Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use superpowered label for the API agent #40

Merged
merged 1 commit into from
Aug 20, 2020
Merged

use superpowered label for the API agent #40

merged 1 commit into from
Aug 20, 2020

Conversation

bcressey
Copy link
Contributor

Issue number:
N/A

Description of changes:
After bottlerocket-os/bottlerocket#1056 makes its way into a release, Bottlerocket will require containers to opt-in to API access by using either the control_t or super_t labels.

Since control_t is not defined in the SELinux policy on older versions of Bottlerocket, set super_t instead until that release is widely available.

Testing done:
Installed the operator on my cluster and verified that the agent had the expected label.

$ ps Z $(pgrep -f bottlerocket-update-operator)
LABEL                               PID TTY      STAT   TIME COMMAND
system_u:system_r:super_t:s0     544512 ?        Ssl    0:00 /bottlerocket-update-operator -agent -debug -nodeName ...

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
use superpowered label for the API agent
9787cfe 
Bottlerocket now requires containers to opt-in to API access by using
either the `control_t` or `super_t` labels.

Since `control_t` is not available on older versions of Bottlerocket,
set `super_t` instead until the new version is widely available.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@jahkeup
Copy link
Member

jahkeup commented Aug 20, 2020

@bcressey did the agent pod show API calls successfully made to the API socket with this change in place?

@bcressey
Copy link
Contributor Author

@bcressey did the agent pod show API calls successfully made to the API socket with this change in place?

It did!

time="2020-08-20T22:58:15Z" level=debug msg="update API request" component=update-api method=POST path=/actions/refresh-updates
time="2020-08-20T22:58:15Z" level=debug msg="update API request" component=update-api method=GET path=/updates/status

jahkeup
jahkeup approved these changes Aug 20, 2020
View reviewed changes
Copy link
Member

@jahkeup jahkeup left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit: 🚀 🎸

@bcressey bcressey merged commit 87b633b into bottlerocket-os:develop Aug 20, 2020
@bcressey bcressey deleted the superpowered branch August 20, 2020 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuelkarp samuelkarp samuelkarp approved these changes

@jahkeup jahkeup jahkeup approved these changes

@etungsten etungsten etungsten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@bcressey @jahkeup @samuelkarp @etungsten