Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 4.16.0
Affects Version/s: 4.15.z
Component/s: Node / Kubelet
Labels:
- pre-merge-verify-node
- triaged

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.15.z
Target Backport Versions:

4.13.z, 4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

The kubelet is running with `unconfined_service_t`. It should run as `kubelet_exec_t`. This is causing all our plugins to fail because of Selinux denial.

sh-5.1# ps -AZ | grep kubelet
system_u:system_r:unconfined_service_t:s0 8719 ? 00:24:50 kubelet

This issue was previously observed and resolved in 4.14.10.

Version-Release number of selected component (if applicable):

OCP 4.15

How reproducible:

Run ps -AZ | grep kubelet to see kubelet running with wrong label

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

    Kubelet is running as unconfined_service_t

Expected results:

    Kubelet should run as kubelet_exec_t

Additional info:

blocks

OCPBUGS-31731 SELinux: kubelet running with wrong label [release-4.15]

Verified

depends on

OCPBUGS-31376 SELinux: kubelet running with wrong label

Verified

is cloned by

OCPBUGS-31731 SELinux: kubelet running with wrong label [release-4.15]

Verified

links to

openshift/machine-config-operator#4297: [release-4.15]: OCPBUGS-31576: kubelet: restorecon necessary files on kubelet's prestart

Assignee:: Node Team Bot Account

Reporter:: Hersh Pathak

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/04/01 2:37 PM

Updated:: 2024/04/15 9:42 PM

Resolved:: 2024/04/15 9:42 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates