OCP: deprecate and make opt-in the selinux custom policy #312
ffromani opened this issue Aug 22, 2024 · 0 comments · Fixed by #311
On OCP, we need a custom SELinux policy to grant RTE (/NFD) access to the podresources socket. Thanks to the latest fixes in the most recent container-selinux package, we can now use a different but very compatible SELinux process context (container_device_plugin_t) which is very close to the permissions we need.

In addition, delivering a new custom SELinux policy

  1. requires a reboot of worker nodes, which is undesirable
  2. requires cleanup on removal, which we don't do, littering the worker nodes

so it's time to switch the default and make the custom SELinux policy available but opt-in.
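The approach described above, as an added illustration that is not the project's own manifest: a DaemonSet pod spec that relies on the stock container_device_plugin_t type from container-selinux to reach the kubelet podresources socket, so no custom policy module has to be installed, rebooted for, or cleaned up. The socket path (upstream kubelet default), the workload name and the image are assumptions.

```yaml
# Added illustration, not the project's own manifest.
# Assumes the podresources socket lives under /var/lib/kubelet/pod-resources
# (upstream kubelet default) and that the node's container-selinux version
# allows container_device_plugin_t to reach it.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: rte-example                 # hypothetical name
spec:
  selector:
    matchLabels:
      app: rte-example
  template:
    metadata:
      labels:
        app: rte-example
    spec:
      containers:
      - name: rte
        image: example.invalid/rte:placeholder   # placeholder image
        securityContext:
          # Stock container-selinux process type instead of a custom policy
          # module: nothing to load on the node, no reboot, nothing to remove.
          seLinuxOptions:
            type: container_device_plugin_t
        volumeMounts:
        - name: pod-resources
          mountPath: /var/lib/kubelet/pod-resources
          readOnly: true
      volumes:
      - name: pod-resources
        hostPath:
          path: /var/lib/kubelet/pod-resources
          type: Directory
```

With the custom policy made opt-in, the only difference for the opt-in path is the `seLinuxOptions.type` value, which the page does not name, so it is left out here.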
