Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: None
Affects Version/s: 4.15.z
Component/s: Node / Kubelet
Labels:
- pre-merge-verify-node
- triaged

Severity:
Important
Regression:
No
Blocked:
False
Release Note Text:
Fixed kubelet selinux labels on restart.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
Target Version:

4.14.z
Target Backport Versions:

4.13.z, 4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-31576~~. The following is the description of the original issue:
—
Description of problem:

The kubelet is running with `unconfined_service_t`. It should run as `kubelet_exec_t`. This is causing all our plugins to fail because of Selinux denial.

sh-5.1# ps -AZ | grep kubelet
system_u:system_r:unconfined_service_t:s0 8719 ? 00:24:50 kubelet

This issue was previously observed and resolved in 4.14.10.

Version-Release number of selected component (if applicable):

OCP 4.15

How reproducible:

Run ps -AZ | grep kubelet to see kubelet running with wrong label

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

    Kubelet is running as unconfined_service_t

Expected results:

    Kubelet should run as kubelet_exec_t

Additional info:

clones

OCPBUGS-31576 SELinux: kubelet running with wrong label [release-4.15]

Closed

is blocked by

OCPBUGS-31576 SELinux: kubelet running with wrong label [release-4.15]

Closed

links to

openshift/machine-config-operator#4307: [release-4.14]: OCPBUGS-31731: kubelet: restorecon necessary files on kubelet's prestart

RHSA-2024:1891 OpenShift Container Platform 4.14.z security update

Assignee:: Node Team Bot Account

Reporter:: OpenShift Prow Bot

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/04/04 7:42 AM

Updated:: 2024/09/19 3:33 AM

Resolved:: 2024/09/19 3:33 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates