change unconfined_t to spc_t

The kube etcd and discovery pods are set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
2016-11-22 16:25:31 -08:00 · 2016-11-22 16:25:31 -08:00 · bf153fc1d3
parent d49f0dbf07
commit bf153fc1d3
2 changed files with 2 additions and 2 deletions
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@ -88,7 +88,7 @@ func newKubeDiscoveryPodSpec(cfg *kubeadmapi.MasterConfiguration) api.PodSpec {
 					// SELinux. This is not optimal and would be nice to adjust in future
 					// so it can read /tmp/secret, but for now this avoids recommending
 					// setenforce 0 system-wide.
-					Type: "unconfined_t",
+					Type: "spc_t",
 				},
 			},
 		}},
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@ -101,7 +101,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 					// SELinux. This is not optimal and would be nice to adjust in future
 					// so it can create and write /var/lib/etcd, but for now this avoids
 					// recommending setenforce 0 system-wide.
-					Type: "unconfined_t",
+					Type: "spc_t",
 				},
 			},
 		}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))