On Tue, Nov 22, 2016 at 2:38 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>
>
> On 11/22/2016 05:15 PM, Josh Berkus wrote:
>> Currently, it is not possible to run Kubeadm with SELinux enabled.
>>
>> This is bad; it means that Kubernetes' official installation
>> instructions include `setenforce 0`.  But it's hard to argue the point
>> when a kubeadm install -- soon to be the main install option for
>> Kubernetes, and the only one which currently works on Atomic -- simply
>> doesn't work with SELinux enabled.
>>
>> The current blocker is that kubeadm init will hang forever at this stage:
>>
>> <master/apiclient> created API client, waiting for the control plane to
>> become ready
>>
>>
>> The errors shown in the journal are here:
>>
>> https://gist.github.com/jberkus/4e926c76fbf772ffee4eb774cb0a4c60
>>
>> That's on Fedora 25 Atomic.  I've had the exact same experience on
>> CentOS 7 and RHEL 7, although the error messages are not identical.
>>
>> Seems like this is on us to fix, if we want people to keep SELinux
>> enforcing.  I don't know if we need to push patches to Kubeadm, or to
>> SELinux, or both.
>>
>
> What AVCs are you seeing?  Where is the bugzilla for this?
>
> ausearch -m avc -ts recent

https://paste.fedoraproject.org/488671/79856867/

This is from a kubeadm that's packaged up in a copr:
https://copr.fedorainfracloud.org/coprs/jasonbrooks/kube-release/

The kubernetes project provides rpms for centos and ubuntu, and there
are a few things about the way they pkg it that conflict w/ atomic. Some
more info at
https://jebpages.com/2016/11/01/installing-kubernetes-on-centos-atomic-host-with-kubeadm/.