custom types for static pod containers

rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux

Apache License 2.0

21 stars 21 forks source link

custom types for static pod containers #6

Closed dweomer closed 4 years ago

dweomer commented 4 years ago

Establish new types suitable for running static pods:

rke2_service_t
rke2_service_db_t

Use rke2_service_t for all static pods that need read-only access to container_var_lib_t content under /var/lib/rancher/rke2/server/{cred,tls}.

Use rke2_service_db_t for the etcd static pod as it needs the same read access as rke2_service_t as well as read/write access to /var/lib/rancher/rke2/server/db.

dweomer commented 4 years ago

Conflicts with #5

dweomer commented 4 years ago

@Oats87, @cjellick and @erikwilson: thoughts on the naming? @ibuildthecloud and I agree that naming is hard.

For me, I can live with rke2_service_db_t but I wonder if rke2_datastore_t is more descriptive OR that maybe both are too specific.

dweomer commented 4 years ago

I like @ibuildthecloud's suggestion to have two levels of privilege for static pods (read-only, read/write under /var/lib/rancher/rke2 but I wonder if it is too granular as we should just give all static pods a bump to read/write capabilities.