Project: Cloud Infrastructure Security & Compliance
Issue: CMP-3628

Need to exclude the kubelet daemon from the check that no daemon is running in unconfined_t


    • Quality / Stability / Reliability
    • Important

Description of problem:

Customer just upgraded to 0.1.61 on OpenShift version 4.12.26.

The rhcos4-selinux-confinement-of-daemons rule has been disabled in this release, meaning that any daemon could be running in unconfined_t and we would not fail a compliance check for it. The customer does not have any operational issues; it is more of a security concern that this rule has been fully disabled rather than fixed to allow kubelet to run in unconfined_t.

The issues I linked mentioned that it is a goal to turn rhcos4-selinux-confinement-of-daemons back on and make an exception for the kubelet process, but I have not seen this issue tracked anywhere, so I made a ticket to get an update on this.

Slack Discussion Tracker: https://redhat-internal.slack.com/archives/CHCRR73PF/p1692096177479849

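As an added illustration (not the ticket's own text and not code from the Compliance Operator or ComplianceAsCode), a POSIX sh check in the spirit of the rule the ticket describes: it reports processes whose SELinux domain is unconfined_t but keeps an allow list so that kubelet is tolerated. The `ps -eZ` column layout, the allow list and the sample process table are assumptions.

```shell
# Added example, not the project's code: report unconfined_t processes with
# an exception for kubelet (the change the ticket asks the rule to make).

# Command names allowed to run in unconfined_t (assumption: only kubelet).
ALLOWED_UNCONFINED="kubelet"

# Read `ps -eZ`-style lines (LABEL PID TTY TIME CMD) on stdin and print
# "pid cmd" for every unconfined_t process that is not on the allow list.
find_unconfined_daemons() {
    while read -r label pid _tty _time cmd; do
        # Skip the header and anything that is not a user:role:type:level label.
        case "$label" in *:*:*:*) ;; *) continue ;; esac
        # The domain type is the third colon-separated field of the label.
        domain=$(printf '%s' "$label" | cut -d: -f3)
        [ "$domain" = "unconfined_t" ] || continue
        allowed=0
        for name in $ALLOWED_UNCONFINED; do
            [ "$cmd" = "$name" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || printf '%s %s\n' "$pid" "$cmd"
    done
}

# Constructed sample in the shape of `ps -eZ` output (not a real capture):
# kubelet is unconfined and tolerated; custom-agent and bash are reported.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:03 systemd
system_u:system_r:unconfined_t:s0 1100 ? 00:05:12 kubelet
system_u:system_r:container_runtime_t:s0 1200 ? 00:01:00 crio
system_u:system_r:unconfined_t:s0 2300 ? 00:00:01 custom-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4100 pts/0 00:00:00 bash'

# Run the check over the sample; swap in `ps -eZ` to check a live node.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_unconfined_daemons
}

# Report findings; a non-empty list is a compliance failure (exit 1).
main() {
    findings=$(check_sample)
    if [ -n "$findings" ]; then
        printf 'unconfined_t processes outside the allow list:\n%s\n' "$findings"
        return 1
    fi
    echo "no unexpected unconfined_t processes"
}
case "${1:-}" in --check) main ;; esac
```

Run it with `--check` to see the sample findings; on a real node replace `check_sample` with `ps -eZ | find_unconfined_daemons`.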

Unassigned
Mithilesh Bagga (Inactive) (rhn-support-mbagga)
Xiaojie Yuan
Maria Simon Marcos
Votes: 0
Watchers: 6