Document change to K3s SELinux option #2686
@@ -314,6 +314,29 @@ rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm | |
|
||
To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`. | ||
|
||
The way that SELinux enforcement is enabled or disabled depends on the K3s version. Prior to v1.19.x, SELinux enablement for the builtin containerd was automatic but could be disabled by passing `--disable-selinux`. With v1.19.x and beyond, enabling SELinux must be affirmatively configured via the `--selinux` flag or config file entry. Servers and agents that specify both the `--selinux` and (deprecated) `--disable-selinux` flags will fail to start. | ||
|
||
Using a custom `--data-dir` under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the [containers/container-selinux](https://github.com/containers/container-selinux) repository, which contains the SELinux policy files for Container Runtimes, and the [rancher/k3s-selinux](https://github.com/rancher/k3s-selinux) repository, which contains the SELinux policy for K3s . | ||
|
||
{{% tabs %}} | ||
{{% tab "K3s v1.19.1+k3s1" %}} | ||
|
||
To leverage experimental SELinux, specify the `--selinux` flag when starting K3s servers and agents. | ||
|
||
This option can also be specified in the K3s [configuration file:]({{<baseurl>}}/k3s/latest/en/installation/install-options/#configuration-file) | ||
|
||
``` | ||
selinux: true | ||
``` | ||
|
||
The `--disable-selinux` option should not be used. It is deprecated and will be either ignored or will be unrecognized, resulting in an error, in future minor releases. | ||
|
||
{{%/tab%}} | ||
{{% tab "K3s prior to v1.19.1+k3s1" %}} | ||
|
||
As suggested, https://github.com/rancher/docs/pull/2686/files#r489578963, mentioning the
Added the info to the K3s v1.19+ tab:
|
||
You can turn off SELinux enforcement in the embedded containerd by launching K3s with the `--disable-selinux` flag. | ||
We do not have a --disable-selinux flag; instead use --selinux=false or skip the selinux flag, which does not enable selinux.
This tab is saying that the
Sounds good @catherineluse, thanks.
||
|
||
{{%/tab%}} | ||
{{% /tabs %}} | ||
|
||
Note that support for SELinux in containerd is still under development. Progress can be tracked in [this pull request](https://github.com/containerd/cri/pull/1246). |
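Review bot: the "K3s v1.19.1+k3s1" tab (the line beginning "To leverage experimental SELinux") never states what happens when the flag is omitted, even though the paragraph above it says enabling SELinux "must be affirmatively configured via the `--selinux` flag or config file entry"; add a sentence saying that a server or agent started without `--selinux` (or without `selinux: true` in the configuration file) runs with SELinux enforcement disabled in the embedded containerd, so that a reader upgrading from a release where enablement was automatic does not assume enforcement carries over. Two smaller points in the same hunk: the `--data-dir` paragraph has a stray space before its final period ("for K3s ."), and the fence around `selinux: true` carries no language tag, where `yaml` would match the config-file snippet it shows.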
Can we explicitly say that not passing the flag would have SELinux in disabled mode?
Hmm. In my opinion this is probably fine as it is.
I'll leave this sentence as is because @dweomer clarified it in his suggestion as well.