You shouldn't disable SELinux #14457
Comments
Looks like the bit that needs fixing is https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl - the tab for “CentOS, RHEL, or Fedora”. Currently there's an aside:
Maybe that's true. I haven't yet looked for an issue against kubelet that would track that.
@rmetzler file that has to be changed: /sig cluster-lifecycle cc @rosti
@neolit123: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/language en
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
This presents a big problem for STIG compliance. /remove-lifecycle stale
/priority backlog
Needed for hardening server profiles. /remove-lifecycle stale
Anyone tried running kubernetes by enabling seboolean container_manage_cgroup yet with good results? /remove-lifecycle stale
@jfcgaspar i don't think security contexts on Linux are a mess and i don't think we have the capacity to handle all that in the kubeadm docs. instead of saying:
we can add a note for users that know what they are doing to not disable it but to be aware that it might require a set of changes that kubeadm does not provide support for. PRs for such a clarification are welcome.
given this note here merged https://github.com/kubernetes/website/pull/20503/files
i'm going to go ahead and close this ticket. thanks
@neolit123: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This is a Feature Request

What would you like to be added

Current state: The docs tell the admin to disable SELinux / set it into permissive mode. E.g. this example from the kubeadm installation.

What I would like to see: I'm not an SELinux expert, but I recognized the OpenShift installer just enables the container_manage_cgroup boolean and that's it: https://github.com/openshift/openshift-ansible/blob/f80916276cbe932c8155c2ac084b68dc7225cb44/roles/openshift_node/tasks/config.yml#L18-L22

Why is this needed

I think that's a much better approach to security than the current state.
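An added example (not from the issue, the kubeadm docs or the OpenShift role) of the alternative described above: keep SELinux enforcing, set only the container_manage_cgroup boolean, and review AVC denials instead of switching to permissive mode. The function names are my own and the audit-log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the issue or the kubeadm/OpenShift docs: keep SELinux
# enforcing, enable only the container_manage_cgroup boolean, and review AVC
# denials instead of dropping to permissive mode. Function names are mine and
# the audit-log sample is constructed.

# Persisted mode (enforcing/permissive/disabled) from an /etc/selinux/config
# style file given as $1. SELINUXTYPE= lines do not match the pattern.
selinux_config_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Filter audit-log lines on stdin down to AVC denials raised for command $1
# (e.g. runc or kubelet). Each such line is something to fix with a boolean
# or a small policy module, not a reason to run setenforce 0.
avc_denials_for() {
  grep -E '^type=AVC .*denied' | grep -F "comm=\"$1\""
}

# What the kubeadm tab tells admins to do (weak, disables enforcement):
#   setenforce 0
#   sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# The OpenShift-style alternative: stay enforcing and flip one boolean, persistently.
harden_selinux_for_containers() {
  setsebool -P container_manage_cgroup on
  getsebool container_manage_cgroup   # expect: container_manage_cgroup --> on
}

# Constructed sample audit lines: a cgroup write denial from a container runtime
# (the case container_manage_cgroup addresses) and an unrelated kubelet denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1560000000.100:101): avc:  denied  { write } for  pid=2001 comm="runc" name="cgroup.procs" dev="cgroup" ino=17 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560000000.200:102): avc:  denied  { setattr } for  pid=1001 comm="kubelet" name="pods" dev="dm-0" ino=42 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1560000000.200:102): arch=c000003e syscall=188 success=no exit=-13 comm="kubelet"'

case "${1:-}" in
  apply) harden_selinux_for_containers ;;
  check)
    echo "persisted mode: $(selinux_config_mode /etc/selinux/config)"
    echo "runtime mode:   $(getenforce)"
    avc_denials_for runc < /var/log/audit/audit.log || true ;;
  demo) printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for runc ;;
esac
```

Run with `check` on a node to see the persisted and runtime modes plus any runtime denials, with `apply` (as root) to set the boolean, and with `demo` to filter the constructed sample offline.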