From 8f586d916e368744582a2a39b4026d513917c1f1 Mon Sep 17 00:00:00 2001
From: Evgeny L
Date: Tue, 27 Sep 2016 13:24:29 +0000
Subject: [PATCH] Kubeadm: fix SELinux rules for kubernetes discovery service
---
 cmd/kubeadm/app/master/discovery.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmd/kubeadm/app/master/discovery.go b/cmd/kubeadm/app/master/discovery.go
index eb94f3e8c22..d65c4a51a6f 100644
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@@ -81,6 +81,15 @@ func newKubeDiscoveryPodSpec(s *kubeadmapi.KubeadmConfig) api.PodSpec {
 // `HostIP: s.API.AdvertiseAddrs[0]`, if there is only one address`
 {Name: "http", ContainerPort: 9898, HostPort: 9898},
 },
+ SecurityContext: &api.SecurityContext{
+ SELinuxOptions: &api.SELinuxOptions{
+ // TODO: This implies our discovery container is not being restricted by
+ // SELinux. This is not optimal and would be nice to adjust in future
+ // so it can read /tmp/secret, but for now this avoids recommending
+ // setenforce 0 system-wide.
+ Type: "unconfined_t",
+ },
+ },
 }},
 Volumes: []api.Volume{{
 Name: kubeDiscoverySecretName,
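Review bot: The added `SecurityContext` sets `SELinuxOptions.Type: "unconfined_t"` unconditionally, so on every SELinux-enforcing host the discovery container runs with no SELinux confinement, and nothing in the hunk lets an operator keep confinement where the host policy already permits reading the mounted secret. The TODO explains why the label is used but not what it costs; the comment should state the impact so the next maintainer sees it before widening the container further, for example `// NOTE: unconfined_t removes SELinux containment for this container, which also exposes host port 9898 (see Ports above); a compromise of the discovery service is therefore not bounded by SELinux.` Consider gating the option on a kubeadm setting (placeholder: `s.<SELinuxOverrideField>`) or emitting a log line when it is applied, so the relaxation is visible rather than silent; I cannot tell from the hunk whether such a config field exists. The enclosing function newKubeDiscoveryPodSpec starts before the hunk and its return continues past it.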