
SELinux denials when using Cilium 1.17.3 (current latest) with Flatcar

Open tormath1 opened this issue 7 months ago • 0 comments

Description

When updating the Kubernetes version in Flatcar's test suite, I tried to bump the Cilium CNI version from 1.12.5 to 1.17.3, but it triggered a denial:

avc:  denied  { prog_load } for  pid=3545 comm="cilium-operator" scontext=system_u:system_r:container_t:s0:c117,c357 tcontext=system_u:system_r:container_t:s0:c117,c357 tclass=bpf permissive=0

Impact

Test suite is failing but not sure yet how it impacts actual usage of Cilium / Kubernetes / Flatcar.

Environment and steps to reproduce

  1. Set-up: Deploy a Kubernetes cluster
  2. Task: Deploy Cilium CNI >= 1.17.3 (maybe lower versions are affected as well)
  3. See the denial (note: you might need to remove the default audit-rules)

Expected behavior

No denial.

Additional information

I did not check carefully yet, but it might be something we could fix upstream.

tormath1, May 13 '25 13:05
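
For triaging denials like the one reported above, the following added example (not part of the original issue, and not Flatcar or Cilium code) parses AVC messages and groups them by source type, target, class and permission. The second sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter

SAMPLE = [
    # The denial quoted in the issue.
    'avc:  denied  { prog_load } for  pid=3545 comm="cilium-operator" '
    'scontext=system_u:system_r:container_t:s0:c117,c357 '
    'tcontext=system_u:system_r:container_t:s0:c117,c357 tclass=bpf permissive=0',
    # Constructed line for contrast, not from the issue.
    'avc:  denied  { read write } for  pid=100 comm="demo" '
    'scontext=system_u:system_r:container_t:s0:c1,c2 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type:level; the level may itself contain ':'.
    stype = f['scontext'].split(':', 3)[2]
    ttype = f['tcontext'].split(':', 3)[2]
    return {
        'perms': m.group('perms').split(),
        'pid': int(f['pid']) if 'pid' in f else None,
        'comm': f.get('comm'),
        'source_type': stype,
        'target_type': ttype,
        'tclass': f['tclass'],
        'same_type': stype == ttype,            # process acting on its own domain
        'enforced': f.get('permissive') == '0',  # permissive=0 means blocked
    }

def summarize(lines):
    """Count denials per (source, target, class, perms, enforced) tuple."""
    counts = Counter()
    for d in filter(None, map(parse_avc, lines)):
        target = 'self' if d['same_type'] else d['target_type']
        perms = ' '.join(sorted(d['perms']))
        counts[(d['source_type'], target, d['tclass'], perms, d['enforced'])] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

For the denial in this issue the summary shows `container_t` being refused `prog_load` on class `bpf` against its own domain, with enforcement on.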