[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[atomic-devel] Kubeadm vs. SELinux

Currently, it is not possible to run Kubeadm with SELinux enabled.

This is bad; it means that Kubernetes' official installation
instructions include `setenforce 0`.  But it's hard to argue the point
when a kubeadm install -- soon to be the main install option for
Kubernetes, and the only one which currently works on Atomic -- simply
doesn't work with SELinux enabled.

The current blocker is that kubeadm init will hang forever at this stage:

<master/apiclient> created API client, waiting for the control plane to
become ready

The errors shown in the journal are here:


That's on Fedora 25 Atomic.  I've had the exact same experience on
CentOS 7 and RHEL 7, although the error messages are not identical.

Seems like this is on us to fix, if we want people to keep SELinux
enforcing. I don;t know if we need to push patches to Kubeadm, or to
SELinux, or both.

Josh Berkus
Project Atomic
Red Hat OSAS

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]