Empty seLinuxOptions Blocks Trigger K8sPSPSELinuxV2
Empty SELinux blocks are causing the K8sPSPSELinuxV2 policy to be triggered, which blocks installations:

```yaml
seLinuxOptions: {}
```

This has been seen in the Thanos and Redis packages (the Redis case was observed when the argocd installation was blocked):

```json
{"level":"info","ts":1706025263.6377065,"logger":"webhook","msg":"denied admission: SELinux options is not allowed, pod: argocd-argocd-redis-bb-master-0, container metrics. Allowed options: []","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"selinux-policy","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sPSPSELinuxV2","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"argocd","resource_name":"argocd-argocd-redis-bb-master-0","request_username":"system:serviceaccount:kube-system:statefulset-controller"}
```
It also seems that adding a Gatekeeper policy exception does not work. The only known work-around at the moment is to make sure the packages don't declare an empty `seLinuxOptions: {}` block. For example, adding these to the exceptions list did not work:

```yaml
- thanos/thanos-query-frontend-.?
- thanos/thanos-query-.?
- thanos/thanos-storagegateway-.?
```

or

```yaml
- thanos/.*
```

or

```yaml
- thanos/.?
```
Relates to thanos#33 (closed)
Edited by Michael Martin
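As an added example (not code from this issue, Big Bang, Gatekeeper or Thanos), the script below emulates the constraint's decision and applies the work-around to a manifest. It is based on my reading of the gatekeeper-library `K8sPSPSELinuxV2` template: the violation fires whenever a `seLinuxOptions` key is *present* in the pod or any container `securityContext` and its `level`/`role`/`type`/`user` fields do not exactly match an entry of `allowedSELinuxOptions`. With an empty allow-list (`Allowed options: []` in the log above) an empty `{}` block is therefore enough to be denied. The script takes manifests already parsed into dicts (what `kubectl get ... -o json` yields), so it needs no YAML library; the sample StatefulSet is constructed for the example and only borrows the pod name from the log line.

```python
"""Emulate the K8sPSPSELinuxV2 check and strip empty seLinuxOptions blocks.

Added example for the issue above; not Big Bang, Gatekeeper or Thanos code.
Assumptions: manifests are plain dicts (JSON), and the constraint denies any
present seLinuxOptions key that does not exactly match an allow-list entry.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

SELINUX_FIELDS = ("level", "role", "type", "user")

# Constructed sample: a StatefulSet whose "metrics" sidecar declares an empty block.
SAMPLE = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "argocd-argocd-redis-bb-master", "namespace": "argocd"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "redis", "image": "redis", "securityContext": {"runAsUser": 1001}},
            {"name": "metrics", "image": "redis-exporter", "securityContext": {"seLinuxOptions": {}}},
        ],
    }}},
}


def _pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec of a Pod, or of the pod template of a Deployment/StatefulSet/etc."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def security_contexts(obj: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
    """(label, securityContext) for the pod and every container kind the template inspects
    (assumed: containers, initContainers, ephemeralContainers). Returns live references."""
    spec = _pod_spec(obj)
    found = []
    if "securityContext" in spec:
        found.append(("pod", spec["securityContext"]))
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            if "securityContext" in c:
                found.append((f"{field}/{c.get('name', '?')}", c["securityContext"]))
    return found


def selinux_options_allowed(options: Dict[str, Any], allowed: List[Dict[str, Any]]) -> bool:
    """Exact match on the four fields; a field absent on both sides also counts as equal."""
    return any(all(options.get(f) == params.get(f) for f in SELINUX_FIELDS) for params in allowed)


def violations(obj: Dict[str, Any], allowed: List[Dict[str, Any]]) -> List[str]:
    """Labels of every securityContext that the constraint would deny.
    Note that presence of the key is what matters: {} or null is still a violation."""
    denied = []
    for label, sc in security_contexts(obj):
        if "seLinuxOptions" in sc and not selinux_options_allowed(sc["seLinuxOptions"] or {}, allowed):
            denied.append(label)
    return denied


def strip_empty_selinux(obj: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """The work-around: return a copy with every empty seLinuxOptions block removed,
    plus the labels that were cleaned. Non-empty blocks are left alone on purpose."""
    cleaned = copy.deepcopy(obj)
    removed = []
    for label, sc in security_contexts(cleaned):
        if "seLinuxOptions" in sc and not sc["seLinuxOptions"]:
            del sc["seLinuxOptions"]
            removed.append(label)
    return cleaned, removed


if __name__ == "__main__":
    print("denied before:", violations(SAMPLE, []))
    fixed, removed = strip_empty_selinux(SAMPLE)
    print("removed from:", removed)
    print("denied after:", violations(fixed, []))
    print(json.dumps(fixed["spec"]["template"]["spec"]["containers"][1], indent=2))
```

Run it against `helm template ... | kubectl create -f - --dry-run=client -o json` style output (one object at a time) to find which chart produces the block; the fix itself still has to land in the package values or templates, since the script only confirms the diagnosis and shows the cleaned container.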