Bug 1130206

Summary: New policy for kubernetes and etcd
Product: [Fedora] Fedora Reporter: Eric Paris <eparis>
Component: selinux-policyAssignee: Jan Chaloupka <jchaloup>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dominick.grift, dwalsh, eparis, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 12:01:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1153036    
Bug Blocks:    

Description Eric Paris 2014-08-14 14:24:54 UTC
yum -y install dnf dnf-plugins-core
dnf copr enable walters/atomic-next
yum install -y etcd kubernetes

systemctl start etcd kube-apiserver kube-controller-manager kubelet kube-proxy

Create a file, apache.json with the following:

{
  "id": "apache",
  "desiredState": {
    "manifest": {
      "version": "v1beta1",
      "id": "apache-1",
      "containers": [{
        "name": "master",
        "image": "fedora/apache",
        "ports": [{
          "containerPort": 80,
          "hostPort": 80
        }]
      }]
    }
  },
  "labels": {
    "name": "apache"
  }
}

kubecfg -c apache.json create pods  (this one might take a bit)
kubecfg list pods
kubecfg list minions
kubecfg delete pods/apache
kubecfg list pods
kubecfg list minions

Comment 1 Eric Paris 2014-08-14 14:31:56 UTC
apiserver and controller manager should only need network access and read access to config files.  all output should be to stdout/stderr (which go back to systemd/journald)

etcd simlarly should only need network access, read only in /etc, plus write access in /var/lib/etcd/

proxy and kubelet I don't really know.  kubelet mostly just makes calls to docker, but it also needs to talk on the network and stuff.

Comment 2 Lukas Vrabec 2014-10-21 13:01:46 UTC
Hi everyone, 

What is state of this bug? 

I found this https://github.com/eparis/kubernetes-selinux

Eric, Can this be assigned to you?

Comment 3 Jaroslav Reznik 2015-03-03 17:03:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 4 Fedora End Of Life 2016-07-19 12:01:06 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.