Skip to content

kubeadm: bump versions#297

Merged
tormath1 merged 4 commits intoflatcar-masterfrom
tormath1/kubeadm
Feb 22, 2022
Merged

kubeadm: bump versions#297
tormath1 merged 4 commits intoflatcar-masterfrom
tormath1/kubeadm

Conversation

@tormath1
Copy link
Copy Markdown
Contributor

@tormath1 tormath1 commented Feb 21, 2022
edited
Loading

in this PR, we officially bump Kubernetes tested versions. From what I understood, Kubernetes was already pulling stable version for the images, so it's only an update of the binaries (kubeadm, kubelet, etc.).

CNI version has been upgraded to 1.0.1 - since 1.0.0 Flannel plugin has been moved to its own repository and it's being installed by an init-container in the kube-flannel.yml plugin.

This leads to an issue when trying to copy CNI plugin from the container to /opt/cni because from a SELinux PoV labels are mismatching between hosts and container and this can be added to Flatcar virt policy in a second time. (see also: flatcar/Flatcar#635)

The latest commit kubeadm/template: update /opt/cni SELinux label type can be dropped once the patch has been applied on every channel.

Testing done

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)

@tormath1
kola/test/kubeadm: bump kubernetes versions
ee734fd 
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1
kola/test/kubeadm: bump CNI and Flannel version
40dad7d 
main change is that flannel CNI plugin is no more provided by CNI
plugins.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1
kubeadm/template: update /opt/cni SELinux label type
f5587c1 
this is required since recent Flannel installs its CNI by copying from
container to host system.

without the right label on `/opt/cni` the copy fails with SELinux in
enforcing mode because the label does not match.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 self-assigned this Feb 21, 2022
@tormath1
changelog: add entry
4bd24c5 
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 mentioned this pull request Feb 22, 2022
Open
@tormath1 tormath1 marked this pull request as ready for review February 22, 2022 09:08
@tormath1 tormath1 requested a review from a team February 22, 2022 09:08
jepio
jepio approved these changes Feb 22, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@jepio jepio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change itself is good, but I wonder about /usr/bin/chcon -R /opt/cni -t svirt_lxc_file_t: is this likely something users might also need to set when they deploy with kubeadm? If so then we should add it to our selinux docs (if we have some, otherise let's start some :) )

@tormath1
Copy link
Copy Markdown
Contributor Author

tormath1 commented Feb 22, 2022

@jepio - thanks for the review ! There is a SELinux doc (a bit outdated but not on the commands: https://www.flatcar.org/docs/latest/setup/security/selinux/).

is this likely something users might also need to set when they deploy with kubeadm.

I would say "Yes" under these two conditions:

  • SELinux in enforcing mode (Flatcar is shipped in permissive mode)
  • Flannel CNI >= 0.15.0

If so then we should add it to our selinux docs

I opened a GH issue to track that: flatcar/Flatcar#635, this is something we should fix in the OS. The issue also mentions the mitigation, so I'm not sure it requires a dedicated documentation. What do you think ?

@jepio
Copy link
Copy Markdown
Member

jepio commented Feb 22, 2022

Then atleast link the issue from the limitations section?

@tormath1 tormath1 mentioned this pull request Feb 22, 2022
Merged
@tormath1
Copy link
Copy Markdown
Contributor Author

tormath1 commented Feb 22, 2022

@jepio done in: flatcar-archive/flatcar-docs#212. Merging this PR.

@tormath1 tormath1 merged commit 9113c13 into flatcar-master Feb 22, 2022
@tormath1 tormath1 deleted the tormath1/kubeadm branch February 22, 2022 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jepio jepio jepio approved these changes

Assignees

@tormath1 tormath1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tormath1 @jepio