On 11/22/2016 05:15 PM, Josh Berkus wrote:
> Currently, it is not possible to run Kubeadm with SELinux enabled.
>
> This is bad; it means that Kubernetes' official installation
> instructions include `setenforce 0`. But it's hard to argue the point
> when a kubeadm install -- soon to be the main install option for
> Kubernetes, and the only one which currently works on Atomic -- simply
> doesn't work with SELinux enabled.
>
> The current blocker is that kubeadm init will hang forever at this stage:
>
> <master/apiclient> created API client, waiting for the control plane to
> become ready
>
>
> The errors shown in the journal are here:
>
> https://gist.github.com/jberkus/4e926c76fbf772ffee4eb774cb0a4c60
>
> That's on Fedora 25 Atomic. I've had the exact same experience on
> CentOS 7 and RHEL 7, although the error messages are not identical.
>
> Seems like this is on us to fix, if we want people to keep SELinux
> enforcing. I don't know if we need to push patches to Kubeadm, or to
> SELinux, or both.
>
What AVCs are you seeing? Where is the bugzilla for this?

ausearch -m avc -ts recent