plat == platform.OpenShift {
rteupdate.SecurityContext(ret.DaemonSet)

selinuxType := selinuxassets.RTEContextType
if mf.MachineConfig != nil {
if opts.Name != "" {
ret.MachineConfig.Name = ocpupdate.MakeMachineConfigName(opts.Name)
}
if opts.MachineConfigPoolSelector != nil {
ret.MachineConfig.Labels = opts.MachineConfigPoolSelector.MatchLabels
}
// the MachineConfig installs this custom policy which is obsolete starting from OCP 4.18v
selinuxType = selinuxassets.RTEContextObsoleteType
}
rteupdate.SecurityContext(ret.DaemonSet, selinuxType)
ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraint, ret.ServiceAccount)
}

Expand Down Expand Up @@ -190,7 +193,7 @@ func GetManifests(plat platform.Platform, version platform.Version, namespace st
}
}

mf.SecurityContextConstraint, err = manifests.SecurityContextConstraint(manifests.ComponentResourceTopologyExporter)
mf.SecurityContextConstraint, err = manifests.SecurityContextConstraint(manifests.ComponentResourceTopologyExporter, withCustomSELinuxPolicy)
if err != nil {
return mf, err
}
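Review bot: The comment added above `selinuxType = selinuxassets.RTEContextObsoleteType` reads `OCP 4.18v`, which looks like a typo for `OCP 4.18`; suggest `// the MachineConfig installs the custom rte.cil policy, which is obsolete starting from OCP 4.18`. It would also help to say at `selinuxType := selinuxassets.RTEContextType` why the default is fixed before the MachineConfig check, e.g. `// default to container_device_plugin_t; fall back to the legacy type only when the custom policy is actually installed`. Render begins before this hunk, and GetManifests in the last hunk begins before its hunk as well.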
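--- a/pkg/objectupdate/rte/rte.go
+++ b/pkg/objectupdate/rte/rte.go
@@ -174,7 +174,7 @@ func MetricsPort(ds *appsv1.DaemonSet, pNum int) {
 cntSpec.Ports = cp
 }
 
-func SecurityContext(ds *appsv1.DaemonSet) {
+func SecurityContext(ds *appsv1.DaemonSet, selinuxContextType string) {
 cntSpec := objectupdate.FindContainerByName(ds.Spec.Template.Spec.Containers, manifests.ContainerNameRTE)
 if cntSpec == nil {
 return
@@ -186,7 +186,7 @@ func SecurityContext(ds *appsv1.DaemonSet) {
 cntSpec.SecurityContext = &corev1.SecurityContext{}
 }
 cntSpec.SecurityContext.SELinuxOptions = &corev1.SELinuxOptions{
-Type: selinuxassets.RTEContextType,
+Type: selinuxContextType,
 Level: selinuxassets.RTEContextLevel,
 }
 }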
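Review bot: `SecurityContext` now accepts any string as the SELinux type and writes it straight into SELinuxOptions, so an empty `selinuxContextType` renders the container with `Type: ""` and only the level set, i.e. without the explicit type this function exists to enforce. A doc comment stating the contract would make that explicit, e.g. `// SecurityContext sets the RTE container's SELinuxOptions to selinuxContextType at selinuxassets.RTEContextLevel; callers pass selinuxassets.RTEContextType or RTEContextObsoleteType.` If an empty value must never reach here, an early return (or a fallback to `selinuxassets.RTEContextType`) on `selinuxContextType == ""` would keep a DaemonSet from being rendered without a type. The function's body spans both hunks, with the lines between them not shown.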

