[Bug]: After #1257 autoscaler stopped working. #1271

Closed
patope opened this issue Mar 12, 2024 · 12 comments · Fixed by #1272
Labels
bug Something isn't working

Comments

@patope (Contributor) commented Mar 12, 2024

Description

#1257 broke the autoscaler. The autoscaler runs fine with 2.13.1, but fails with 2.13.2. The cluster needs to be newly created.

In the pod logs:

F0312 16:22:32.698624       1 hetzner_cloud_provider.go:186] Failed to create Hetzner manager: failed to get ssh key error: Get "https://api.hetzner.cloud/v1/ssh_keys/19959902": tls: failed to verify certificate: x509: failed to load system roots and no roots provided; open /etc/ssl/certs: permission denied

Host audits:

type=AVC msg=audit(1710260420.902:1266): avc:  denied  { read } for  pid=4733 comm="system-upgrade-" name="certs" dev="overlay" ino=434 scontext=system_u:system_r:container_t:s0:c677,c872 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1710260420.902:1267): avc:  denied  { read } for  pid=4733 comm="system-upgrade-" name="ca-bundle.pem" dev="overlay" ino=433 scontext=system_u:system_r:container_t:s0:c677,c872 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1710260444.549:1547): avc:  denied  { read } for  pid=6274 comm="cluster-autosca" name="pem" dev="sda2" ino=296 scontext=system_u:system_r:container_t:s0:c517,c844 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

audit2allow

# ausearch --raw | audit2allow

#============= container_t ==============

#!!!! This avc can be allowed using the boolean 'container_read_certs'
allow container_t cert_t:dir read;

#!!!! This avc can be allowed using the boolean 'container_read_certs'
allow container_t cert_t:lnk_file read;

Kube.tf file

source  = "kube-hetzner/kube-hetzner/hcloud"
version = "2.13.2"

Screenshots

No response

Platform

Linux

@patope patope added the bug Something isn't working label Mar 12, 2024
@patope (Contributor, Author) commented Mar 12, 2024

The problem seems to be in policy compilation.

With 2.13.2, root's home folder contains only

  • kube_hetzner_selinux.te

On 2.13.1 there are

  • kube_hetzner_selinux.te
  • kube_hetzner_selinux.mod
  • kube_hetzner_selinux.pp

@lpellegr commented Mar 12, 2024

I just experienced the same problem, and it even caused a working cluster that updates by itself to stop working. Using version 2.13.1 helps, but you still need to recreate the cluster again from scratch.

@mateuszlewko

it even caused a working cluster that updates by itself to stop working.

Sorry for going off topic, but what do you mean by the cluster updating itself? Do you mean automatic system updates, or do you have some automation that applies the newest version of this Terraform module?

@lpellegr

it even caused a working cluster that updates by itself to stop working.

Sorry for going off topic, but what do you mean by the cluster updating itself? Do you mean automatic system updates, or do you have some automation that applies the newest version of this Terraform module?

I would say automatic system updates since I have no automation.

@mysticaltech (Collaborator)

@patope @lpellegr I will add the missing SELinux rules ASAP.

@patope (Contributor, Author) commented Mar 12, 2024

@mysticaltech I already made PR #1272 to resolve this. The problem is unknown permissions on anon_inode.

@mysticaltech (Collaborator)

@patope I don't understand, you are removing permissions in the PR, how can that help?

@patope (Contributor, Author) commented Mar 12, 2024

@mysticaltech those permissions are not valid for anon_inode, and the policy compiler will fail on them.

@mysticaltech (Collaborator)

@patope Ok, I see. Thanks for the info.

@mysticaltech (Collaborator)

@patope @lpellegr Should be fixed in v2.13.3. Lesson learned: when modifying SELinux policies, always test whether they compile correctly 😅 And thanks again for the tip!
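Added example, not code from the kube-hetzner module or from anyone in this thread: the compile check that patope's listing of .te/.mod/.pp files implies and that the "test if it compiles" lesson calls for. A POSIX shell script turns a .te into .mod and .pp with checkmodule and semodule_package and reports a compiler rejection instead of silently leaving only the .te behind. The module name and .te contents are constructed from the audit2allow output above; checkmodule and semodule_package are assumed to be installed (the script reports when they are not).

```shell
#!/bin/sh
# Added example, not code from the kube-hetzner module: compile a SELinux
# policy module and fail loudly when the compiler rejects it, so a rule
# with an invalid permission never leaves a host with only the .te behind.
# Assumes checkmodule and semodule_package (checkpolicy/policycoreutils).
set -u

# Constructed .te source: the two rules audit2allow printed in the issue,
# wrapped in the require block a loadable module needs.
write_test_policy() {
    cat > "$1" <<'EOF'
module kube_hetzner_selinux_test 1.0;

require {
    type container_t;
    type cert_t;
    class dir read;
    class lnk_file read;
}

allow container_t cert_t:dir read;
allow container_t cert_t:lnk_file read;
EOF
}

# compile_selinux_module <file.te>
# 0: .mod and .pp produced; 1: compiler rejected the policy; 2: toolchain missing.
compile_selinux_module() {
    te="$1"
    base="${te%.te}"
    command -v checkmodule >/dev/null 2>&1 || return 2
    command -v semodule_package >/dev/null 2>&1 || return 2
    # -M: MLS/MCS policy (the s0:c... categories in the AVCs), -m: loadable module
    checkmodule -M -m -o "$base.mod" "$te" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    if [ -s "$base.mod" ] && [ -s "$base.pp" ]; then return 0; else return 1; fi
}

# Usage: compile the constructed policy in a scratch directory and report.
workdir=$(mktemp -d)
write_test_policy "$workdir/kube_hetzner_selinux_test.te"
compile_selinux_module "$workdir/kube_hetzner_selinux_test.te" && rc=0 || rc=$?
case "$rc" in
    0) echo "compiled OK; install with: semodule -i $workdir/kube_hetzner_selinux_test.pp" ;;
    1) echo "compiler rejected the policy; fix the .te before installing" ;;
    2) echo "checkmodule/semodule_package not installed; nothing compiled" ;;
esac
rm -rf "$workdir"
```

On a host where only the .te is present after provisioning, as in this issue, running this against that file shows the compiler's error instead of an unexplained AVC denial later.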

@lpellegr

Thanks for the fix!

@brain-dev-null

Thank you! 😄
