Loading...

XML

Word

Printable

Test Coverage:

-
Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
The selinux_confinement_of_daemons rule failed running on the kubelet because of the permissions necessary for the kubelet to run.

This rule is used in RHCOS profiles and is being temporarily disabled because of the permissions required by the kubelet to run properly.

Show
The selinux_confinement_of_daemons rule failed running on the kubelet because of the permissions necessary for the kubelet to run. This rule is used in RHCOS profiles and is being temporarily disabled because of the permissions required by the kubelet to run properly.
Release Note Type:
Bug Fix
Internal Whiteboard:

Description of problem:

In OCP 4.12 cluster, kubelet service is running with unconfined_service_t instead of container_runtime

Version-Release number of selected component (if applicable):

$ kubelet --version
Kubernetes v1.25.2+5497c42

How reproducible:

After running command "sudo ps -eZ | grep "unconfined_service_t"" on both master and worker nodes in OCP 4.12 cluster

Steps to Reproduce:

1. oc debug node/<nodename>
2. sudo ps -eZ | grep "unconfined_service_t"

Actual results:

$ sudo ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 1412919 ? 00:57:57 kubelet

Expected results:

$ sudo ps -eZ | grep "unconfined_service_t"
system_u:system_r:container_runtime_t:s0 1412919 ? 00:57:57 kubelet

Additional info:

links to

pull request

mentioned on