github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add fapolicyd to k3s 

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
pull/9533/head
galal-hussein 9 months ago
parent
1c1746114c
commit
ad6fc72dc4
1 changed files with 46 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 46
      install.sh

46
install.sh
Unescape View File

@ -94,6 +94,10 @@ set -o noglob
# - INSTALL_K3S_CHANNEL
# Channel to use for fetching k3s download URL.
# Defaults to 'stable'.
#
# - INSTALL_K3S_SKIP_FAPOLICY
# If set, the install script will skip adding fapolicy rules
# Default is not set.
GITHUB_URL=https://github.com/k3s-io/k3s/releases
GITHUB_PR_URL=""
@ -911,6 +915,13 @@ elif type zypper >/dev/null 2>&1; then
\$uninstall_cmd
rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo
fi
if type fapolicyd >/dev/null 2>&1; then
if [ -f /etc/fapolicyd/rules.d/80-k3s.rules ]; then
rm -f /etc/fapolicyd/rules.d/80-k3s.rules
fi
fagenrules --load
systemctl restart fapolicyd
fi
EOF
$SUDO chmod 755 ${UNINSTALL_K3S_SH}
$SUDO chown root:root ${UNINSTALL_K3S_SH}
@ -1100,6 +1111,40 @@ service_enable_and_start() {
return 0
}
# verify_fapolicyd verifies existence of
# fapolicyd executable.
verify_fapolicyd() {
cmd="$(command -v "fapolicyd")"
if [ -z "${cmd}" ]; then
return 1
fi
return 0
}
setup_fapolicy_rules() {
if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ] || [ -r /etc/rocky-release ]; then
verify_fapolicyd || return
# setting k3s fapolicyd rules
cat <<-EOF >>"/etc/fapolicyd/rules.d/80-k3s.rules"
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
EOF
if [ -z "${INSTALL_K3S_SKIP_START}" ]; then
fagenrules --load || fatal "failed to load k3s fapolicyd rules"
systemctl restart fapolicyd
fi
fi
}
install_fapolicy() {
if [ -z "${INSTALL_K3S_SKIP_FAPOLICY}" ]; then
setup_fapolicy_rules
fi
}
# --- re-evaluate args to include env command ---
eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
@ -1115,6 +1160,7 @@ eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
systemd_disable
create_env_file
create_service_file
install_fapolicy
service_enable_and_start
}

Write Preview
Loading…
Cancel
Save