[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Kubeadm vs. SELinux

From: Daniel J Walsh <dwalsh redhat com>
To: Josh Berkus <jberkus redhat com>, atomic-devel <atomic-devel projectatomic io>
Subject: Re: [atomic-devel] Kubeadm vs. SELinux
Date: Tue, 22 Nov 2016 17:38:20 -0500


On 11/22/2016 05:15 PM, Josh Berkus wrote:
> Currently, it is not possible to run Kubeadm with SELinux enabled.
>
> This is bad; it means that Kubernetes' official installation
> instructions include `setenforce 0`.  But it's hard to argue the point
> when a kubeadm install -- soon to be the main install option for
> Kubernetes, and the only one which currently works on Atomic -- simply
> doesn't work with SELinux enabled.
>
> The current blocker is that kubeadm init will hang forever at this stage:
>
> <master/apiclient> created API client, waiting for the control plane to
> become ready
>
>
> The errors shown in the journal are here:
>
> https://gist.github.com/jberkus/4e926c76fbf772ffee4eb774cb0a4c60
>
> That's on Fedora 25 Atomic.  I've had the exact same experience on
> CentOS 7 and RHEL 7, although the error messages are not identical.
>
> Seems like this is on us to fix, if we want people to keep SELinux
> enforcing. I don;t know if we need to push patches to Kubeadm, or to
> SELinux, or both.
>

What AVC's are you seeing?  Where is the bugzilla for this?

ausearch -m avc -ts recent

Follow-Ups:
- Re: [atomic-devel] Kubeadm vs. SELinux
  - From: Jason Brooks
- Re: [atomic-devel] Kubeadm vs. SELinux
  - From: Clayton Coleman

References:
- [atomic-devel] Kubeadm vs. SELinux
  - From: Josh Berkus

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]