Fedora and RHEL use etc_t and the convention is <type_name>_t (kubern…

…etes-sigs#7891) * Fedora and RHEL use etc_t and the convention is <type_name>_t * Docs: specify all values for preinstall_selinux_state * CI: Add Fedora 34 with SELinux in enforcing mode
sakuraiyuta · Apr 16, 2022 · e4a4849 · e4a4849
1 parent 5e7528c
commit e4a4849
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 3 deletions.
diff --git a/.gitlab-ci/packet.yml b/.gitlab-ci/packet.yml
@@ -180,6 +180,13 @@ packet_fedora33-calico:
   variables:
     MITOGEN_ENABLE: "true"
 
+packet_fedora34-calico-selinux:
+  stage: deploy-part2
+  extends: .packet_periodic
+  when: on_success
+  variables:
+    MITOGEN_ENABLE: "true"
+
 packet_amazon-linux-2-aio:
   stage: deploy-part2
   extends: .packet_pr

diff --git a/docs/ci.md b/docs/ci.md
@@ -12,7 +12,7 @@ centos8 |  :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :x:
 debian10 |  :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian9 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: |
 fedora33 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora34 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
+fedora34 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
 opensuse |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 oracle7 |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu16 |  :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: |

diff --git a/docs/vars.md b/docs/vars.md
@@ -26,7 +26,7 @@ Some variables of note include:
 * *kube_version* - Specify a given Kubernetes version
 * *searchdomains* - Array of DNS domains to search when looking up hostnames
 * *nameservers* - Array of nameservers to use for DNS lookup
-* *preinstall_selinux_state* - Set selinux state, permitted values are permissive and disabled.
+* *preinstall_selinux_state* - Set selinux state, permitted values are permissive, enforcing and disabled.
 
 ## Addressing variables
 

diff --git a/roles/kubernetes/node/tasks/kubelet.yml b/roles/kubernetes/node/tasks/kubelet.yml
@@ -17,7 +17,7 @@
   template:
     src: "kubelet.env.{{ kubeletConfig_api_version }}.j2"
     dest: "{{ kube_config_dir }}/kubelet.env"
-    setype: "{{ (preinstall_selinux_state == 'enforcing') | ternary('t_etc', omit) }}"
+    setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('etc_t', omit) }}"
     backup: yes
     mode: 0640
   notify: Node | restart kubelet

diff --git a/tests/files/packet_fedora34-calico-selinux.yml b/tests/files/packet_fedora34-calico-selinux.yml
@@ -0,0 +1,14 @@
+---
+# Instance settings
+cloud_image: fedora-34
+mode: default
+
+# Kubespray settings
+deploy_netchecker: true
+dns_min_replicas: 1
+kube_network_plugin: calico
+
+auto_renew_certificates: true
+
+# Test with SELinux in enforcing mode
+preinstall_selinux_state: enforcing