Can't install Kubernetes >=1.22 with RKE due to missing SELinux custom policies #598
Comments
Hi @tsde, Thanks for your report. SELinux has three modes:
Flatcar should default to
I'll have a look to see if you could easily integrate EDIT: I managed to compile locally From Flatcar docs:
Then:
I just updated the
Then when we try to add the policy:
I suspect it's because #479 is missing. 😉
Hi @tormath1, thanks for your quick reply and for digging into this. Current mode of SE Linux is indeed set to If I'm not wrong, according to RKE code, SE Linux detection is done using the
@tsde thanks for your answer.
Then it makes sense,
In that case, you might be interested to use the following
Thanks for the suggestion, I'll give it a try.
@tsde last time I checked, integrating Let me know if the drop-in solution is enough in the meantime, and let's keep this issue open to track this feature. I'll have a look at merging the rancher policies into the Gentoo upstream too.
@tormath1 Thank you for your concern. Hope it'll move forward smoothly. Integrating these policies would be really nice. In the meantime, I was able to upgrade Kubernetes to 1.22 following your recommendations. Setting And thanks for the good work on the Flatcar project.
Any progress so far?
Any updates?
Any updates?
Hi @bitfisher, we are still working on providing a fully labelled Flatcar OS. Some news has been shared during the office hours of July (#797). Once done, we should be able to look into the rke2-selinux policy. I just have a big concern regarding the compatibility between refpolicy and the rke2-selinux policy (as stated in this issue: rancher/rke2-selinux#25).
I'm blocked in production to upgrade my kubernetes cluster to >1.22 :(
Any movement on this?
Description
Using RKE, installing (or upgrading) Kubernetes >= 1.22 fails with the following error message:
Starting with 1.22, RKE (and RKE2) chose to use custom SE Linux policies for their setup. These can be installed through dedicated RPMs: rancher-selinux for RKE and rke2-selinux for RKE2, but these can't be used as is with Flatcar.
I also opened an issue on the RKE side to get their opinion on this: rancher/rke#2788
Impact
It's not possible to use RKE (or RKE2) with Flatcar Linux starting with Kubernetes 1.22.
Environment and steps to reproduce
Flatcar version:
I'm using RKE through terraform:
Run `terraform apply` to deploy (or upgrade) your cluster to 1.22.
Wait for the error.
The error is triggered early in the process, as it's a pre-check done by RKE before doing the actual installation.
Expected behavior / Additional information
I am a complete newbie when it comes to SE Linux and I don't really know of a way to work around this. As mentioned in the RKE issue, I manually tried to import the SE module from the RPM on my Flatcar instance but failed because of `/usr` being read-only. I didn't find any documentation about adding custom SE Linux configuration on a Flatcar instance. It feels like it's not easily doable without maintaining a custom Flatcar image, which seems overkill for this kind of small configuration tweak, and I'd like to avoid it.
What would be the best way to tackle this? As RKE (and RKE2) are popular tools for deploying Kubernetes, does it make sense to request new packages based on their RPMs?
Thanks