diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go
index 86b4ccb00c..3381aa6f09 100644
--- a/internal/app/machined/pkg/system/services/etcd.go
+++ b/internal/app/machined/pkg/system/services/etcd.go
@@ -105,7 +105,7 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error {
 return err
 }
- client, err := containerdapi.New(constants.CRIContainerdAddress)
+ client, err := containerdapi.New(constants.SystemContainerdAddress)
 if err != nil {
 return err
 }
@@ -181,7 +181,7 @@ func (e *Etcd) Condition(r runtime.Runtime) conditions.Condition {
 // DependsOn implements the Service interface.
 func (e *Etcd) DependsOn(runtime.Runtime) []string {
- return []string{"cri"}
+ return []string{"containerd"}
 }
 // Runner implements the Service interface.
@@ -223,6 +223,7 @@ func (e *Etcd) Runner(r runtime.Runtime) (runner.Runner, error) {
 r.Config().Debug(),
 &args,
 runner.WithLoggingManager(r.Logging()),
+ runner.WithContainerdAddress(constants.SystemContainerdAddress),
 runner.WithNamespace(constants.SystemContainerdNamespace),
 runner.WithContainerImage(e.imgRef),
 runner.WithEnv(env),
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 4f5a9ed599..c18176901c 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -61,7 +61,7 @@ func (k *Kubelet) PreFunc(ctx context.Context, r runtime.Runtime) error {
 spec := specResource.TypedSpec()
- client, err := containerdapi.New(constants.CRIContainerdAddress)
+ client, err := containerdapi.New(constants.SystemContainerdAddress)
 if err != nil {
 return err
 }
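Review bot: The move of Etcd.PreFunc and Kubelet.PreFunc (and the matching Runner hunks on the next line) from `constants.CRIContainerdAddress` to `constants.SystemContainerdAddress` carries no comment on why these services leave the CRI containerd; the rationale only surfaces in the SELinux policy hunks, where a FIXME about the pod containerd exposing the etcd_t/kubelet_t domains is removed. A one-line comment next to the added `runner.WithContainerdAddress(...)` option, such as `// run under system containerd so the service domain is not reachable through the pod (CRI) containerd socket`, would keep that reasoning beside the code. Only the `containerdapi.New` call is visible in the PreFunc hunks; the client's close and the image-pull context are outside them, so confirm the pull context selects the same namespace the Runner already pins with `constants.SystemContainerdNamespace`, otherwise the image is fetched into a namespace the system containerd runner will not find. The `DependsOn` values `"cri"` and `"containerd"` are bare literals; if the services package has constants for service IDs, prefer those so the dependency edge cannot drift from the service name.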
@@ -102,7 +102,7 @@ func (k *Kubelet) Condition(r runtime.Runtime) conditions.Condition {
 // DependsOn implements the Service interface.
 func (k *Kubelet) DependsOn(runtime.Runtime) []string {
- return []string{"cri"}
+ return []string{"containerd"}
 }
 // Runner implements the Service interface.
@@ -167,6 +167,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 r.Config().Debug() && r.Config().Machine().Type() == machine.TypeWorker, // enable debug logs only for the worker nodes
 &args,
 runner.WithLoggingManager(r.Logging()),
+ runner.WithContainerdAddress(constants.SystemContainerdAddress),
 runner.WithNamespace(constants.SystemContainerdNamespace),
 runner.WithContainerImage(k.imgRef),
 runner.WithEnv(environment.Get(r.Config())),
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index 7a1c7a2827..4555a532e5 100644
Binary files a/internal/pkg/selinux/policy/policy.33 and b/internal/pkg/selinux/policy/policy.33 differ
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 58440404a1..8b9c641c46 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -15,16 +15,6 @@
 (typetransition pod_containerd_t containerd_state_t process pod_t)
 (allow pod_t containerd_state_t (file (entrypoint execute_no_trans)))
-(type etcd_t)
-(call pod_p (etcd_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
-(allow etcd_t containerd_state_t (file (entrypoint)))
-
-(type etcd_pki_t)
-(call protected_f (etcd_pki_t))
-(allow etcd_pki_t tmpfs_t (filesystem (associate)))
-(allow etcd_t etcd_pki_t (fs_classes (ro)))
-
 (type cni_conf_t)
 (call filesystem_f (cni_conf_t))
 (filecon "/etc/cni(/.*)?" any (system_u object_r cni_conf_t (systemLow systemLow)))
@@ -37,10 +27,6 @@
 (call filesystem_f (containerd_plugin_t))
 (filecon "/opt/containerd(/.*)?" any (system_u object_r containerd_plugin_t (systemLow systemLow)))
-(type etcd_data_t)
-(call protected_f (etcd_data_t))
-(allow etcd_t etcd_data_t (fs_classes (rw)))
-
 (type containerd_state_t)
 (call common_f (containerd_state_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
index d451bf6e61..045fd3e22e 100644
--- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil
+++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
@@ -1,7 +1,7 @@
 (type kubelet_t)
-(call pod_p (kubelet_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
-(allow kubelet_t containerd_state_t (file (entrypoint execute_no_trans)))
+(call system_container_p (kubelet_t))
+(allow kubelet_t system_var_t (file (entrypoint execute execute_no_trans)))
+(allow kubelet_t system_var_t (fs_classes (rw)))
 (type k8s_conf_t)
 (call filesystem_f (k8s_conf_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index c45640aac8..f0926394e3 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
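Review bot: `(allow kubelet_t system_var_t (fs_classes (rw)))` together with `(file (entrypoint execute execute_no_trans))` on `system_var_t` gives kubelet_t write access (whatever the `fs_classes (rw)` map expands to) and untransitioned execution over every object carrying that label, which is far broader than the single entrypoint/execute_no_trans rule on `containerd_state_t` it replaces; the same pair is added for etcd_t in system-containers.cil. If `system_var_t` also labels the state of other system containers, kubelet_t could read or modify their files, and the added `execute` permission lets the domain run any file under that label rather than only its entrypoint. etcd already carries narrower dedicated types (`etcd_data_t` rw, `etcd_pki_t` ro), so a kubelet-specific data type, e.g. `(type kubelet_data_t)` with `(call protected_f (kubelet_data_t))`, plus trimming the blanket rw/execute on `system_var_t` to what the container rootfs actually needs, would keep least privilege; if the broad rule is required, a comment stating why would help the next reader. Whether `system_container_p` restricts the domain transition to the system containerd, closing the risk the removed FIXME described, cannot be confirmed from this hunk.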
@@ -17,3 +17,17 @@
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
 (allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
+
+(type etcd_t)
+(call system_container_p (etcd_t))
+(allow etcd_t system_var_t (file (entrypoint execute execute_no_trans)))
+(allow etcd_t system_var_t (fs_classes (rw)))
+
+(type etcd_pki_t)
+(call protected_f (etcd_pki_t))
+(allow etcd_pki_t tmpfs_t (filesystem (associate)))
+(allow etcd_t etcd_pki_t (fs_classes (ro)))
+
+(type etcd_data_t)
+(call protected_f (etcd_data_t))
+(allow etcd_t etcd_data_t (fs_classes (rw)))
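Review bot: The relocated etcd_t block has no comment explaining why etcd is now a system container, while the FIXME it replaces in cri.cil spelled out the risk (anyone with access to the pod containerd could obtain the domain). A line above `(type etcd_t)` such as `; etcd runs under system containerd: system_container_p keeps etcd_t unreachable from the pod (CRI) containerd socket` would preserve that reasoning where the domain is defined. The `etcd_pki_t`/`etcd_data_t` rules are carried over unchanged, so the only new grants are the two `system_var_t` rules; noting in the same comment what on `system_var_t` etcd actually needs (its entrypoint, any writable rootfs paths) would make a later tightening straightforward.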