[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

[atomic-devel] Kubeadm vs. SELinux

From: Josh Berkus <jberkus redhat com>
To: atomic-devel <atomic-devel projectatomic io>
Subject: [atomic-devel] Kubeadm vs. SELinux
Date: Tue, 22 Nov 2016 14:15:58 -0800

Currently, it is not possible to run Kubeadm with SELinux enabled.

This is bad; it means that Kubernetes' official installation
instructions include `setenforce 0`.  But it's hard to argue the point
when a kubeadm install -- soon to be the main install option for
Kubernetes, and the only one which currently works on Atomic -- simply
doesn't work with SELinux enabled.

The current blocker is that kubeadm init will hang forever at this stage:

<master/apiclient> created API client, waiting for the control plane to
become ready


The errors shown in the journal are here:

https://gist.github.com/jberkus/4e926c76fbf772ffee4eb774cb0a4c60

That's on Fedora 25 Atomic.  I've had the exact same experience on
CentOS 7 and RHEL 7, although the error messages are not identical.

Seems like this is on us to fix, if we want people to keep SELinux
enforcing. I don;t know if we need to push patches to Kubeadm, or to
SELinux, or both.

-- 
--
Josh Berkus
Project Atomic
Red Hat OSAS

Follow-Ups:
- Re: [atomic-devel] Kubeadm vs. SELinux
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]