From aafa38476ac0ad9a5cba75e744a3e9badd8f9480 Mon Sep 17 00:00:00 2001 From: Bo Huang Date: Wed, 19 Aug 2020 21:18:10 -0700 Subject: [PATCH] Fix SELinux race condition on non-bootstrap controllers in multi-controller (#808) * Fix race condition for bootstrap-secrets SELinux context on non-bootstrap controllers in multi-controller FCOS clusters * On first boot from disk on non-bootstrap controllers, adding bootstrap-secrets races with kubelet.service starting, which can cause the secrets assets to have the wrong label until kubelet.service restarts (service, reboot, auto-update) * This can manifest as `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler` pods crashlooping on spare controllers on first cluster creation --- CHANGES.md | 6 +++++- aws/fedora-coreos/kubernetes/fcc/controller.yaml | 1 + azure/fedora-coreos/kubernetes/fcc/controller.yaml | 1 + bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml | 1 + digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml | 1 + google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml | 1 + 6 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 3b7952e2..fc9b7d13 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -4,7 +4,11 @@ Notable changes between versions. ## Latest -### v1.18.8 +### Fedora CoreOS + +* Fix SELinux label of bootstrap-secrets on non-bootstrapping controllers ([#808](https://github.com/poseidon/typhoon/pull/808)) + +## v1.18.8 * Kubernetes [v1.18.8](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1188) * Migrate from Terraform v0.12.x to v0.13.x ([#804](https://github.com/poseidon/typhoon/pull/804)) (**action required**) diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml index eff6fff7..0b04e113 100644 --- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml @@ -160,6 +160,7 @@ storage: mv manifests /opt/bootstrap/assets/manifests mv manifests-networking/* /opt/bootstrap/assets/manifests/ rm -rf assets auth static-manifests tls manifests-networking + chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets - path: /opt/bootstrap/apply mode: 0544 contents: diff --git a/azure/fedora-coreos/kubernetes/fcc/controller.yaml b/azure/fedora-coreos/kubernetes/fcc/controller.yaml index 6949ba04..8e90442f 100644 --- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml @@ -159,6 +159,7 @@ storage: mv manifests /opt/bootstrap/assets/manifests mv manifests-networking/* /opt/bootstrap/assets/manifests/ rm -rf assets auth static-manifests tls manifests-networking + chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets - path: /opt/bootstrap/apply mode: 0544 contents: diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml index 4fa1342f..9ca7657b 100644 --- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml @@ -170,6 +170,7 @@ storage: mv manifests /opt/bootstrap/assets/manifests mv manifests-networking/* /opt/bootstrap/assets/manifests/ rm -rf assets auth static-manifests tls manifests-networking + chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets - path: /opt/bootstrap/apply mode: 0544 contents: diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml index 7e404fc2..e7278672 100644 --- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml @@ -166,6 +166,7 @@ storage: mv manifests /opt/bootstrap/assets/manifests mv manifests-networking/* /opt/bootstrap/assets/manifests/ rm -rf assets auth static-manifests tls manifests-networking + chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets - path: /opt/bootstrap/apply mode: 0544 contents: diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml index 5dbf6a4e..a3ac0401 100644 --- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml @@ -159,6 +159,7 @@ storage: mv manifests /opt/bootstrap/assets/manifests mv manifests-networking/* /opt/bootstrap/assets/manifests/ rm -rf assets auth static-manifests tls manifests-networking + chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets - path: /opt/bootstrap/apply mode: 0544 contents: