Commit 03b7cf2

Run SELinux warning controller
selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster. Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.

OCP needs the controller:
- to explain to users why their pods may not be running.
- to collect metrics about such problematic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate).

Enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling
1 parent 9a7a572 commit 03b7cf2

2 files changed

+6
-0
lines changed


bindata/assets/config/defaultconfig.yaml

+3
@@ -26,6 +26,9 @@ extendedArguments:
2626
- "-ttl" # TODO: this is excluded in kube-core, but not in #21092
2727
- "-bootstrapsigner"
2828
- "-tokencleaner"
29+
# Most upstream clusters don't care about SELinux, therefore this controller is opt-in. OCP cares.
30+
# Owner: OCP storage team, @jsafrane.
31+
- "selinux-warning-controller"
2932
cloud-provider:
3033
- "external"
3134
cluster-signing-duration:
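
Review bot: the comment added above "selinux-warning-controller" in extendedArguments records why the controller is opt-in and who owns it, but not that it sits under the SELinuxChangePolicy feature gate, which only the commit message mentions. Suggest adding the gate name to the YAML comment, together with the fact that the controller emits metrics and events, so a reader of defaultconfig.yaml can see what the entry depends on without looking up the commit.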

pkg/cmd/render/render_test.go

+3
@@ -189,6 +189,7 @@ func TestRenderCommand(t *testing.T) {
189189
"--controllers=-bootstrapsigner",
190190
"--controllers=-tokencleaner",
191191
"--controllers=-ttl",
192+
"--controllers=selinux-warning-controller",
192193
"--enable-dynamic-provisioning=true",
193194
"--feature-gates=Bar=false",
194195
"--feature-gates=Foo=true",
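
Review bot: the expected arguments of this TestRenderCommand case now assert "--controllers=selinux-warning-controller" while the only feature gates rendered next to it are Bar=false and Foo=true. The commit message places the controller under the SELinuxChangePolicy feature gate, so it is worth stating what KCM does with this flag when that gate is not set, or adding a case that renders the gate together with the controller.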
@@ -268,6 +269,7 @@ func TestRenderCommand(t *testing.T) {
268269
"--controllers=-bootstrapsigner",
269270
"--controllers=-tokencleaner",
270271
"--controllers=-ttl",
272+
"--controllers=selinux-warning-controller",
271273
"--enable-dynamic-provisioning=true",
272274
"--feature-gates=Bar=false",
273275
"--feature-gates=Foo=true",
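
Review bot: this is the second of three identical one-line additions to the expected "--controllers=..." entries in TestRenderCommand. The shared default controller flags could be collected in one slice or helper that each case appends to, so the next change to the controllers list in defaultconfig.yaml needs a single edit in the test instead of one per case.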
@@ -333,6 +335,7 @@ func TestRenderCommand(t *testing.T) {
333335
"--controllers=-bootstrapsigner",
334336
"--controllers=-tokencleaner",
335337
"--controllers=-ttl",
338+
"--controllers=selinux-warning-controller",
336339
"--enable-dynamic-provisioning=true",
337340
"--feature-gates=AwesomeNewFeature=true",
338341
"--feature-gates=BadFailingFeature=false",

0 commit comments
