mirror of
https://github.com/puppetmaster/typhoon.git
synced 2024-12-25 18:49:33 +01:00
Fix SELinux race condition on non-bootstrap controllers in multi-controller (#808)
* Fix race condition for bootstrap-secrets SELinux context on non-bootstrap controllers in multi-controller FCOS clusters * On first boot from disk on non-bootstrap controllers, adding bootstrap-secrets races with kubelet.service starting, which can cause the secrets assets to have the wrong label until kubelet.service restarts (service, reboot, auto-update) * This can manifest as `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler` pods crashlooping on spare controllers on first cluster creation
This commit is contained in:
parent
9a07f1d30b
commit
aafa38476a
@ -4,7 +4,11 @@ Notable changes between versions.
|
|||||||
|
|
||||||
## Latest
|
## Latest
|
||||||
|
|
||||||
### v1.18.8
|
### Fedora CoreOS
|
||||||
|
|
||||||
|
* Fix SELinux label of bootstrap-secrets on non-bootstrapping controllers ([#808](https://github.com/poseidon/typhoon/pull/808))
|
||||||
|
|
||||||
|
## v1.18.8
|
||||||
|
|
||||||
* Kubernetes [v1.18.8](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1188)
|
* Kubernetes [v1.18.8](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1188)
|
||||||
* Migrate from Terraform v0.12.x to v0.13.x ([#804](https://github.com/poseidon/typhoon/pull/804)) (**action required**)
|
* Migrate from Terraform v0.12.x to v0.13.x ([#804](https://github.com/poseidon/typhoon/pull/804)) (**action required**)
|
||||||
|
@ -160,6 +160,7 @@ storage:
|
|||||||
mv manifests /opt/bootstrap/assets/manifests
|
mv manifests /opt/bootstrap/assets/manifests
|
||||||
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
||||||
rm -rf assets auth static-manifests tls manifests-networking
|
rm -rf assets auth static-manifests tls manifests-networking
|
||||||
|
chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
|
@ -159,6 +159,7 @@ storage:
|
|||||||
mv manifests /opt/bootstrap/assets/manifests
|
mv manifests /opt/bootstrap/assets/manifests
|
||||||
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
||||||
rm -rf assets auth static-manifests tls manifests-networking
|
rm -rf assets auth static-manifests tls manifests-networking
|
||||||
|
chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
|
@ -170,6 +170,7 @@ storage:
|
|||||||
mv manifests /opt/bootstrap/assets/manifests
|
mv manifests /opt/bootstrap/assets/manifests
|
||||||
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
||||||
rm -rf assets auth static-manifests tls manifests-networking
|
rm -rf assets auth static-manifests tls manifests-networking
|
||||||
|
chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
|
@ -166,6 +166,7 @@ storage:
|
|||||||
mv manifests /opt/bootstrap/assets/manifests
|
mv manifests /opt/bootstrap/assets/manifests
|
||||||
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
||||||
rm -rf assets auth static-manifests tls manifests-networking
|
rm -rf assets auth static-manifests tls manifests-networking
|
||||||
|
chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
|
@ -159,6 +159,7 @@ storage:
|
|||||||
mv manifests /opt/bootstrap/assets/manifests
|
mv manifests /opt/bootstrap/assets/manifests
|
||||||
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
mv manifests-networking/* /opt/bootstrap/assets/manifests/
|
||||||
rm -rf assets auth static-manifests tls manifests-networking
|
rm -rf assets auth static-manifests tls manifests-networking
|
||||||
|
chcon -R -u system_u -t container_file_t /etc/kubernetes/bootstrap-secrets
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
|
Loading…
Reference in New Issue
Block a user