Merge pull request #40682 from dgoodwin/pod-security-context

Automatic merge from submit-queue (batch tested with PRs 38443, 40145, 40701, 40682) Move kubeadm etcd SELinux options from container to pod. **What this PR does / why we need it**: Works around a bug that surfaces in Docker 1.12+ related to the pause container's namespace and selinux labels being transferred to the etcd container when it runs. At present it appears that applying selinux options to a container may be broken, or perhaps shouldn't be supported at all. Moving these to the pod causes all containers (including pause) to run with the correct labels. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: Related to and partial fix for https://github.com/kubernetes/kubeadm/issues/107 This is one of several selinux related fixes in flight for upcoming releases, and newer versions of Docker. To successfully run kubeadm with selinux enforcing right now would like require a recent container-selinux build as uncovered in https://github.com/kubernetes/kubeadm/issues/107, a bugfix for the format labels in #40179, and finally this fix. **Release note**: ```release-note Fixed an SELinux issue in kubeadm on Docker 1.12+ by moving etcd SELinux options from container to pod. ```
2025-07-30 15:05:27 +00:00 · 2017-01-30 20:59:44 -08:00 · 2017-01-30 20:59:44 -08:00 · 1bc78add3e
commit 1bc78add3e
parent a185fa7b34 65a48b57ff
1 changed files with 10 additions and 10 deletions
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {

 	// Add etcd static pod spec only if external etcd is not configured
 	if len(cfg.Etcd.Endpoints) == 0 {
-		staticPodSpecs[etcd] = componentPod(api.Container{
+		etcdPod := componentPod(api.Container{
 			Name: etcd,
 			Command: []string{
 				"etcd",
@ -122,16 +122,16 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			Image:         images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
 			LivenessProbe: componentProbe(2379, "/health"),
 			Resources:     componentResources("200m"),
-			SecurityContext: &api.SecurityContext{
-				SELinuxOptions: &api.SELinuxOptions{
-					// TODO: This implies our etcd container is not being restricted by
-					// SELinux. This is not optimal and would be nice to adjust in future
-					// so it can create and write /var/lib/etcd, but for now this avoids
-					// recommending setenforce 0 system-wide.
-					Type: "spc_t",
-				},
-			},
 		}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
+
+		etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
+			SELinuxOptions: &api.SELinuxOptions{
+				// Unconfine the etcd container so it can write to /var/lib/etcd with SELinux enforcing:
+				Type: "spc_t",
+			},
+		}
+
+		staticPodSpecs[etcd] = etcdPod
 	}

 	manifestsPath := path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, "manifests")