Fix bootstrap mount to use shared volume SELinux label

* Race: During initial bootstrap, static control plane pods could hang with Permission denied to bootstrap secrets. A manual fix involved restarting Kubelet, which relabeled mounts The race had no effect on subsequent reboots. * bootstrap.service runs podman with a private unshared mount of /etc/kubernetes/bootstrap-secrets which uses an SELinux MCS label with a category pair. However, bootstrap-secrets should be shared as its mounted by Docker pods kube-apiserver, kube-scheduler, and kube-controller-manager. Restarting Kubelet was a manual fix because Kubelet relabels all /etc/kubernetes * Fix bootstrap Pod to use the shared volume label, which leaves bootstrap-secrets files with SELinux level s0 without MCS * Also allow failed bootstrap.service to be re-applied. This was missing on bare-metal and AWS
2025-08-11 13:26:04 +02:00 · 2020-04-19 16:14:16 -07:00
parent 2b1b918b43
commit feac94605a
6 changed files with 9 additions and 5 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -13,6 +13,8 @@ Notable changes between versions.

 ### Fedora CoreOS

+* Fix race condition during bootstrap related to SELinux shared content label ([#708](https://github.com/poseidon/typhoon/pull/708))
+
 #### Azure

 * Add support for Fedora CoreOS ([#704](https://github.com/poseidon/typhoon/pull/704))