Fedora and RHEL use etc_t and the convention is <type_name>_t (#7891)

* Fedora and RHEL use etc_t and the convention is <type_name>_t * Docs: specify all values for preinstall_selinux_state * CI: Add Fedora 34 with SELinux in enforcing mode
3 years ago · 1afdb05ea9
5 changed files with 24 additions and 3 deletions
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@ -180,6 +180,13 @@ packet_fedora33-calico:
  variables:
    MITOGEN_ENABLE: "true"

+packet_fedora34-calico-selinux:
+  stage: deploy-part2
+  extends: .packet_periodic
+  when: on_success
+  variables:
+    MITOGEN_ENABLE: "true"
+
 packet_amazon-linux-2-aio:
  stage: deploy-part2
  extends: .packet_pr
--- a/docs/ci.md
+++ b/docs/ci.md
@ -12,7 +12,7 @@ centos8 |  :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :x:
 debian10 |  :x: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian9 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: |
 fedora33 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora34 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
+fedora34 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
 opensuse |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 oracle7 |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu16 |  :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: |
--- a/docs/vars.md
+++ b/docs/vars.md
@ -26,7 +26,7 @@ Some variables of note include:
 * *kube_version* - Specify a given Kubernetes version
 * *searchdomains* - Array of DNS domains to search when looking up hostnames
 * *nameservers* - Array of nameservers to use for DNS lookup
-* *preinstall_selinux_state* - Set selinux state, permitted values are permissive and disabled.
+* *preinstall_selinux_state* - Set selinux state, permitted values are permissive, enforcing and disabled.

 ## Addressing variables

--- a/roles/kubernetes/node/tasks/kubelet.yml
+++ b/roles/kubernetes/node/tasks/kubelet.yml
@ -17,7 +17,7 @@
  template:
    src: "kubelet.env.{{ kubeletConfig_api_version }}.j2"
    dest: "{{ kube_config_dir }}/kubelet.env"
-    setype: "{{ (preinstall_selinux_state == 'enforcing') | ternary('t_etc', omit) }}"
+    setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('etc_t', omit) }}"
    backup: yes
    mode: 0640
  notify: Node | restart kubelet
--- a/tests/files/packet_fedora34-calico-selinux.yml
+++ b/tests/files/packet_fedora34-calico-selinux.yml
@ -0,0 +1,14 @@
+---
+# Instance settings
+cloud_image: fedora-34
+mode: default
+
+# Kubespray settings
+deploy_netchecker: true
+dns_min_replicas: 1
+kube_network_plugin: calico
+
+auto_renew_certificates: true
+
+# Test with SELinux in enforcing mode
+preinstall_selinux_state: enforcing