
calico kubernetes, and selinux #2704

Closed
rcythr opened this issue Jul 4, 2019 · 4 comments · Fixed by #2738
Comments


rcythr commented Jul 4, 2019

Expected Behavior

Calico should work with selinux in enforcing mode. It's not reasonable to disable selinux for the whole system due to a single component.

Current Behavior

Calico does not work with selinux in enforcing mode.

Possible Solution

I noticed that calico-node runs with

securityContext:
    privileged: true

However, the init containers do not, and the install process breaks with permission denied errors due to selinux. I added the same security context to all the init containers, and the install works fine now.

Steps to Reproduce (for bugs)

  1. Use CentOS 7, with selinux in enforcing mode.
  2. Use kubeadm to setup a simple multi-node cluster. (I had to take steps to get selinux working with kubeadm. I am working to get those fixes made to kubeadm: kubeadm and selinux kubernetes/kubeadm#1654.)
  3. Follow instructions on https://docs.projectcalico.org/v3.8/getting-started/kubernetes/

Context

My organization mandates the use of selinux on all hosts. Any component which requires that selinux be disabled is simply not allowed to be used. In order to use calico, I needed to get it working with selinux.

Your Environment

  • Calico version: 3.8
  • Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes
  • Operating System and version: CentOS 7.6
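Before granting privileged: true to the init containers, a practitioner will want to confirm that the permission denied errors really are SELinux denials and see which label and operation are involved. The script below is an added example, not code from this issue or from the Calico project: it summarises AVC denial records from the audit log by process name, source context, target context, object class and denied permissions. The sample records embedded in it are constructed for illustration; the process name install-cni, the script file name and the contexts in those records are assumptions, not taken from this issue. On a CentOS 7 host the real input would be the output of ausearch -m AVC -ts recent.

```shell
#!/bin/sh
# Added example, not from the Calico issue or project: summarise SELinux AVC
# denials so a "permission denied" from an init container can be confirmed as
# an SELinux denial (and the label involved identified) before reaching for
# securityContext.privileged: true.
#
# Real use on the host (as root):  ausearch -m AVC -ts recent | sh avc_summary.sh -
# Output columns: count, comm, scontext, tcontext, tclass, denied permissions.

# summarise_avc: read audit records on stdin, keep only "avc: denied" lines,
# and count identical (comm, scontext, tcontext, tclass, perms) tuples.
summarise_avc() {
    awk '
    /avc:[[:space:]]*denied/ {
        perms = ""; comm = ""; s = ""; t = ""; c = ""
        # the denied permissions sit inside the braces: denied  { write create }  for ...
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
        }
        n[comm "\t" s "\t" t "\t" c "\t" perms]++
    }
    END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Constructed sample records (not real logs). The process name "install-cni"
# and the labels are assumptions for illustration: two identical denials on a
# directory, one on a file, plus a SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1562227200.101:301): avc:  denied  { write } for  pid=4101 comm="install-cni" name="cni" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562227200.102:302): avc:  denied  { create } for  pid=4101 comm="install-cni" name="conflist" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562227200.103:303): avc:  denied  { write } for  pid=4101 comm="install-cni" name="cni" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1562227200.103:303): arch=c000003e syscall=83 success=no exit=-13 comm="install-cni"'

# avc_top_denial: the most frequent denial tuple in the constructed sample.
avc_top_denial() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc | head -n 1
}

# avc_denial_kinds: number of distinct denial tuples in the constructed sample.
avc_denial_kinds() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc | wc -l | tr -d ' '
}

# Run with "-" to summarise real records from stdin; otherwise show the sample.
case "${1:-}" in
    -) summarise_avc ;;
    *) printf '%s\n' "$SAMPLE_AVC" | summarise_avc ;;
esac
```

The count column tells you at a glance whether one label mismatch accounts for all the failures; the scontext and tcontext columns are what you would feed to a targeted policy or label fix if you want to avoid privileged containers altogether.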

rcythr commented Jul 4, 2019

Here is the diff I made to https://docs.projectcalico.org/v3.8/manifests/calico.yaml which fixes the problem for me:

529a530,531
>           securityContext:
>             privileged: true
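Review bot: privileged: true is the broadest securityContext setting available and the hunk header (529a530,531) does not say which init container receives it; the PR should name the container at this line and state which operation was denied, and if a narrower securityContext (for example seLinuxOptions or a specific capability) clears the permission denied error, use that instead of privileged, otherwise record why privileged is required.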
563a566,567
>           securityContext:
>             privileged: true
572a577,578
>           securityContext:
>             privileged: true
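Review bot: all three hunks are against the rendered manifest at https://docs.projectcalico.org/v3.8/manifests/calico.yaml, so this diff will not apply to the repository and the next regenerated manifest would lose it; the same two lines need to be added to each init container entry in the chart template that produces calico.yaml and carried to every versioned copy of that template.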


fasaxc commented Jul 8, 2019

@rcythr Thanks for sleuthing that out, would you mind putting up a PR with the fix? The file that you'd need to change is here: https://github.com/projectcalico/calico/blob/master/_includes/master/charts/calico/templates/calico-node.yaml#L48 (and the similar files in _include/<version>/...

Going through the PR process makes sure that all contributions are properly attributed.


rcythr commented Jul 8, 2019

Sure, I'll get one submitted this weekend and refer to this issue.


rcythr commented Jul 21, 2019

Sorry for the wait, getting a dev environment (for running the tests) took a little longer than I expected and I kicked the can down the road to this weekend. I'm trying to get that PR created today.
