From bf153fc1d38f8ba227094532e99ed0d022d4e334 Mon Sep 17 00:00:00 2001
From: Jason Brooks
Date: Tue, 22 Nov 2016 16:25:31 -0800
Subject: [PATCH] change unconfined_t to spc_t

The kube etcd and discovery pods are set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
---
 cmd/kubeadm/app/master/discovery.go | 2 +-
 cmd/kubeadm/app/master/manifests.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/kubeadm/app/master/discovery.go b/cmd/kubeadm/app/master/discovery.go
index 2c2c5b88eef..2229502043e 100644
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@@ -88,7 +88,7 @@ func newKubeDiscoveryPodSpec(cfg *kubeadmapi.MasterConfiguration) api.PodSpec {
 // SELinux. This is not optimal and would be nice to adjust in future
 // so it can read /tmp/secret, but for now this avoids recommending
 // setenforce 0 system-wide.
- Type: "unconfined_t",
+ Type: "spc_t",
 },
 },
 }},
diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index c79e2813d7e..62aafd77088 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -101,7 +101,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 // SELinux. This is not optimal and would be nice to adjust in future
 // so it can create and write /var/lib/etcd, but for now this avoids
 // recommending setenforce 0 system-wide.
- Type: "unconfined_t",
+ Type: "spc_t",
 },
 },
 }, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
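Review bot: The comment kept above `Type: "spc_t"` in newKubeDiscoveryPodSpec does not say what the new label means: spc_t is the super-privileged-container domain, so SELinux type enforcement places no restriction on this pod, and the same applies to the etcd pod in WriteStaticPodManifests in manifests.go. I would say so next to the field, e.g. `// spc_t: container runs unconfined by SELinux; replace with a volume relabel once supported.` The literal is also duplicated in both files, so a shared constant such as `const selinuxUnconfinedContainerType = "spc_t"` would keep the two pod specs in sync. Both function bodies extend beyond the hunks, and whether the target hosts' policy defines spc_t is not visible here and is worth confirming before relying on it.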