github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-02 08:17:26 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #33555 from rustyrobot/fix-selinux-rules-discovery

Browse Source 
Automatic merge from submit-queue

Kubeadm: fix SELinux rules for kubernetes discovery service

**What this PR does / why we need it**:
Fixes problems with SELinux on CentOS for discovery container which cannot read data from `/tmp/secret` directory.

**Which issue this PR fixes**
Fixed #33541
This commit is contained in:
Kubernetes Submit Queue 2016-09-27 10:06:48 -07:00 committed by GitHub
commit 80be079c9f
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/kubeadm/app/master/discovery.go
View File

@ -81,6 +81,15 @@ func newKubeDiscoveryPodSpec(s *kubeadmapi.KubeadmConfig) api.PodSpec {
// `HostIP: s.API.AdvertiseAddrs[0]`, if there is only one address` // `HostIP: s.API.AdvertiseAddrs[0]`, if there is only one address`
{Name: "http", ContainerPort: 9898, HostPort: 9898}, {Name: "http", ContainerPort: 9898, HostPort: 9898},
}, },
SecurityContext: &api.SecurityContext{
SELinuxOptions: &api.SELinuxOptions{
// TODO: This implies our discovery container is not being restricted by
// SELinux. This is not optimal and would be nice to adjust in future
// so it can read /tmp/secret, but for now this avoids recommending
// setenforce 0 system-wide.
Type: "unconfined_t",
},
},
}}, }},
Volumes: []api.Volume{{ Volumes: []api.Volume{{
Name: kubeDiscoverySecretName, Name: kubeDiscoverySecretName,