mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-05-16 01:53:51 +00:00
Document SELinux support in K3s
@@ -212,4 +212,18 @@ sudo iptables -F
|
||||
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
|
||||
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
|
||||
sudo reboot
|
||||
```
|
||||
```
|
||||
|
||||
# SELinux Support (Experimental)
|
||||
|
||||
As of release v1.17.4+k3s1, experimental support for SELinux has been added to K3s's embedded containerd. If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed. The [install script]({{<baseurl>}}/k3s/latest/en/installation/install-options/#installation-script-options) will fail if they are not. The necessary policies can be installed with the following commands:
|
||||
```
|
||||
yum install -y container-selinux selinux-policy-base
|
||||
rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
|
||||
```
|
||||
|
||||
To force the install script to log a warning rather than fail, you can set the following environment variable: `INSTALL_K3S_SELINUX_WARN=true`.
|
||||
|
||||
You can turn off SELinux enforcement in the embedded containerd by launching K3s with the `--disable-selinux` flag.
|
||||
|
||||
Note that support for SELinux in containerd is still under development. Progress can be tracked in [this pull request](https://github.com/containerd/cri/pull/1246).
|
||||
|
||||
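Review bot: The `rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm` line pins a release-candidate, el7-only package, while the paragraph above it says only "such as CentOS". State which distributions and versions the package applies to and where readers find the current package, so the page does not go stale on the next k3s-selinux build. The two install commands also lack `sudo`, unlike the `sudo update-alternatives` and `sudo reboot` lines earlier in the same file. For `INSTALL_K3S_SELINUX_WARN=true` and `--disable-selinux`, add a sentence on what each leaves in place (an install that proceeds without the policies, and an embedded containerd running without SELinux enforcement), since as written they read as neutral install options.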