Add fapolicyd to k3s #9533

46 changes: 46 additions & 0 deletions install.sh
Expand Up @@ -94,6 +94,10 @@ set -o noglob
# - INSTALL_K3S_CHANNEL
# Channel to use for fetching k3s download URL.
# Defaults to 'stable'.
#
# - INSTALL_K3S_SKIP_FAPOLICY
# If set, the install script will skip adding fapolicy rules
# Default is not set.

GITHUB_URL=https://github.com/k3s-io/k3s/releases
GITHUB_PR_URL=""
Expand Down Expand Up @@ -911,6 +915,13 @@ elif type zypper >/dev/null 2>&1; then
\$uninstall_cmd
rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo
fi
if type fapolicyd >/dev/null 2>&1; then
if [ -f /etc/fapolicyd/rules.d/80-k3s.rules ]; then
rm -f /etc/fapolicyd/rules.d/80-k3s.rules
fi
fagenrules --load
systemctl restart fapolicyd
fi
EOF
$SUDO chmod 755 ${UNINSTALL_K3S_SH}
$SUDO chown root:root ${UNINSTALL_K3S_SH}
Expand Down Expand Up @@ -1100,6 +1111,40 @@ service_enable_and_start() {
return 0
}

# verify_fapolicyd verifies existence of
# fapolicyd executable.
verify_fapolicyd() {
cmd="$(command -v "fapolicyd")"
if [ -z "${cmd}" ]; then
return 1
fi

return 0
}

setup_fapolicy_rules() {
if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ] || [ -r /etc/rocky-release ]; then
verify_fapolicyd || return
# setting k3s fapolicyd rules
cat <<-EOF >>"/etc/fapolicyd/rules.d/80-k3s.rules"
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
EOF
if [ -z "${INSTALL_K3S_SKIP_START}" ]; then
fagenrules --load || fatal "failed to load k3s fapolicyd rules"
systemctl restart fapolicyd
fi
fi
}

install_fapolicy() {
if [ -z "${INSTALL_K3S_SKIP_FAPOLICY}" ]; then
setup_fapolicy_rules
fi
}

# --- re-evaluate args to include env command ---
eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")

Expand All @@ -1115,6 +1160,7 @@ eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
systemd_disable
create_env_file
create_service_file
install_fapolicy
service_enable_and_start
}
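Review bot: In setup_fapolicy_rules the rules file is written with `cat <<-EOF >>"/etc/fapolicyd/rules.d/80-k3s.rules"`, which appends rather than overwrites and runs without `$SUDO`, so every re-run of the installer duplicates the four allow lines and the write fails when the script is not already root, unlike the `$SUDO chmod`/`$SUDO chown` calls in the uninstall hunk; replacing it with `$SUDO tee "/etc/fapolicyd/rules.d/80-k3s.rules" >/dev/null <<-EOF` makes the step idempotent and correctly privileged, and `fagenrules --load` / `systemctl restart fapolicyd` in the same function should be prefixed with `$SUDO` for the same reason. The rules themselves are also very broad: `allow perm=any all : dir=/var/lib/kubelet/` and `allow perm=any all : dir=/run/k3s/` let any subject execute any file under those trees, which presumably covers pod volumes and running-container rootfs mounts, so fapolicyd would no longer constrain what workloads execute. If that is the intended trade-off it deserves a comment above the heredoc, e.g. `# NOTE: these rules exempt k3s data, CNI plugins, containerd state and kubelet volumes from fapolicyd checks; files placed there by workloads are not policy-enforced.`. The `<<-EOF` form strips leading tabs only, so if the heredoc body is indented with spaces the rules would be written with leading whitespace — worth confirming in the raw file since the rendered diff loses indentation.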