SELinux Overview

SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised.

Enabling SELinux in container runtime provides an additional security control to help further enforce isolation among deployed containers and the host.

This guide describes how to enable SELinux in Kubernetes environment provided by k0s on CentOS and Red Hat Enterprise Linux (RHEL).

Requirements

  • SELinux is enabled on host OS of the worker nodes.
  • SELinux has the container-selinux policy installed.
  • SELinux labels are correctly set for k0s installation files of the worker nodes.
  • SELinux is enabled in container runtime such as containerd on the worker nodes.

Check whether SELinux is enabled on host OS

SELinux is enabled on CentOS and RHEL by default. Below command output indicates SELinux is enabled.

  1. $ getenforce
  2. Enforcing

Install container-selinux

It is required to have container-selinux installed. In most Fedora based distributions including Fedora 37, Red Hat Enterprise Linux 7, 8 and 8, CentOS 7 and 8 and Rocky Linux 9 this can be achieved by installing the package container-selinux.

In RHEL 7 and CentOS 7 this is achieved by running:

  1. yum install -y container-selinux

In the rest of the metnioned distributions run:

  1. dnf install -y container-selinux

Set SELinux labels for k0s installation files

Run below commands on the host OS of the worker nodes.

  1. DATA_DIR="/var/lib/k0s"
  2. sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/containerd.*"
  3. sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/runc"
  4. sudo restorecon -R -v ${DATA_DIR}/bin
  5. sudo semanage fcontext -a -t container_var_lib_t "${DATA_DIR}/containerd(/.*)?"
  6. sudo semanage fcontext -a -t container_ro_file_t "${DATA_DIR}/containerd/io.containerd.snapshotter.*/snapshots(/.*)?"
  7. sudo restorecon -R -v ${DATA_DIR}/containerd

Enable SELinux in containerd of k0s

Add below lines to /etc/k0s/containerd.toml of the worker nodes. You need to restart k0s service on the node to make the change take effect.

  1. [plugins."io.containerd.grpc.v1.cri"]
  2. enable_selinux = true

Verify SELinux works in Kubernetes environment

By following the example Assign SELinux labels to a Container, deploy a testing pod using below YAML file:

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. name: test-selinux
  5. spec:
  6. containers:
  7. - image: busybox
  8. name: test-selinux
  9. command: ["sleep", "infinity"]
  10. securityContext:
  11. seLinuxOptions:
  12. level: "s0:c123,c456"

After the pod starts, ssh to the worker node on which the pod is running and check the pod process. It should display the label s0:c123,c456 that you sepecified in YAML file:

  1. $ ps -efZ | grep -F 'sleep infinity'
  2. system_u:system_r:container_t:s0:c123,c456 root 3346 3288 0 16:39 ? 00:00:00 sleep infinity