Merge pull request #684 from kube-hetzner/staging

longhorn_volume_size and selinux proper activation for k3s
kube-hetzner · Mar 29, 2023 · 18f86a9 · 18f86a9
2 parents b6210f2 + 604d165
commit 18f86a9
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 39 deletions.
diff --git a/agents.tf b/agents.tf
@@ -65,6 +65,7 @@ resource "null_resource" "agents" {
       node-ip       = module.agents[each.key].private_ipv4_address
       node-label    = each.value.labels
       node-taint    = each.value.taints
+      selinux       = true
     })
     destination = "/tmp/config.yaml"
   }
@@ -97,22 +98,22 @@ resource "null_resource" "agents" {
 }
 
 resource "hcloud_volume" "longhorn_volume" {
-  for_each = { for k, v in local.agent_nodes : k => v if((lookup(v, "longhorn_volume_size", 0) >= 10) && (lookup(v, "longhorn_volume_size", 0) <= 10000) && var.enable_longhorn) }
+  for_each = { for k, v in local.agent_nodes : k => v if((v.longhorn_volume_size >= 10) && (v.longhorn_volume_size <= 10000) && var.enable_longhorn) }
 
   labels = {
     provisioner = "terraform"
     cluster     = var.cluster_name
     scope       = "longhorn"
   }
   name      = "${var.cluster_name}-longhorn-${module.agents[each.key].name}"
-  size      = lookup(local.agent_nodes[each.key], "longhorn_volume_size", 0)
+  size      = local.agent_nodes[each.key].longhorn_volume_size
   server_id = module.agents[each.key].id
   automount = true
   format    = var.longhorn_fstype
 }
 
 resource "null_resource" "configure_longhorn_volume" {
-  for_each = { for k, v in local.agent_nodes : k => v if((lookup(v, "longhorn_volume_size", 0) >= 10) && (lookup(v, "longhorn_volume_size", 0) <= 10000) && var.enable_longhorn) }
+  for_each = { for k, v in local.agent_nodes : k => v if((v.longhorn_volume_size >= 10) && (v.longhorn_volume_size <= 10000) && var.enable_longhorn) }
 
   triggers = {
     agent_id = module.agents[each.key].id

diff --git a/autoscaler-agents.tf b/autoscaler-agents.tf
@@ -78,6 +78,7 @@ data "cloudinit_config" "autoscaler-config" {
           flannel-iface = local.flannel_iface
           node-label    = local.default_agent_labels
           node-taint    = local.default_agent_taints
+          selinux       = true
         })
         install_k3s_agent_script     = join("\n", concat(local.install_k3s_agent, ["systemctl start k3s-agent"]))
         cloudinit_write_files_common = local.cloudinit_write_files_common

diff --git a/control_planes.tf b/control_planes.tf
@@ -112,6 +112,7 @@ resource "null_resource" "control_planes" {
           advertise-address           = module.control_planes[each.key].private_ipv4_address
           node-label                  = each.value.labels
           node-taint                  = each.value.taints
+          selinux                     = true
           write-kubeconfig-mode       = "0644" # needed for import into rancher
         },
         lookup(local.cni_k3s_settings, var.cni_plugin, {}),

diff --git a/init.tf b/init.tf
@@ -24,6 +24,7 @@ resource "null_resource" "first_control_plane" {
           advertise-address           = module.control_planes[keys(module.control_planes)[0]].private_ipv4_address
           node-taint                  = local.control_plane_nodes[keys(module.control_planes)[0]].taints
           node-label                  = local.control_plane_nodes[keys(module.control_planes)[0]].labels
+          selinux                     = true
         },
         lookup(local.cni_k3s_settings, var.cni_plugin, {}),
         var.use_control_plane_lb ? {

diff --git a/locals.tf b/locals.tf
@@ -76,12 +76,12 @@ locals {
       format("%s-%s-%s", pool_index, node_index, nodepool_obj.name) => {
         nodepool_name : nodepool_obj.name,
         server_type : nodepool_obj.server_type,
-        longhorn_volume_size : lookup(nodepool_obj, "longhorn_volume_size", 0),
+        longhorn_volume_size : coalesce(nodepool_obj.longhorn_volume_size, 0),
         floating_ip : lookup(nodepool_obj, "floating_ip", false),
         location : nodepool_obj.location,
         labels : concat(local.default_agent_labels, nodepool_obj.labels),
         taints : concat(local.default_agent_taints, nodepool_obj.taints),
-        backups : nodepool_obj.backups,
+        backups : lookup(nodepool_obj, "backups", false),
         index : node_index
       }
     }
@@ -557,14 +557,23 @@ EOF
     module kube_hetzner_selinux 1.0;
 
     require {
-            type iscsid_t;
-            type iscsid_exec_t;
-            type var_run_t;
-            class file { execute execute_no_trans };
-            class sock_file write;
-            class unix_stream_socket connectto;
+        type iscsid_t;
+        type iscsid_exec_t;
+        type var_run_t;
+        type init_t;
+        type unlabeled_t;
+        type systemd_logind_t;
+        type systemd_hostnamed_t;
+        type container_t;
+        type cert_t;
+        class file { open read execute execute_no_trans };
+        class sock_file write;
+        class unix_stream_socket connectto;
+        class dir { search rmdir read add_name remove_name };
+        class lnk_file { read create };
     }
 
+    #============= iscsid_t ==============
     # Allow iscsid to execute in its own domain
     allow iscsid_t iscsid_exec_t:file execute;
 
@@ -574,33 +583,34 @@ EOF
     # Allow iscsid to connect to unix_stream_socket
     allow iscsid_t var_run_t:unix_stream_socket connectto;
 
-    require {
-      type init_t;
-      type unlabeled_t;
-      class dir add_name;
-    }
-
     #============= init_t ==============
+    # Allow init_t to add names to unlabeled directories
     allow init_t unlabeled_t:dir add_name;
 
-    require {
-      type unlabeled_t;
-      type init_t;
-      class dir remove_name;
-    }
-
-    #============= init_t ==============
+    # Allow init_t to remove names from unlabeled directories
     allow init_t unlabeled_t:dir remove_name;
 
-    require {
-      type unlabeled_t;
-      type init_t;
-      class lnk_file create;
-    }
-
-    #============= init_t ==============
+    # Allow init_t to create symbolic links in unlabeled directories
     allow init_t unlabeled_t:lnk_file create;
 
+    # Allow init_t to remove unlabeled directories
+    allow init_t unlabeled_t:dir rmdir;
+
+    #============= systemd_logind_t ==============
+    # Allow search operation for systemd-logind
+    allow systemd_logind_t unlabeled_t:dir search;
+
+    #============= systemd_hostnamed_t ==============
+    # Allow search operation for systemd-hostnamed
+    allow systemd_hostnamed_t unlabeled_t:dir search;
+
+    #============= container_t ==============
+    # Allow read operation for cluster-autoscaler and system-upgrade containers
+    allow container_t cert_t:dir read;
+    allow container_t cert_t:lnk_file read;
+    allow container_t cert_t:file read;
+    allow container_t cert_t:file open;
+
 # Create the k3s registries file if needed
 %{if var.k3s_registries != ""}
 # Create k3s registries file
@@ -667,5 +677,8 @@ EOT
 - [systemctl, restart, NetworkManager]
 - [systemctl, status, NetworkManager]
 - [ip, route, add, default, via, '172.31.1.1', dev, 'eth0']
+
+# Cleanup some logs
+- [truncate, '-s', '0', '/var/log/audit/audit.log']
 EOT
 }
diff --git a/variables.tf b/variables.tf
@@ -104,14 +104,15 @@ variable "control_plane_nodepools" {
 variable "agent_nodepools" {
   description = "Number of agent nodes."
   type = list(object({
-    name        = string
-    server_type = string
-    location    = string
-    backups     = optional(bool)
-    floating_ip = optional(bool)
-    labels      = list(string)
-    taints      = list(string)
-    count       = number
+    name                 = string
+    server_type          = string
+    location             = string
+    backups              = optional(bool)
+    floating_ip          = optional(bool)
+    labels               = list(string)
+    taints               = list(string)
+    count                = number
+    longhorn_volume_size = optional(number)
   }))
   default = []
 }