Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.16.0
Affects Version/s: 4.15.z
Component/s: Node / Kubelet
Labels:
- triaged

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.16.0
Target Backport Versions:

4.13.z, 4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

The kubelet is running with `unconfined_service_t`. It should run as `kubelet_exec_t`. This is causing all our plugins to fail because of Selinux denial.

sh-5.1# ps -AZ | grep kubelet
system_u:system_r:unconfined_service_t:s0 8719 ? 00:24:50 kubelet

This issue was previously observed and resolved in 4.14.10.

Version-Release number of selected component (if applicable):

OCP 4.15

How reproducible:

Run ps -AZ | grep kubelet to see kubelet running with wrong label

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

    Kubelet is running as unconfined_service_t

Expected results:

    Kubelet should run as kubelet_exec_t

Additional info:

is depended on by

OCPBUGS-31576 SELinux: kubelet running with wrong label [release-4.15]

Closed

links to

openshift/machine-config-operator#4287: OCPBUGS-31376: kubelet: restorecon necessary files on kubelet's prestart

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Assignee:: Ryan Phillips

Reporter:: Hersh Pathak

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/03/25 5:25 PM

Updated:: 2024/04/09 8:43 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates