kubernetes: fix SELinux label for kubelet plugins
Silences the kernel warning during startup:
  "Context system_u:object_r:container_file_t:s0 is not valid"

Signed-off-by: Ben Cressey <bcressey@amazon.com>
bcressey committed Apr 3, 2020
1 parent 076c3b5 commit 2e111e3
Showing 6 changed files with 35 additions and 10 deletions.
@@ -1,15 +1,15 @@
From 77cc9ceb6296f634e2068d6ca6137978d767a5ac Mon Sep 17 00:00:00 2001
From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Sat, 18 May 2019 16:57:12 +0000
Subject: [PATCH 1/3] always set relevant variables for cross compiling
Subject: [PATCH 1/4] always set relevant variables for cross compiling

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index bc7c065e..a82880a5 100755
index e9c3b066..14c15994 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
6 changes: 3 additions & 3 deletions packages/kubernetes/0002-do-not-omit-debug-info.patch
@@ -1,15 +1,15 @@
From 89af88d823a01785947f49cfda7c9f9db541489a Mon Sep 17 00:00:00 2001
From 8a067b93f1d6dabf4fe0c0c9c94dbad6f078e10b Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Fri, 20 Sep 2019 00:33:47 +0000
Subject: [PATCH 2/3] do not omit debug info
Subject: [PATCH 2/4] do not omit debug info

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
hack/lib/golang.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index a82880a5..5454e73f 100755
index 14c15994..1547bad5 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -790,7 +790,7 @@ kube::golang::build_binaries() {
@@ -1,15 +1,15 @@
From ae0a4d1175b2231aa47ada51cdfa90249a04ceee Mon Sep 17 00:00:00 2001
From 33cb415ae50c5fb48d37842247261b466093d1ae Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 5 Nov 2019 14:23:38 +0000
Subject: [PATCH 3/3] enable PIE for platform binaries
Subject: [PATCH 3/4] enable PIE for platform binaries

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
hack/lib/golang.sh | 1 +
1 file changed, 1 insertion(+)

diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index 5454e73f..a146fc28 100755
index 1547bad5..f07418a0 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -715,6 +715,7 @@ kube::golang::build_binaries_for_platform() {
@@ -0,0 +1,24 @@
From 03c21553cbd554761302f49f4e3e5c1d78a209cc Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 17 Mar 2020 20:14:31 +0000
Subject: [PATCH 4/4] override SELinux label for kubelet plugins

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
pkg/kubelet/config/defaults.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go
index 6c1e4ebf..1bce6b86 100644
--- a/pkg/kubelet/config/defaults.go
+++ b/pkg/kubelet/config/defaults.go
@@ -26,5 +26,5 @@ const (
DefaultKubeletContainersDirName = "containers"
DefaultKubeletPluginContainersDirName = "plugin-containers"
DefaultKubeletPodResourcesDirName = "pod-resources"
- KubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"
+ KubeletPluginsDirSELinuxLabel = "system_u:object_r:local_t:s0"
)
--
2.21.0
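
Review bot: The new patch's message carries only a subject and a sign-off, so the reason for replacing `container_file_t` with `local_t` in `KubeletPluginsDirSELinuxLabel` is recorded only in the outer commit (the kernel warning that the `container_file_t` context "is not valid"). Please add a line or two to the patch description stating that this constant must name a type the host's loaded SELinux policy defines, and why `local_t` was chosen, so whoever rebases the patch onto a later Kubernetes release knows what to re-check. It would also help to say how the change was verified beyond the warning disappearing, for example that kubelet plugins can still use the relabeled directory.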

3 changes: 2 additions & 1 deletion packages/kubernetes/kubernetes.spec
Expand Up @@ -24,10 +24,11 @@ Source1000: clarify.toml
Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
Patch2: 0002-do-not-omit-debug-info.patch
Patch3: 0003-enable-PIE-for-platform-binaries.patch
Patch4: 0004-override-SELinux-label-for-kubelet-plugins.patch

# Fix builds in $GOPATH when using Go 1.13 - drop when we catch up in v1.17.0
# /~https://github.com/kubernetes/kubernetes/commit/8618c09
Patch4: 0004-opt-out-of-module-mode-for-builds.patch
Patch5: 0005-opt-out-of-module-mode-for-builds.patch

BuildRequires: git
BuildRequires: rsync
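
Review bot: The new `Patch4` line for the SELinux label has no comment, while the module-mode patch just below it documents its upstream commit and when it can be dropped. A short comment above `Patch4` saying the label is tied to the types defined in this OS's SELinux policy, and whether the patch is meant to be carried long term, would help future maintainers tell the permanent patch from the temporary one. Since this file shows only 2 additions and 1 deletion, also confirm that nothing elsewhere in the spec refers to the module-mode patch by its old `Patch4` number.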