github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add fapolicyd to k3s 

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
pull/9533/head
galal-hussein 2024-02-20 23:11:44 +02:00
parent 1c1746114c
commit ad6fc72dc4
1 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
install.sh
View File

@ -94,6 +94,10 @@ set -o noglob
# - INSTALL_K3S_CHANNEL # - INSTALL_K3S_CHANNEL
# Channel to use for fetching k3s download URL. # Channel to use for fetching k3s download URL.
# Defaults to 'stable'. # Defaults to 'stable'.
#
# - INSTALL_K3S_SKIP_FAPOLICY
# If set, the install script will skip adding fapolicy rules
# Default is not set.
GITHUB_URL=https://github.com/k3s-io/k3s/releases GITHUB_URL=https://github.com/k3s-io/k3s/releases
GITHUB_PR_URL="" GITHUB_PR_URL=""
@ -911,6 +915,13 @@ elif type zypper >/dev/null 2>&1; then
\$uninstall_cmd \$uninstall_cmd
rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo
fi fi
if type fapolicyd >/dev/null 2>&1; then
if [ -f /etc/fapolicyd/rules.d/80-k3s.rules ]; then
rm -f /etc/fapolicyd/rules.d/80-k3s.rules
fi
fagenrules --load
systemctl restart fapolicyd
fi
EOF EOF
$SUDO chmod 755 ${UNINSTALL_K3S_SH} $SUDO chmod 755 ${UNINSTALL_K3S_SH}
$SUDO chown root:root ${UNINSTALL_K3S_SH} $SUDO chown root:root ${UNINSTALL_K3S_SH}
@ -1100,6 +1111,40 @@ service_enable_and_start() {
return 0 return 0
} }
# verify_fapolicyd verifies existence of
# fapolicyd executable.
verify_fapolicyd() {
cmd="$(command -v "fapolicyd")"
if [ -z "${cmd}" ]; then
return 1
fi
return 0
}
setup_fapolicy_rules() {
if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ] || [ -r /etc/rocky-release ]; then
verify_fapolicyd || return
# setting k3s fapolicyd rules
cat <<-EOF >>"/etc/fapolicyd/rules.d/80-k3s.rules"
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
EOF
if [ -z "${INSTALL_K3S_SKIP_START}" ]; then
fagenrules --load || fatal "failed to load k3s fapolicyd rules"
systemctl restart fapolicyd
fi
fi
}
install_fapolicy() {
if [ -z "${INSTALL_K3S_SKIP_FAPOLICY}" ]; then
setup_fapolicy_rules
fi
}
# --- re-evaluate args to include env command --- # --- re-evaluate args to include env command ---
eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@") eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
@ -1115,6 +1160,7 @@ eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
systemd_disable systemd_disable
create_env_file create_env_file
create_service_file create_service_file
install_fapolicy
service_enable_and_start service_enable_and_start
} }