From a69ac0bfbe5ac2451722f065d5ac738143bcd9be Mon Sep 17 00:00:00 2001
From: "Rostislav M. Georgiev"
Date: Thu, 4 Oct 2018 05:18:00 +0300
Subject: [PATCH] install-kubeadm: Extend set SELinux in permissive mode (#10150)

The CentOS/RHEL/... section mentions that SELinux must be put in permissive mode, but the supplied command does the job only for the current boot. Once the system is restarted SELinux can again enter enforcing mode, thus breaking a Kubernetes cluster.

Fix this by adding a sed command that permanently changes the SELinux mode to permissive.

Signed-off-by: Rostislav M. Georgiev
---
 content/en/docs/setup/independent/install-kubeadm.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/setup/independent/install-kubeadm.md b/content/en/docs/setup/independent/install-kubeadm.md
index d59c613c1d..b9e9025609 100644
--- a/content/en/docs/setup/independent/install-kubeadm.md
+++ b/content/en/docs/setup/independent/install-kubeadm.md
@@ -147,14 +147,20 @@ repo_gpgcheck=1 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg exclude=kube* EOF + +# Set SELinux in permissive mode (effectively disabling it) setenforce 0 +sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config + yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes + systemctl enable kubelet && systemctl start kubelet ``` **Note:** - - Disabling SELinux by running `setenforce 0` is required to allow containers to access the host filesystem, which is required by pod networks for example. + - Setting SELinux in permissive mode by running `setenforce 0` and `sed ...` effectively disables it. + This is required to allow containers to access the host filesystem, which is needed by pod networks for example. You have to do this until SELinux support is improved in the kubelet. - Some users on RHEL/CentOS 7 have reported issues with traffic being routed incorrectly due to iptables being bypassed. You should ensure `net.bridge.bridge-nf-call-iptables` is set to 1 in your `sysctl` config, e.g.
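Review bot: the added `sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config` only rewrites a line that is exactly `SELINUX=enforcing`, so a config whose line has trailing whitespace, or that is already `SELINUX=disabled`, is left untouched and the "permanent" change silently does not happen; either loosen the anchor (e.g. `s/^SELINUX=.*/SELINUX=permissive/`) or add a verification step such as `getenforce` and `grep '^SELINUX=' /etc/selinux/config` so the reader can confirm the mode survives a reboot. Two smaller points in the same hunk: the new Note text refers to "`sed ...`", which is not something a reader can copy, so quote the actual command or name `/etc/selinux/config`; and the comment `effectively disabling it` is accurate for enforcement but permissive mode still records AVC denials in the audit log, which is worth saying because those denials are exactly what an operator should keep watching while this workaround is in place.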