openshift / machine-config-operator

Apache License 2.0

Manage sebooleans in MachineConfig #852

Open runcom opened 5 years ago

runcom commented 5 years ago

As for Kargs, FIPS and osImageURL, we would need a way to set selinux booleans through an MC (and maybe later on with a dedicated controller+CRD).

Acceptance criteria:

miminar commented 5 years ago

Also some applications like SAP Data Hub need to turn on booleans like virt_use_nfs to enable its own NFS server on top of k8s/OCP.

runcom commented 5 years ago
diff --git a/pkg/apis/machineconfiguration.openshift.io/v1/types.go b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
index 1cc2482e..b7f2ae8b 100644
--- a/pkg/apis/machineconfiguration.openshift.io/v1/types.go
+++ b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
@@ -231,6 +231,14 @@ type MachineConfigSpec struct {
        Config igntypes.Config `json:"config"`

        KernelArguments []string `json:"kernelArguments"`
+
+       Sebooleans []Sebool `json:"sebooleans"`
+}
+
+type Sebool struct {
+       Name       string
+       Persistent bool
+       State      bool
 }

 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
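Review bot: the three fields of the new Sebool struct carry no json tags, so they would serialize as Name/Persistent/State while the surrounding fields use lowerCamel keys (`json:"kernelArguments"`, `json:"sebooleans"`); add `json:"name"`, `json:"persistent"` and `json:"state"` to keep the wire format consistent. Each field also needs a doc comment, since nothing in the hunk says what `Persistent bool` means (presumably `setsebool -P`, which writes the policy store rather than only the running kernel) or how `State bool` maps to on/off, and that distinction is exactly what an MC author has to get right.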

The MCD will know how to set those (need to play with rhcos with these) using get|setsebool [-P]

cgwalters commented 5 years ago

Note this will also really require fixing https://github.com/ostreedev/ostree/issues/1026

runcom commented 5 years ago

> Note this will also really require fixing ostreedev/ostree#1026

oh nice

> (need to play with rhcos with these)

:D

ashcrow commented 5 years ago

> Also some applications like SAP Data Hub need to turn on booleans like virt_use_nfs to enable its own NFS server on top of k8s/OCP.

FWIW we turn this on today in RHCOS. Though I'm :+1: on having MCO be able to configure things on the host.

cgwalters commented 5 years ago

Related to this, we should probably offer:

selinux: permissive|disabled (default enforcing)

And the MCD should watch for audit notifications of enforcement changes and reconcile (someone doing setenforce 0 would quickly get overruled).

tylerauerbeck commented 5 years ago

Has there been any movement on this?

cgwalters commented 5 years ago

If you want to do this today, the workaround is to ship a systemd unit that does ExecStart=/usr/sbin/setsebool and is Before=kubelet.service etc.

cgwalters commented 5 years ago

Also, if going the systemd route a recommendation is to not use -P so that dropping the unit from the MC will naturally revert the system. This will also avoid triggering https://github.com/ostreedev/ostree/issues/1026
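The workaround from the two comments above (a systemd unit that runs setsebool without -P, ordered Before=kubelet.service), written out as a complete MachineConfig. This is an added example, not code from this thread or from the machine-config-operator repository; the worker role label, the unit and MachineConfig names, the Ignition spec version and the choice of the virt_use_nfs boolean (taken from the SAP Data Hub comment) are assumptions.

```yaml
# Added example, not part of the MCO repo or this issue. Assumptions:
# worker role, Ignition spec 3.2.0 (use the version your MCO release
# accepts), and the virt_use_nfs boolean as the one to enable.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-sebool-virt-use-nfs
spec:
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
        - name: sebool-virt-use-nfs.service
          enabled: true
          contents: |
            [Unit]
            Description=Set the virt_use_nfs SELinux boolean for this boot
            # Before= is ordering only: kubelet still starts if this unit fails,
            # so check `systemctl status sebool-virt-use-nfs.service` on the node.
            Before=kubelet.service

            [Service]
            Type=oneshot
            RemainAfterExit=yes
            # Deliberately without -P: the change lives only in the running
            # kernel, so removing this MachineConfig (and the reboot the MCD
            # performs for it) reverts the boolean, and the policy store on
            # the ostree deployment is never written.
            ExecStart=/usr/sbin/setsebool virt_use_nfs on
            # The persistent form the comment above advises against:
            # ExecStart=/usr/sbin/setsebool -P virt_use_nfs on

            [Install]
            WantedBy=multi-user.target
```

Apply it with `oc apply -f`, wait for the worker MachineConfigPool to finish rolling (the MCD reboots each node), then confirm from the host with `getsebool virt_use_nfs`. Two caveats follow from the design: a misspelled boolean name makes the unit fail without blocking kubelet, and nothing reconciles the value afterwards, so a later `setsebool virt_use_nfs off` on the node stays in effect until the next boot; that runtime reconciliation is what the proposed MCD support would add.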

openshift-bot commented 4 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

avisiedo commented 4 years ago

+1 We were investigating how to enable some sebool by using a MachineConfig, and the way we found was using a MachineConfig with a systemd unit; this feature would make sebool management easier and more intuitive.

JAORMX commented 4 years ago

We did a demo on exposing SELinux policies to kubernetes via an operator. While that won't be worked on this release, it could start making sense to bring in this functionality to that operator. With the work that's going on about letting the MCO do certain updates without requiring reboots, I'm thinking it would then be possible to just base the operator on top of MCO.

openshift-bot commented 4 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

travier commented 4 years ago

/lifecycle frozen