
Flannel >= 0.17.0 is crashing with enforced SELinux

Open tormath1 opened this issue 3 years ago • 0 comments

Description

While integrating kubernetes-1.24.1, we bumped the flannel tested version from 0.16.3 to 0.18.1 - we noticed that the kube-flannel daemon set is unable to start because of a missing SELinux rule:

Jun 10 14:47:54 localhost kernel: audit: type=1400 audit(1654872474.130:1604): avc:  denied  { read } for  pid=6286 comm="iptables" name="xtables.lock" dev="tmpfs" ino=1366 scontext=system_u:system_r:svirt_lxc_net_t:s0:c336,c891 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=0

The issue has always been there but silently ignored until this commit: https://github.com/flannel-io/flannel/commit/9dfcc8787f66211a749933a29d97060b27dec0f5#diff-27988e531dd370eec963c5e4e9be79bb158baa292798a2f59a13a031e1ab8f6aR196

Impact

Unable to run Kubernetes with flannel CNI in enforced SELinux environment

Environment and steps to reproduce

  1. Can be reproduced with Kubeadm test: kubeadm.v1.23.4.flannel.base

Additional information

  • A current workaround is to deactivate SELinux (sudo setenforce 0)
  • Can be solved with: https://github.com/flatcar-linux/Flatcar/issues/479 since it pulls the correct rules to transition from container_t (a.k.a. svirt_lxc_net_t) to iptables_t

tormath1 · Jun 16 '22 11:06
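The AVC line quoted in the report carries everything needed to triage a denial like this one: the source domain, the target type, the object class and the denied permission. The following is an added example, not code from the issue, from flannel or from Flatcar. It parses such `type=1400` audit lines, flags the pattern described above (a container domain such as container_t / svirt_lxc_net_t touching iptables_runtime_t files), and prints the single-denial allow rule that audit2allow would derive from that line. The regexes, the list of container domain names and the function names are assumptions of this example; the sample log line is the one from the report, embedded here as constructed input. Note that a blanket allow rule is only shown for comparison: the fix the reporter points to is the domain transition from container_t to iptables_t, not granting container_t direct access to iptables runtime files.

```python
import re

# Constructed sample input: the denial quoted in the issue, embedded here so the
# example runs offline (it is not read from a live audit log).
SAMPLE_AUDIT_LINE = (
    'Jun 10 14:47:54 localhost kernel: audit: type=1400 audit(1654872474.130:1604): '
    'avc:  denied  { read } for  pid=6286 comm="iptables" name="xtables.lock" '
    'dev="tmpfs" ino=1366 scontext=system_u:system_r:svirt_lxc_net_t:s0:c336,c891 '
    'tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=0'
)

# Assumption of this example: the generic container domain names we treat as
# "a container process" when looking for the pattern described in the issue.
CONTAINER_DOMAINS = {'container_t', 'svirt_lxc_net_t'}

# "avc:  denied  { read write } for  <key=value ...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one kernel/auditd AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if fields.get('pid', '').isdigit() else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # A context is user:role:type:level; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the denial was actually enforced (the operation failed).
        'enforcing': fields.get('permissive') == '0',
    }


def is_container_iptables_denial(avc):
    """True when a container domain was denied access to iptables runtime state,
    i.e. the signature of the flannel failure described in the report."""
    return (
        avc is not None
        and avc['result'] == 'denied'
        and avc['source_type'] in CONTAINER_DOMAINS
        and avc['target_type'] == 'iptables_runtime_t'
    )


def suggested_allow_rule(avc):
    """The minimal TE allow rule covering this one denial, in the form audit2allow emits.
    Shown for comparison only; see the lead-in for why the domain transition is preferred."""
    perms = ' '.join(avc['perms'])
    if len(avc['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'], avc['tclass'], perms)


def triage(lines):
    """Run the detection over a sequence of log lines and return the matching denials."""
    hits = []
    for line in lines:
        avc = parse_avc(line)
        if is_container_iptables_denial(avc):
            hits.append(avc)
    return hits


if __name__ == '__main__':
    for hit in triage([SAMPLE_AUDIT_LINE, 'Jun 10 14:47:55 localhost kernel: unrelated message']):
        print('pid=%s comm=%s denied %s on %s (%s -> %s), enforcing=%s' % (
            hit['pid'], hit['comm'], hit['perms'], hit['name'],
            hit['source_type'], hit['target_type'], hit['enforcing']))
        print('audit2allow-style rule (for comparison):', suggested_allow_rule(hit))
```

Running the script on the sample line reports the iptables process in svirt_lxc_net_t being denied read on xtables.lock (labelled iptables_runtime_t) with enforcing=True, which is exactly the condition under which the flannel pod fails; the same `triage` function can be fed `journalctl -k` or `ausearch -m avc` output line by line to confirm whether the transition policy from the linked Flatcar issue has removed the denials.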