Currently, it is not possible to run Kubeadm with SELinux enabled. This is bad; it means that Kubernetes' official installation instructions include `setenforce 0`. But it's hard to argue the point when a kubeadm install -- soon to be the main install option for Kubernetes, and the only one which currently works on Atomic -- simply doesn't work with SELinux enabled.
The current blocker is that kubeadm init will hang forever at this stage: <master/apiclient> created API client, waiting for the control plane to become ready The errors shown in the journal are here: https://gist.github.com/jberkus/4e926c76fbf772ffee4eb774cb0a4c60 That's on Fedora 25 Atomic. I've had the exact same experience on CentOS 7 and RHEL 7, although the error messages are not identical. Seems like this is on us to fix, if we want people to keep SELinux enforcing. I don;t know if we need to push patches to Kubeadm, or to SELinux, or both. -- -- Josh Berkus Project Atomic Red Hat OSAS
