Add fapolicyd to k3s

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2024-02-20 23:11:44 +02:00 · 2024-02-20 23:11:44 +02:00 · ad6fc72dc4
parent 1c1746114c
commit ad6fc72dc4
1 changed files with 46 additions and 0 deletions
--- a/install.sh
+++ b/install.sh
@ -94,6 +94,10 @@ set -o noglob
 #   - INSTALL_K3S_CHANNEL
 #     Channel to use for fetching k3s download URL.
 #     Defaults to 'stable'.
+#
+#   - INSTALL_K3S_SKIP_FAPOLICY
+#     If set, the install script will skip adding fapolicy rules
+#     Default is not set.

 GITHUB_URL=https://github.com/k3s-io/k3s/releases
 GITHUB_PR_URL=""
@ -911,6 +915,13 @@ elif type zypper >/dev/null 2>&1; then
    \$uninstall_cmd
    rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo
 fi
+if type fapolicyd >/dev/null 2>&1; then
+        if [ -f /etc/fapolicyd/rules.d/80-k3s.rules ]; then
+            rm -f /etc/fapolicyd/rules.d/80-k3s.rules
+        fi
+        fagenrules --load
+        systemctl restart fapolicyd
+fi
 EOF
    $SUDO chmod 755 ${UNINSTALL_K3S_SH}
    $SUDO chown root:root ${UNINSTALL_K3S_SH}
@ -1100,6 +1111,40 @@ service_enable_and_start() {
    return 0
 }

+# verify_fapolicyd verifies existence of
+# fapolicyd executable.
+verify_fapolicyd() {
+    cmd="$(command -v "fapolicyd")"
+    if [ -z "${cmd}" ]; then
+        return 1
+    fi
+
+    return 0
+}
+
+setup_fapolicy_rules() {
+    if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ] || [ -r /etc/rocky-release ]; then
+        verify_fapolicyd || return
+        # setting k3s fapolicyd rules
+        cat <<-EOF >>"/etc/fapolicyd/rules.d/80-k3s.rules"
+allow perm=any all : dir=/var/lib/rancher/
+allow perm=any all : dir=/opt/cni/
+allow perm=any all : dir=/run/k3s/
+allow perm=any all : dir=/var/lib/kubelet/
+EOF
+        if [ -z "${INSTALL_K3S_SKIP_START}" ]; then
+            fagenrules --load || fatal "failed to load k3s fapolicyd rules"
+            systemctl restart fapolicyd
+        fi
+    fi
+}
+
+install_fapolicy() {
+    if [ -z "${INSTALL_K3S_SKIP_FAPOLICY}" ]; then
+        setup_fapolicy_rules
+    fi
+}
+
 # --- re-evaluate args to include env command ---
 eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")

@ -1115,6 +1160,7 @@ eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
    systemd_disable
    create_env_file
    create_service_file
+    install_fapolicy
    service_enable_and_start
 }