diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index 8a19c0969b..52aa894cbc 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -397,6 +397,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig := &config.Node{
 		Docker: envInfo.Docker,
+		DisableSELinux: envInfo.DisableSELinux,
 		ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 		FlannelBackend: controlConfig.FlannelBackend,
 	}
@@ -474,6 +475,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig.AgentConfig.DisableCCM = controlConfig.DisableCCM
 	nodeConfig.AgentConfig.DisableNPC = controlConfig.DisableNPC
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
+	nodeConfig.DisableSELinux = envInfo.DisableSELinux
 
 	return nodeConfig, nil
 }
diff --git a/pkg/agent/containerd/containerd.go b/pkg/agent/containerd/containerd.go
index 9db9851e51..63bb31cbcf 100644
--- a/pkg/agent/containerd/containerd.go
+++ b/pkg/agent/containerd/containerd.go
@@ -168,11 +168,21 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 		PrivateRegistryConfig: privRegistries,
 	}
 
-	selinux, err := selinuxEnabled()
+	selEnabled, selConfigured, err := selinuxStatus()
 	if err != nil {
 		return errors.Wrap(err, "failed to detect selinux")
 	}
-	containerdConfig.SELinuxEnabled = selinux
+	if cfg.DisableSELinux {
+		containerdConfig.SELinuxEnabled = false
+		if selEnabled {
+			logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
+		}
+	} else {
+		containerdConfig.SELinuxEnabled = selEnabled
+	}
+	if containerdConfig.SELinuxEnabled && !selConfigured {
+		logrus.Warnf("SELinux is enabled for k3s but process is not running in context '%s', k3s-selinux policy may need to be applied", SELinuxContextType)
+	}
 
 	containerdTemplateBytes, err := ioutil.ReadFile(cfg.Containerd.Template)
 	if err == nil {
diff --git a/pkg/agent/containerd/selinux.go b/pkg/agent/containerd/selinux.go
index 2ad2eeb9a8..1f870f6f11
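Review bot: The added `nodeConfig.DisableSELinux = envInfo.DisableSELinux` in the second hunk assigns a field that the same function already sets in the `config.Node` literal of the first hunk (`DisableSELinux: envInfo.DisableSELinux`), so one of the two writes is redundant and the pair invites drift if either source is later changed. Keep the assignment in the literal, where the other `envInfo`-derived fields live, and drop the line in the second hunk. `get` starts before the first hunk; its `return nodeConfig, nil` is inside the second one.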
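Review bot: The override branch added at `if cfg.DisableSELinux {` switches `containerdConfig.SELinuxEnabled` off on a host where `selEnabled` is true with only a warn-level log that does not say what that means for workloads, and since the flag behind it is hidden this is the only place an operator auditing a node will see the downgrade. Spell out the consequence in the message, e.g. `logrus.Warn("SELinux is enabled on the host but has been disabled for containerd by --disable-selinux; containers will presumably run without SELinux confinement")`, and consider logging it at error level so it is not filtered with routine warnings. Note also that with the override set `selinuxStatus()` is still consulted and its error still aborts setup (`return errors.Wrap(err, "failed to detect selinux")`), which may or may not be intended for an escape-hatch flag. `setupContainerdConfig` begins and ends outside this hunk.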
--- a/pkg/agent/containerd/selinux.go
+++ b/pkg/agent/containerd/selinux.go
@@ -8,20 +8,20 @@ const (
 	SELinuxContextType = "container_runtime_t"
 )
 
-func selinuxEnabled() (bool, error) {
+func selinuxStatus() (bool, bool, error) {
 	if !selinux.GetEnabled() {
-		return false, nil
+		return false, false, nil
 	}
 
 	label, err := selinux.CurrentLabel()
 	if err != nil {
-		return false, err
+		return true, false, err
 	}
 
 	ctx, err := selinux.NewContext(label)
 	if err != nil {
-		return false, err
+		return true, false, err
 	}
 
-	return ctx["type"] == SELinuxContextType, nil
+	return true, ctx["type"] == SELinuxContextType, nil
 }
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
index 838143b574..3a3dbdb642 100644
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@@ -28,6 +28,7 @@ type Agent struct {
 	Rootless bool
 	RootlessAlreadyUnshared bool
 	WithNodeID bool
+	DisableSELinux bool
 	AgentShared
 	ExtraKubeletArgs cli.StringSlice
 	ExtraKubeProxyArgs cli.StringSlice
@@ -127,6 +128,12 @@ var (
 		Usage: "(agent/node) Registering and starting kubelet with set of labels",
 		Value: &AgentConfig.Labels,
 	}
+	DisableSELinuxFlag = cli.BoolFlag{
+		Name: "disable-selinux",
+		Usage: "(agent/node) Disable SELinux in containerd if currently enabled",
+		Hidden: true,
+		Destination: &AgentConfig.DisableSELinux,
+	}
 )
 
 func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
@@ -169,6 +176,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
 		NodeLabels,
 		NodeTaints,
 		DockerFlag,
+		DisableSELinuxFlag,
 		CRIEndpointFlag,
 		PauseImageFlag,
 		PrivateRegistryFlag,
diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index fd083cc908..2cda615cfb 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -216,6 +216,7 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 		NodeLabels,
 		NodeTaints,
 		DockerFlag,
+		DisableSELinuxFlag,
 		CRIEndpointFlag,
 		PauseImageFlag,
 		PrivateRegistryFlag,
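Review bot: `selinuxStatus` now returns two unlabelled booleans plus a deliberately partial result on the error paths (`return true, false, err`), and nothing in the hunk tells a caller what each position means or that the first value is still meaningful when `err` is non-nil. Add a doc comment above the signature, e.g. `// selinuxStatus reports whether SELinux is enabled on the host and whether this process is running in the SELinuxContextType domain; on error, enabled still reflects the host state and configured is false.`, and name the results in the signature, `func selinuxStatus() (enabled, configured bool, err error) {`, so the contract is visible at call sites. The whole function is inside this hunk.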
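Review bot: `DisableSELinuxFlag` is declared `Hidden: true` and its usage text describes only the mechanism ("Disable SELinux in containerd"), not that on an enforcing host it presumably removes SELinux confinement from every workload the runtime starts; a hidden flag with that effect is easy to carry over from a copied troubleshooting config without anyone noticing. State the consequence in the usage string, e.g. `Usage: "(agent/node) Disable SELinux in containerd if currently enabled; containers will not be SELinux-confined",`, and add a one-line comment above the flag saying why it is hidden (a support escape hatch, if that is the intent — confirm). The enclosing `var (` block starts before this hunk.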
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index d846d88e78..696b5acc19 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -25,6 +25,7 @@ type Node struct {
 	Docker bool
 	ContainerRuntimeEndpoint string
 	NoFlannel bool
+	DisableSELinux bool
 	FlannelBackend string
 	FlannelConf string
 	FlannelConfOverride bool