From e37a34c99a287c5c61ba483b2f5b792b2139ba33 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 14 Sep 2020 20:49:33 -0700 Subject: [PATCH 1/5] Document change to K3s SELinux option --- content/k3s/latest/en/advanced/_index.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 3be2eaa91c..7ee1c8cd5e 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md @@ -314,6 +314,19 @@ rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`. +The way that SELinux enforcement is enabled or disabled depends on the K3s version. + +{{% tabs %}} +{{% tab "K3s v1.19.1+k3s1" %}} + +To leverage experimental SELinux, specify the `--selinux` flag when starting K3s servers and agents. + +{{%/tab%}} +{{% tab "K3s prior to v1.19.1+k3s1" %}} + You can turn off SELinux enforcement in the embedded containerd by launching K3s with the `--disable-selinux` flag. +{{%/tab%}} +{{% /tabs %}} + Note that support for SELinux in containerd is still under development. Progress can be tracked in [this pull request](https://github.com/containerd/cri/pull/1246). From 30ee90e9006f263de0ae01620c82ac1a0ff631ce Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 15 Sep 2020 14:10:35 -0700 Subject: [PATCH 2/5] Say how to enable SELinux with K3s config file --- content/k3s/latest/en/advanced/_index.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 7ee1c8cd5e..536d872a8e 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md 
@@ -321,6 +321,11 @@ The way that SELinux enforcement is enabled or disabled depends on the K3s versi To leverage experimental SELinux, specify the `--selinux` flag when starting K3s servers and agents. +This option can also be specified in the K3s [configuration file:]({{}}/k3s/latest/en/installation/install-options/#configuration-file) + +``` +selinux: true +``` {{%/tab%}} {{% tab "K3s prior to v1.19.1+k3s1" %}} From a7a0d5047120f47798eb5ad6a850e89315a93a42 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 16 Sep 2020 11:09:28 -0700 Subject: [PATCH 3/5] Say that K3s will fail to start if both new and deprecated SELinux flags are used Co-authored-by: Jacob Blain Christen --- content/k3s/latest/en/advanced/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 536d872a8e..0ca39732d8 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md @@ -314,7 +314,7 @@ rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`. -The way that SELinux enforcement is enabled or disabled depends on the K3s version. +The way that SELinux enforcement is enabled or disabled depends on the K3s version. Prior to v1.19.x, SELinux enablement for the builtin containerd was automatic but could be disabled by passing `--disable-selinux`. With v1.19.x and beyond enabling SELinux must be affirmatively configured via the `--selinux` flag or config file entry. Servers and agents that specify both the `--selinux` and (deprecated) `--disable-selinux` flags will fail to start. {{% tabs %}} {{% tab "K3s v1.19.1+k3s1" %}} From 74c65c53ec6c8d7f4236d745877fabdfbc7bbeb8 Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Wed, 16 Sep 2020 11:18:18 -0700 Subject: [PATCH 4/5] Warn against using --disable-selinux in K3s v1.19.1+k3s1 --- content/k3s/latest/en/advanced/_index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 0ca39732d8..5c29c5e5c6 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md @@ -314,7 +314,7 @@ rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`. -The way that SELinux enforcement is enabled or disabled depends on the K3s version. Prior to v1.19.x, SELinux enablement for the builtin containerd was automatic but could be disabled by passing `--disable-selinux`. With v1.19.x and beyond enabling SELinux must be affirmatively configured via the `--selinux` flag or config file entry. Servers and agents that specify both the `--selinux` and (deprecated) `--disable-selinux` flags will fail to start. +The way that SELinux enforcement is enabled or disabled depends on the K3s version. Prior to v1.19.x, SELinux enablement for the builtin containerd was automatic but could be disabled by passing `--disable-selinux`. With v1.19.x and beyond, enabling SELinux must be affirmatively configured via the `--selinux` flag or config file entry. Servers and agents that specify both the `--selinux` and (deprecated) `--disable-selinux` flags will fail to start. {{% tabs %}} {{% tab "K3s v1.19.1+k3s1" %}} @@ -326,6 +326,9 @@ This option can also be specified in the K3s [configuration file:]({{}} ``` selinux: true ``` + +The `--disable-selinux` option should not be used. It is deprecated and will be either ignored or will be unrecognized, resulting in an error, in future minor releases. + {{%/tab%}} {{% tab "K3s prior to v1.19.1+k3s1" %}} 
From a8706f8828c5fd27fb67c3080e575dcd338ec2af Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 16 Sep 2020 11:30:25 -0700 Subject: [PATCH 5/5] Warn against using a custom --data-dir for K3s with SELinux --- content/k3s/latest/en/advanced/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md index 5c29c5e5c6..8d39be5ea4 100644 --- a/content/k3s/latest/en/advanced/_index.md +++ b/content/k3s/latest/en/advanced/_index.md @@ -316,6 +316,8 @@ To force the install script to log a warning rather than fail, you can set the f The way that SELinux enforcement is enabled or disabled depends on the K3s version. Prior to v1.19.x, SELinux enablement for the builtin containerd was automatic but could be disabled by passing `--disable-selinux`. With v1.19.x and beyond, enabling SELinux must be affirmatively configured via the `--selinux` flag or config file entry. Servers and agents that specify both the `--selinux` and (deprecated) `--disable-selinux` flags will fail to start. +Using a custom `--data-dir` under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the [containers/container-selinux](https://github.com/containers/container-selinux) repository, which contains the SELinux policy files for Container Runtimes, and the [rancher/k3s-selinux](https://github.com/rancher/k3s-selinux) repository, which contains the SELinux policy for K3s . + {{% tabs %}} {{% tab "K3s v1.19.1+k3s1" %}}
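Review bot: in the `K3s v1.19.1+k3s1` tab of the hunk in PATCH 1/5 (`@@ -314,6 +314,19 @@`), the sentence "To leverage experimental SELinux, specify the `--selinux` flag when starting K3s servers and agents." never says what happens when the flag is omitted, while the neighbouring tab describes enforcement that is on unless `--disable-selinux` is passed. Readers comparing the two tabs need the default stated in each: on v1.19.1+k3s1 enforcement is off unless `--selinux` is given on both servers and agents; on earlier versions it is on unless `--disable-selinux` is given. Suggest adding one sentence to each tab so they read as a pair. Minor: the closing shortcodes are written `{{%/tab%}}` while the opening ones are `{{% tab "..." %}}`; use the same spacing in both.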
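Review bot: in the hunk of PATCH 2/5 (`@@ -321,6 +321,11 @@`), the added link `[configuration file:]({{}}/k3s/latest/en/installation/install-options/#configuration-file)` has an empty shortcode `{{}}` as its URL prefix and carries the colon inside the link text; verify the base-URL shortcode survived (an empty one renders a broken link) and move the colon outside the brackets. The fence around `selinux: true` has no language tag; `yaml` would give it highlighting and matches the format of the file being referenced. A blank line between the closing fence and `{{%/tab%}}` would also keep the shortcode from being parsed as part of the code block by some renderers.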
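Review bot: the paragraph rewritten in the hunk of PATCH 3/5 (`@@ -314,7 +314,7 @@`) moves SELinux from on-by-default to opt-in across the v1.19 boundary but does not spell out the consequence for upgrades: a node that ran a pre-v1.19.x K3s with enforcement enabled automatically and is upgraded to v1.19.x without adding `--selinux` (or `selinux: true`) comes back with no SELinux enforcement in the embedded containerd. That is a silent loss of confinement, so recommend an explicit sentence telling operators upgrading to keep enforcement by adding the flag or config entry. Two wording points: this paragraph describes the boundary as "v1.19.x" while the tab titles below say "v1.19.1+k3s1"; pick one form. "builtin" should be "built-in", and "With v1.19.x and beyond enabling SELinux" needs a comma after "beyond" (PATCH 4/5 adds it; squashing the two commits avoids touching the same line twice).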
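Review bot: in the second hunk of PATCH 4/5 (`@@ -326,6 +326,9 @@`), "will be either ignored or will be unrecognized, resulting in an error, in future minor releases" leaves the reader unable to tell which behaviour applies to the release they run; state what v1.19.1+k3s1 itself does with `--disable-selinux` and, separately, that a future minor release will drop it. The note should also be reconciled with the paragraph added in PATCH 3/5, which says that passing both `--selinux` and `--disable-selinux` fails to start: say plainly that on its own the flag is deprecated, and that combined with `--selinux` it is a startup error. "will be either ignored or will be unrecognized" can be tightened to "will be ignored or rejected as unrecognized".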
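Review bot: the paragraph added in the hunk of PATCH 5/5 (`@@ -316,6 +316,8 @@`) says a custom `--data-dir` is not supported under SELinux but not why, which is what a reader needs to judge whether their layout is affected; state the reason (that the shipped policy labels only the default data directory) and name that default directory so readers can recognise an affected configuration. "you would most likely need to write your own custom policy" hedges where the docs should be definite: "requires a custom policy" is clearer and matches the two repositories linked as guidance. Copy edits: remove the stray space in "for K3s ." and lowercase "Container Runtimes".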