
You shouldn't disable SELinux #14457

Closed
rmetzler opened this issue May 22, 2019 · 14 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. language/en Issues or PRs related to English language priority/backlog Higher priority than priority/awaiting-more-evidence. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.

Comments

@rmetzler

This is a Feature Request

What would you like to be added

current state

The docs tell the admin to disable SELinux / set it into permissive mode.

E.g. this example from the kubeadm installation.

# Set SELinux in permissive mode (effectively disabling it)
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

what I would like to see

I'm not an SELinux Expert, but I recognized the OpenShift Installer just enables the container_manage_cgroup and that's it.

https://github.com/openshift/openshift-ansible/blob/f80916276cbe932c8155c2ac084b68dc7225cb44/roles/openshift_node/tasks/config.yml#L18-L22

Why is this needed

I think that's a much better approach to security than the current state.
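The comparison the issue draws is between the documented state (permissive or disabled) and leaving SELinux enforcing with the container_manage_cgroup boolean set, as the openshift-ansible role does. The audit helper below is an added example, not code from the kubeadm docs or the OpenShift installer; it parses the `/etc/selinux/config` and `getsebool -a` formats from constructed sample text so it runs offline, and it only prints the `setsebool -P` suggestion rather than applying it. As the thread later notes, the boolean alone may not be sufficient for every node setup.

```shell
#!/bin/sh
# Added audit helper (not from the kubeadm docs or the openshift-ansible role).
# Reports whether a node is in the state the docs produce (permissive/disabled)
# or still enforcing with container_manage_cgroup set. Inputs are passed as
# text so the logic can be exercised offline with constructed data.

# Mode from /etc/selinux/config text: enforcing|permissive|disabled|unknown.
selinux_config_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' | tail -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unknown\n'; fi
}

# State of one boolean in `getsebool -a` output ("name --> on"): on|off|missing.
sebool_state() {
    state=$(printf '%s\n' "$2" | awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }')
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'missing\n'; fi
}

# Combine config mode and boolean state into one posture string.
node_posture() {
    mode=$(selinux_config_mode "$1")
    bool=$(sebool_state container_manage_cgroup "$2")
    case "$mode:$bool" in
        enforcing:on)            echo enforcing-with-boolean ;;
        enforcing:*)             echo enforcing-without-boolean ;;
        permissive:*|disabled:*) echo permissive-per-docs ;;
        *)                       echo unknown ;;
    esac
}

# The non-disabling alternative raised in the issue, printed as a suggestion
# (not executed here): persist the boolean instead of running setenforce 0.
remediation_for() {
    case "$1" in
        enforcing-without-boolean) echo 'setsebool -P container_manage_cgroup on' ;;
        *)                         echo 'no change suggested' ;;
    esac
}

# Constructed sample inputs (not captured from a real node).
SAMPLE_CFG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_BOOLS='container_connect_any --> off
container_manage_cgroup --> on
container_use_cephfs --> off'

# On a real node: node_posture "$(cat /etc/selinux/config)" "$(getsebool -a)"
posture=$(node_posture "$SAMPLE_CFG" "$SAMPLE_BOOLS")
echo "posture=$posture suggestion: $(remediation_for "$posture")"
```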

@sftim
Contributor

sftim commented May 23, 2019

Looks like the bit that needs fixing is https://kubernetes.io/docs/setup/independent/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl - the tab for “CentOS, RHEL, or Fedora”

Currently there's an aside:

Setting SELinux in permissive mode by running setenforce 0 and sed ... effectively disables it. This is required to allow containers to access the host filesystem, which is needed by pod networks for example. You have to do this until SELinux support is improved in the kubelet.

Maybe that's true. I haven't yet looked for an issue against kubelet that would track that.

@neolit123
Member

@rmetzler
a PR with a better solution is welcome but until then this is the only reliable solution that we know of.
original PR (has linked bug reports):
#10150

file that has to be changed:
https://github.com/kubernetes/website/blob/master/content/en/docs/setup/independent/install-kubeadm.md

/sig cluster-lifecycle
/help

cc @rosti

@k8s-ci-robot
Contributor

@neolit123:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

@rmetzler
a PR with a better solution is welcome but until then this is the only reliable solution that we know of.
original PR (has linked bug reports):
#10150

file that has to be changed:
https://github.com/kubernetes/website/blob/master/content/en/docs/setup/independent/install-kubeadm.md

/sig cluster-lifecycle
/help

cc @rosti

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels May 25, 2019
@sftim
Contributor

sftim commented May 26, 2019

/language en

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label May 26, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 24, 2019
@zulrang

zulrang commented Sep 16, 2019

This presents a big problem for STIG compliance.

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 16, 2019
@sftim
Contributor

sftim commented Sep 26, 2019

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Sep 26, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 25, 2019
@VanagaS

VanagaS commented Jan 2, 2020

Needed for hardening server profiles.

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 1, 2020
@jfcgaspar
Contributor

Anyone tried running kubernetes by enabling seboolean container_manage_cgroup yet with good results?
What's preventing the documentation from being updated to just enable this selinux boolean rather than disabling selinux altogether?

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 22, 2020
@neolit123
Member

neolit123 commented Apr 22, 2020

@jfcgaspar i don't think container_manage_cgroup is sufficient.
see kubernetes/kubeadm#279

security contexts on Linux are a mess and i don't think we have the capacity to handle all that in the kubeadm docs.

instead of saying:

Set SELinux in permissive mode (effectively disabling it)

we can add a note for users that know what they are doing to not disable it but to be aware that it might require a set of changes that kubeadm does not provide support for.

PRs for such a clarification are welcome.

@neolit123
Member

given this note here merged https://github.com/kubernetes/website/pull/20503/files

You can leave SELinux enabled if you know how to configure it but it may require settings that are not supported by kubeadm.

i'm going to go ahead and close this ticket.

thanks
/close

@k8s-ci-robot
Contributor

@neolit123: Closing this issue.

In response to this:

given this note here merged https://github.com/kubernetes/website/pull/20503/files

You can leave SELinux enabled if you know how to configure it but it may require settings that are not supported by kubeadm.

i'm going to go ahead and close this ticket.

thanks
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
