From 832d83efaa2dbb8afe17141a7392b0b9ec7aa300 Mon Sep 17 00:00:00 2001
From: Devan Goodwin
Date: Wed, 21 Sep 2016 12:35:22 -0300
Subject: [PATCH] Allow etcd container to work with selinux.
---
 cmd/kubeadm/app/master/manifests.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index 247b8281a06..ed90430c057 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -96,6 +96,15 @@ func WriteStaticPodManifests(s *kubeadmapi.KubeadmConfig) error {
 Image: images.GetCoreImage(images.KubeEtcdImage, s.EnvParams["etcd_image"]),
 LivenessProbe: componentProbe(2379, "/health"),
 Resources: componentResources("200m"),
+ SecurityContext: &api.SecurityContext{
+ SELinuxOptions: &api.SELinuxOptions{
+ // TODO: This implies our etcd container is not being restricted by
+ // SELinux. This is not optimal and would be nice to adjust in future
+ // so it can create and write /var/lib/etcd, but for now this avoids
+ // recommending setenforce 0 system-wide.
+ Type: "unconfined_t",
+ },
+ },
 }, certsVolume(s), etcdVolume(s), k8sVolume(s))
 }
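Review bot: `Type: "unconfined_t"` is set unconditionally on the etcd container, and the TODO above it records neither what is at stake nor where the follow-up is tracked. etcd holds the cluster's state, including Secrets, so with this type SELinux policy no longer contains a compromised etcd process on an enforcing host. I would extend the comment to say so, e.g. `// SECURITY: etcd stores all cluster state (including Secrets); unconfined_t means SELinux does not contain this process. Tracked in <ISSUE-PLACEHOLDER>.` A narrower fix, if feasible, is presumably to give /var/lib/etcd a label the default container type may write to rather than unconfining the process; that would need testing on an enforcing host. WriteStaticPodManifests starts and ends outside this hunk.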