From ba485cb9da4c9f7db469c38672de772a43333ad2 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Thu, 28 Nov 2024 15:56:44 +0100
Subject: [PATCH] refactor: run kubelet and etcd in system containerd

This change allows us to ensure their contexts are protected by SELinux policy, as well as making CRI containerd only host containers managed by Kubernetes.
Signed-off-by: Dmitry Sharshakov
---
.../app/machined/pkg/system/services/etcd.go | 5 +++--
.../machined/pkg/system/services/kubelet.go | 5 +++--
internal/pkg/selinux/policy/policy.33 | Bin 27068 -> 27236 bytes
.../selinux/policy/selinux/services/cri.cil | 14 --------------
.../policy/selinux/services/kubelet.cil | 6 +++---
.../selinux/services/system-containers.cil | 14 ++++++++++++++
6 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go
index 86b4ccb00c..3381aa6f09 100644
--- a/internal/app/machined/pkg/system/services/etcd.go
+++ b/internal/app/machined/pkg/system/services/etcd.go
@@ -105,7 +105,7 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error {
 return err
 }
- client, err := containerdapi.New(constants.CRIContainerdAddress)
+ client, err := containerdapi.New(constants.SystemContainerdAddress)
 if err != nil {
 return err
 }
@@ -181,7 +181,7 @@ func (e *Etcd) Condition(r runtime.Runtime) conditions.Condition {
 // DependsOn implements the Service interface.
 func (e *Etcd) DependsOn(runtime.Runtime) []string {
- return []string{"cri"}
+ return []string{"containerd"}
 }
 // Runner implements the Service interface.
@@ -223,6 +223,7 @@ func (e *Etcd) Runner(r runtime.Runtime) (runner.Runner, error) {
 r.Config().Debug(),
 &args,
 runner.WithLoggingManager(r.Logging()),
+ runner.WithContainerdAddress(constants.SystemContainerdAddress),
 runner.WithNamespace(constants.SystemContainerdNamespace),
 runner.WithContainerImage(e.imgRef),
 runner.WithEnv(env),
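Review bot: `runner.WithContainerdAddress(constants.SystemContainerdAddress)` in Runner and the `containerdapi.New(constants.SystemContainerdAddress)` client in PreFunc each hard-code, independently, which containerd the image is pulled into and which one is asked to run it; nothing ties the two together, so a later edit to one of them leaves `e.imgRef` pulled into a different daemon than the one that starts the container. A comment on the PreFunc client, `// pull into system containerd: must match runner.WithContainerdAddress in Runner`, or a small shared helper returning both values, would make that coupling visible. The same pair of hunks appears in kubelet.go and has the same issue. Both PreFunc and Runner continue outside the hunks, so whether the client is closed after the pull is not visible here.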
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 4f5a9ed599..c18176901c 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -61,7 +61,7 @@ func (k *Kubelet) PreFunc(ctx context.Context, r runtime.Runtime) error {
 spec := specResource.TypedSpec()
- client, err := containerdapi.New(constants.CRIContainerdAddress)
+ client, err := containerdapi.New(constants.SystemContainerdAddress)
 if err != nil {
 return err
 }
@@ -102,7 +102,7 @@ func (k *Kubelet) Condition(r runtime.Runtime) conditions.Condition {
 // DependsOn implements the Service interface.
 func (k *Kubelet) DependsOn(runtime.Runtime) []string {
- return []string{"cri"}
+ return []string{"containerd"}
 }
 // Runner implements the Service interface.
@@ -167,6 +167,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 r.Config().Debug() && r.Config().Machine().Type() == machine.TypeWorker, // enable debug logs only for the worker nodes
 &args,
 runner.WithLoggingManager(r.Logging()),
+ runner.WithContainerdAddress(constants.SystemContainerdAddress),
 runner.WithNamespace(constants.SystemContainerdNamespace),
 runner.WithContainerImage(k.imgRef),
 runner.WithEnv(environment.Get(r.Config())),
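Review bot: `return []string{"containerd"}` in DependsOn drops the start-ordering on the cri service, yet kubelet still uses CRI containerd as its container runtime; the change only waits for the system containerd that now hosts the kubelet container itself. Unless Condition (which ends just above this hunk and is not visible) waits for the CRI socket, kubelet may be started before its runtime is up and spend its first minutes in restart back-off. If no such condition exists, `return []string{"containerd", "cri"}` keeps the old ordering while still running the container under system containerd. The equivalent change in etcd.go does not have this problem, since etcd does not talk to the CRI.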
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 7a1c7a28279fa21697ffa4c450583ce828d3d848..4555a532e532da02413146c669086ccb6c2047a2 100644 GIT binary patch delta 3837 zcmY*bS!i5k6h42_Oxh;RQk!OJ(#h5}YqKv+XRIqP@6bN>0{ zd-LcAbLXFfSs5kOHwLcNjhM4MS~p-$^P6>D<^+FPcdKHEh>ZN>FLvSF(xqpfOPsr~ zw7ywBFY}f9F%#hj_1DcjM;k7i1^&6A*_`2=#wIhvM_PCCRO8-VgQDy85xaO{b!oj= zq;q_;rHnsnoHP^sZ{uw<#UC^!%qia9JZBd9eDiTL&G(xFX4vtSf9P8iopIchb73m~DZW%WtVt?2in@@xmDOdc^tK?KV zZ(|{!cJ~~kY&pMB_g7^(mAihT6mx7vPRQAd*qpTmO08r<0%Z!m{jSqY+9GEZ5TPmZ z$+>_iBSI0{VReeA$P+B;0>L-BYjZ=CMu5NRt_?u|FXAyfKu6>xWo;qx7oi&K5h(-m zoQzbtlO8#2UkN;+fIKBU-Q%wvmu8l@8d0}E6jkfUH!}H3Pe}+NlnYTw187Ma0idW3 zGCW-ZPo}M7I8#n7&;qscy`H)pc(hXfwWqWOo)kJ*AGg-%fJL6sC4v` z(wt&fUPy-}oRKz>Lt8KSO5q3uXMiE%zmv3>XzzBb-mzGa%QQNKnEJh~VlN!L?eTmYoU`2nv3=QfI#efE-A@ zE2SeTskYzQall-83a4pD>1<(~9@vPxLHMg9wfyIi+AQF`pLYj3D?nZa1!tujTvzc# zz+Vhq?Io(S0r_fRtaz)?PWuTxyB4`JSXu#8PFYki%SZ_82T|JjSg9U2To)6MNH!^Hxak+a-#~VbsV4ruI()4Ne(iK!Wa44xL+VO1#>~ZmBK}Xe2^kjnI|O9`X*EN8%;s*wdS^xmPG5|5UtlTG@(q=(_$jZYh zV3N|GN-3vb06^y+I!e6=Eosprjkx+iSc@znjty5kH>@@< zAftsLPDo;?RW~TY=%q3(cfQ4(-yhyH6&BiMNL}(5gnLa5X{rsTNHLjBtr&?yzD&>f zh9zN4U;+OU5% zn9U)1v`es+OjGyvcG~WKF(CU5#`5PZ2&E%BrW8aHN&~>;<#oFJJQptLc)OkUlNps? 
zP_K^+I^(B}4|}?^Lk3QB4tstkVmh)@H3rZDor3Z7k5eCN)XspdN(hXirhtwK(^ELa zJZ%byBTytPKp=n`%t}z)&~qXObG1nT-8-&cMk_uTjVZCmuWS6E3IONLL1}es$fY;9 zrBt7!Nw<1r+G&kZP50f!(O5Y*#B9H_@~ue zE?g<$w-UMBF7JmcxjdVCi`MU=bxS_Iv9^uBUMc3W)ouLS%1*wzn#XyosdtNgPs{te zwLE@lb>}tt`W^XLnaJZWR(l-vt%+g@k|zm$o~YrIi6Xv}$mh%QhO@U5DQBN07CE?9 V!1ZfIe0wb)>BlSYKD&0@{0BJutv&z% delta 3755 zcmYjUOKenS6h8lyj+74V6#5uSVcKa6mg)Qbpq-)9CluNu!=tpFq0^aZL6Aj_8e;}y zVxm!lp2WB?5tb?>8WIu`O$@kW;X>kq7>NlBU6^QMqDBdx@AjTMcW#>b??319o$q}A zxwnrWn6JJ!U;KNZ(EE-5*Rc=66K0hs!=vUjza8#3&+)zR^*s|rWaJN@)TQ;r<>z0_ zu3t)QY{fml-aKuRe82fav&<_kFPQ{CY-u+OT-@4b&hkiCCC|6++dVF}?ii^TE@cuM zRkFLp*E*~DM(eDZ=l@!7niKq4Th^T79qkL|9A9idV$SfL_K2CZVwHA$XJY)QW5pci z`(4$%*cmg65}|kZm@7kiBej~id|^GY;gj9t{72`EnHK+p<|x0~)n-oe=UqWFBN2x9 zZuf4k>%MM|@xAW1_-?qIlRa;kS$^EpZsJ_gn=&i>N^itW@txjleJ7=egk1Gf&C^Jb zVse$c)^+x}jLPVYy&j{Te6_ElEKV26Lw?E%Cj36bxBG%eQk0@z+cHT>>a*8-X)hJZ z8m#%nT5Z~>&Dn3E7H2I;c&@)L7o#zHM!a4Q|6PmN&)V@uY1D~*oQ^wwKyuc$nWH%; zPn;IWEBk(;E!eNMY;v?nCGuyeKycN_r5Ir&Oyn$D;uNR-VpJ+daXLjlS<@8~vZiR8 zte-@l8rTG64H{A4UTdARC>^x-0dB!wgZ2h%{j>l8eB!kv@zDY$XPK6l9V0k&+s-iB z=UOW`00Ov8Kt8RQD&%rkripoYpuq=PH85WsXhqdLXBG87_egj zwssiu({)HZZF2d?pKdNBFpgTqM}>JUIM4G^c3P8DDY41gursGQNs({>WrAjv0kQsZLn zk+poHTsPdF163*tto3vwK!qIufwh&eQS<<)Qw8>OwmtS0Y(nOPP>Y0Kv|dFA35gA+ zM2;rpQW~;CvsN)nR$nlByio~*lYU4d!C3=A4@x=oqluvnBz`UO#L}W3TmYT2fsPUf zM=Fa^liexq9%(E@m;f)2^bL*ExC0E1QO9xAVG7=EcI<(`zl==hz=Zy`O;%bY7**zu zxwM2>x*vDV59mib(?K0hoJE<~C=vt#-w7LEc9SfAC$cArn0i=~c|tvisrz$s?6pe= z=ztR+HmZLRt!uv<+Q$~7nQJhVJfUb3dmC^9#bl6&Jb;K>Bej7NnS}bem8C})` zlyU(_d`*s1FM0XfXjuZ!5yb$o+HoiWF)<}DWYq@E(fFOz>EJ|hs=#`o$Zi_f9KwW} zvWNmc*eM}R)TDM2HQ_W1ST!FW1}cC>d3363qe4Dj2S#mWYopQ7W}6pqu}>eWI7j+^ zf#UGoLUAxsBBP>JO#nbz5NwnfkfiEtrB(+VY!o!s`CL-Jb{0RVGpf`lb&*(Tm1P2F zNWdAX3{ujL2Px>-fC&W$g`i>?PBbZ(#zA}wL{4TVs@F4uld5!Ka42f9g4YYMf;K6* zSYGEIJgodyvRay#OOpX;pX_5k!&j>Zi?f;lAlx+SJ{|zNhK=eYN#~rI9T6>~-*F<| zh&5V6LX&`11zSzk4yY8Zs=q*4To+0ba3Z zQ!sfHqiRP5IxqSB`2HMlYwoCw7kwi|v>E1Qy$Lv_)a>2 
zZ{z1<>3TMq0N+gexG@ueYa|nbO94rxkJ2H2KU2kX=S%o@rjnDH5`LJe^wSj_SR7e= z{KQwYAr56L`FAmxu)oh|2gR|JZ^`{qc02!&t+Mj`Bj4B7N2{s(;7hjIV_
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 58440404a1..8b9c641c46 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -15,16 +15,6 @@
 (typetransition pod_containerd_t containerd_state_t process pod_t)
 (allow pod_t containerd_state_t (file (entrypoint execute_no_trans)))
-(type etcd_t)
-(call pod_p (etcd_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
-(allow etcd_t containerd_state_t (file (entrypoint)))
-
-(type etcd_pki_t)
-(call protected_f (etcd_pki_t))
-(allow etcd_pki_t tmpfs_t (filesystem (associate)))
-(allow etcd_t etcd_pki_t (fs_classes (ro)))
-
 (type cni_conf_t)
 (call filesystem_f (cni_conf_t))
 (filecon "/etc/cni(/.*)?" any (system_u object_r cni_conf_t (systemLow systemLow)))
@@ -37,10 +27,6 @@
 (call filesystem_f (containerd_plugin_t))
 (filecon "/opt/containerd(/.*)?" any (system_u object_r containerd_plugin_t (systemLow systemLow)))
-(type etcd_data_t)
-(call protected_f (etcd_data_t))
-(allow etcd_t etcd_data_t (fs_classes (rw)))
-
 (type containerd_state_t)
 (call common_f (containerd_state_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
index d451bf6e61..045fd3e22e 100644
--- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil
+++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
@@ -1,7 +1,7 @@
 (type kubelet_t)
-(call pod_p (kubelet_t))
-; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
-(allow kubelet_t containerd_state_t (file (entrypoint execute_no_trans)))
+(call system_container_p (kubelet_t))
+(allow kubelet_t system_var_t (file (entrypoint execute execute_no_trans)))
+(allow kubelet_t system_var_t (fs_classes (rw)))
 (type k8s_conf_t)
 (call filesystem_f (k8s_conf_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index c45640aac8..f0926394e3 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -17,3 +17,17 @@
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
 (allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
+
+(type etcd_t)
+(call system_container_p (etcd_t))
+(allow etcd_t system_var_t (file (entrypoint execute execute_no_trans)))
+(allow etcd_t system_var_t (fs_classes (rw)))
+
+(type etcd_pki_t)
+(call protected_f (etcd_pki_t))
+(allow etcd_pki_t tmpfs_t (filesystem (associate)))
+(allow etcd_t etcd_pki_t (fs_classes (ro)))
+
+(type etcd_data_t)
+(call protected_f (etcd_data_t))
+(allow etcd_t etcd_data_t (fs_classes (rw)))
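Review bot: `(allow kubelet_t system_var_t (fs_classes (rw)))` next to `(allow kubelet_t system_var_t (file (entrypoint execute execute_no_trans)))` gives the kubelet domain write access to the very type it is allowed to execute and enter from, and the same two rules are granted to etcd_t in system-containers.cil, so each of the two domains can modify files the other one executes; that is a narrower form of the concern the removed FIXME described rather than its removal. If system_var_t covers both the container rootfs and the services' state directories (not visible here), carving the writable state out under a per-service type, as `etcd_data_t` already does for etcd, and leaving system_var_t execute-only for these domains would keep kubelet_t and etcd_t separated from each other. The system_container_p macro is not in the diff, so any further access it grants cannot be judged from here.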
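Review bot: The three-rule block `(call system_container_p (etcd_t))`, `(allow etcd_t system_var_t (file (entrypoint execute execute_no_trans)))`, `(allow etcd_t system_var_t (fs_classes (rw)))` is now repeated verbatim for etcd_t here and for kubelet_t in kubelet.cil; if system_container_p is a macro defined in this policy (its definition is not in the diff), folding the two allow rules into it or into a sibling macro keeps that grant in one place so the domains cannot drift apart. A one-line comment above `(type etcd_t)`, e.g. `; etcd runs as a system container; its pki/data rules are unchanged from the former cri.cil placement`, would also record why the FIXME that accompanied these rules in cri.cil no longer applies.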