Add support for SELinux #199

3 changes: 3 additions & 0 deletions inventory/sample/group_vars/all.yml
Expand Up @@ -5,3 +5,6 @@ systemd_dir: /etc/systemd/system
master_ip: "{{ hostvars[groups['master'][0]]['ansible_host'] | default(groups['master'][0]) }}"
extra_server_args: ""
extra_agent_args: ""
selinux_mode: disabled
selinux_policy_version: v1.1.stable.1
selinux_rpm_version: "{{ selinux_policy_version[1:] | regex_replace('\\.[a-zA-Z]*\\.', '-') }}"
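Review bot: The new `selinux_mode` knob on the `selinux_mode: disabled` line carries no comment stating its accepted values, although the prereq tasks and both service templates branch on it and the sample inventory keeps SELinux off on every CentOS/RedHat host. I would add above it `# SELinux state for CentOS/RedHat hosts: enforcing, permissive or disabled.` and `# enforcing/permissive also installs k3s-selinux and starts k3s with --selinux.` The `selinux_rpm_version` expression depends on `selinux_policy_version` keeping its leading `v` (the `[1:]` slice drops it) and on exactly one `.<word>.` segment being turned into `-`, e.g. `v1.1.stable.1` becomes `1.1-1`; a one-line comment recording that expected shape would save the next person from an unexplained failure of the RPM download.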
2 changes: 1 addition & 1 deletion roles/k3s/master/templates/k3s.service.j2
Expand Up @@ -7,7 +7,7 @@ After=network-online.target
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args | default("") }}
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ '--selinux' if selinux_mode in ['enforcing', 'permissive'] }} {{ extra_server_args | default("") }}
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
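Review bot: `selinux_mode` is referenced without a `default()` on the new ExecStart line, unlike `extra_server_args` on the same line, so rendering fails with an undefined-variable error for any inventory that predates this change; `{{ '--selinux' if selinux_mode | default('disabled') in ['enforcing', 'permissive'] else '' }}` keeps older inventories working and also avoids the undefined result of an inline `if` with no `else`. The same applies to the node template roles/k3s/node/templates/k3s.service.j2 below. The flag is also not gated on the distribution, while the policy install in roles/prereq only runs on CentOS/RedHat, so a non-RHEL host with `selinux_mode: enforcing` would be started with `--selinux` and no policy installed — presumably unintended, though I cannot tell from here how k3s behaves in that case.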
2 changes: 1 addition & 1 deletion roles/k3s/node/templates/k3s.service.j2
Expand Up @@ -7,7 +7,7 @@ After=network-online.target
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['master'][0]]['token'] }} {{ extra_agent_args | default("") }}
ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['master'][0]]['token'] }} {{ '--selinux' if selinux_mode in ['enforcing', 'permissive'] }} {{ extra_agent_args | default("") }}
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
41 changes: 34 additions & 7 deletions roles/prereq/tasks/main.yml
@@ -1,8 +1,35 @@
---
- name: Set SELinux to disabled state
- name: Sets SELinux status
selinux:
state: disabled
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
state: "{{ selinux_mode }}"
policy: "{{ 'targeted' if selinux_mode in ['enforcing', 'permissive'] else omit }}"
when: ansible_distribution in ['CentOS', 'RedHat']

- name: Install Rancher GPG key for SELinux policies
rpm_key:
key: https://rpm.rancher.io/public.key
state: present
when: ansible_distribution in ['CentOS', 'RedHat'] and selinux_mode in ['enforcing', 'permissive']

- name: Install SELinux policies
yum:
name:
- container-selinux
- selinux-policy-base
- https://github.com/k3s-io/k3s-selinux/releases/download/{{ selinux_policy_version }}/k3s-selinux-{{ selinux_rpm_version }}.el{{ ansible_distribution_major_version }}.noarch.rpm
state: present
when: ansible_distribution in ['CentOS', 'RedHat'] and selinux_mode in ['enforcing', 'permissive']

- name: Populate service facts for firewalld
service_facts:
when: ansible_distribution in ['CentOS', 'RedHat']

- name: Stop and disable firewalld service
systemd:
name: firewalld
enabled: no
state: stopped
when: ansible_distribution in ['CentOS', 'RedHat'] and 'firewalld.service' in services

- name: Enable IPv4 forwarding
sysctl:
Expand All @@ -24,21 +51,21 @@
content: "br_netfilter"
dest: /etc/modules-load.d/br_netfilter.conf
mode: "u=rw,g=,o="
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
when: ansible_distribution in ['CentOS', 'RedHat']

- name: Load br_netfilter
modprobe:
name: br_netfilter
state: present
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
when: ansible_distribution in ['CentOS', 'RedHat']

- name: Set bridge-nf-call-iptables (just to be sure)
sysctl:
name: "{{ item }}"
value: "1"
state: present
reload: yes
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
when: ansible_distribution in ['CentOS', 'RedHat']
loop:
- net.bridge.bridge-nf-call-iptables
- net.bridge.bridge-nf-call-ip6tables
Expand All @@ -51,4 +78,4 @@
insertafter: EOF
path: /etc/sudoers
validate: 'visudo -cf %s'
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
when: ansible_distribution in ['CentOS', 'RedHat']
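Review bot: `Sets SELinux status` only updates the SELinux config when moving from disabled to enforcing or permissive; the running kernel keeps SELinux disabled until the host reboots, and the module reports this through `reboot_required` in its result, which the play never checks before later starting k3s with `--selinux`. I would add `register: selinux_state` to that task and a follow-up `reboot:` task (or a `fail:` with an explanatory message) guarded by `when: selinux_state.reboot_required | default(false)` so the policy is actually in effect on the first k3s start. The `Populate service facts for firewalld` and `Stop and disable firewalld service` tasks are new in this hunk as well, are unrelated to the PR title, and turn off the host firewall on every CentOS/RedHat host unconditionally — they deserve their own variable gate or at least a mention in the description. Minor: `enabled: no` is a YAML 1.1 truthy value and reads better as `enabled: false`.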