Move the f15be37d9bef58a0128bcba006f8abb3ea13e8da version of scripts required for openshift-ci from "kata-containers/tests/.ci/openshift-ci" into "kata-containers/kata-containers/ci/openshift-ci" and required webhook+libs into "kata-containers/kata-containers/tools/testing" as is to simplify verification, the different location handling will be added in following commit. Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
# DaemonSet that relabels the Kata Containers install tree for SELinux.
# Each pod enters the mount namespace of PID 1, registers file-context rules
# mapping the /opt/kata paths listed below to qemu_exec_t, applies them with
# restorecon, and then sleeps forever.
#
# Security posture: the pod combines hostPID with a privileged container, so
# it should be treated as root on every node it is scheduled on. Limit who
# can create or modify workloads (and exec into pods) in kube-system.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: relabel-selinux-daemonset
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: restorecon
  template:
    metadata:
      labels:
        app: restorecon
    spec:
      # NOTE(review): the script below makes no Kubernetes API calls;
      # presumably this account is reused because it is already allowed to
      # run privileged pods - confirm, and check whether the token mount is
      # needed at all.
      serviceAccountName: kata-deploy-sa
      # Required so that "nsenter --target 1" resolves to PID 1 outside the
      # container's own PID namespace.
      hostPID: true
      containers:
        - name: relabel-selinux-container
          # No tag or digest: this resolves to whatever the registry serves
          # for the default tag at pull time, and that image then runs
          # privileged. Prefer a digest-pinned reference, e.g.
          # alpine@sha256:<DIGEST_PLACEHOLDER>.
          image: alpine
          securityContext:
            # Full privileges are what let nsenter join PID 1's mount
            # namespace.
            privileged: true
          # Quoting layers: YAML double-quoted scalar -> /bin/sh -c -> the
          # single-quoted script handed to bash. $ENTRY is expanded by the
          # inner bash, $? by the outer sh.
          # After "nsenter --mount", bash, semanage and restorecon are looked
          # up in the target mount namespace (presumably the node's own
          # filesystem, not the alpine image - verify they exist there).
          # Because of "set -e", a non-zero exit from nsenter ends the outer
          # shell before the NSENTER_FINISHED_WITH line is printed, so that
          # line only ever reports 0; failures surface as the container
          # exiting instead.
          # NOTE(review): confirm that "semanage fcontext -a" succeeds when
          # the pattern is already registered on the node, otherwise a
          # re-run after a pod restart would fail on the first entry.
          # "sleep infinity" keeps the privileged container resident after
          # the one-shot relabel has finished.
          command: ["/bin/sh", "-c", "
            set -e;
            echo Starting the relabel;
            nsenter --target 1 --mount bash -xc '
              for ENTRY in \
                \"/(.*/)?opt/kata/bin(/.*)?\" \
                \"/(.*/)?opt/kata/runtime-rs/bin(/.*)?\" \
                \"/(.*/)?opt/kata/share/kata-.*(/.*)?(/.*)?\" \
                \"/(.*/)?opt/kata/share/ovmf(/.*)?\" \
                \"/(.*/)?opt/kata/share/tdvf(/.*)?\" \
                \"/(.*/)?opt/kata/libexec(/.*)?\";
              do
                semanage fcontext -a -t qemu_exec_t \"$ENTRY\" || { echo \"Error in semanage command\"; exit 1; }
              done;
              restorecon -v -R /opt/kata || { echo \"Error in restorecon command\"; exit 1; }
            ';
            echo NSENTER_FINISHED_WITH: $?;
            sleep infinity"]