From 644aef100b695302a7382e0bbea19c238f4be729 Mon Sep 17 00:00:00 2001 From: Euan Kemp Date: Thu, 20 Jul 2017 13:36:06 -0700 Subject: [PATCH] kubeadm: don't customize etcd selinux label The original change that added the unconfined label included a comment indicating it won't be needed in the future. See: https://github.com/kubernetes/kubernetes/pull/33555#issuecomment-251126908 That time is now. https://github.com/kubernetes/kubernetes/pull/33663 has landed and means we no longer have to go out of our way to make that work. Removing the label also increases security since there wasn't really a good reason for etcd to be run with such broad selinux privileges. This also will allow kubeadm to avoid errors on distros without an spc_t type, such as Gentoo and Container Linux (at the time of writing at least). Fixes https://github.com/kubernetes/kubeadm/issues/269 --- cmd/kubeadm/app/phases/controlplane/manifests.go | 7 ------- 1 file changed, 7 deletions(-) diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go index e807257386b..8a799b96bd6 100644 --- a/cmd/kubeadm/app/phases/controlplane/manifests.go +++ b/cmd/kubeadm/app/phases/controlplane/manifests.go @@ -119,13 +119,6 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error { LivenessProbe: componentProbe(2379, "/health", v1.URISchemeHTTP), }, certsVolume(cfg), etcdVolume(cfg), k8sVolume()) - etcdPod.Spec.SecurityContext = &v1.PodSecurityContext{ - SELinuxOptions: &v1.SELinuxOptions{ - // Unconfine the etcd container so it can write to the data dir with SELinux enforcing: - Type: "spc_t", - }, - } - staticPodSpecs[etcd] = etcdPod }