Merge pull request #37327 from jasonbrooks/pr-kubeadm-selinux

Automatic merge from submit-queue change unconfined_t to spc_t **What this PR does / why we need it**: When installing kube via kubeadm on a system w/ selinux enabled, it's necessary to disable selinux in order for the etcd and kube-discovery containers to run. The kube etcd and discovery pods are currently set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
2025-07-26 21:17:23 +00:00 · 2016-12-02 01:00:42 -08:00 · 2016-12-02 01:00:42 -08:00 · 9a67c20b3d
commit 9a67c20b3d
parent c4e891690f bf153fc1d3
2 changed files with 2 additions and 2 deletions
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@ -90,7 +90,7 @@ func newKubeDiscoveryPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.PodSpec {
 					// SELinux. This is not optimal and would be nice to adjust in future
 					// so it can read /tmp/secret, but for now this avoids recommending
 					// setenforce 0 system-wide.
-					Type: "unconfined_t",
+					Type: "spc_t",
 				},
 			},
 		}},
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@ -101,7 +101,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 					// SELinux. This is not optimal and would be nice to adjust in future
 					// so it can create and write /var/lib/etcd, but for now this avoids
 					// recommending setenforce 0 system-wide.
-					Type: "unconfined_t",
+					Type: "spc_t",
 				},
 			},
 		}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))