Skip to content

[feat] Setting timezone under SELinux. #12436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[feat] Setting timezone under SELinux. #12436

wants to merge 1 commit into from
+26 −1

Conversation

bbaassssiiee
Copy link
Contributor

@bbaassssiiee bbaassssiiee commented Jul 30, 2025
edited by yankay
Loading

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
Fix setting timezone under SELinux.

Which issue(s) this PR fixes:

Fixes #12435

Special notes for your reviewer:
Ensure SELinux is enforcing, pre-test with this command:

$ sudo timedatectl set-timezone Europe/Amsterdam
Failed to set time zone: Failed to update /etc/localtime

Does this PR introduce a user-facing change?:

[feat] Setting timezone under SELinux.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 30, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @bbaassssiiee. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 30, 2025
@yankay
Copy link
Member

yankay commented Jul 31, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 31, 2025
@bbaassssiiee
Copy link
Contributor Author

For proper testing this default should change to:

preinstall_selinux_state: enforcing

That would make the cluster more secure by default. What do you think?

@yankay
Copy link
Member

yankay commented Jul 31, 2025
edited
Loading

HI @bbaassssiiee

It is not recommended to modify SELinux default settings. This is because kubeadm advises using permissive mode, as referenced at:
https://github.com/kubernetes/website/blob/main/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md?plain=1#L273

Kubernetes provides native security mechanisms such as Pod Security Context. These enable granular permission control at the container level without relying on SELinux's enforcement.

@bbaassssiiee
Copy link
Contributor Author

I ran Kubespray with calico and local-path for months with SELinux, but don't just take my word for it. The Haven standard (compliance tests for Kubernetes by the Association of Dutch municipalities) requires SELinux or similar for other distros to enabled on the hosts.

This blog has background on why people think SELinux should be disabled, and why that is a myth.
https://dev.to/carminezacc/does-kubernetes-support-selinux-3oop

@bbaassssiiee bbaassssiiee marked this pull request as draft August 7, 2025 12:23
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 7, 2025
@bbaassssiiee
Copy link
Contributor Author

Converted to draft. This conditional should be kept:

 when:
    - ntp_timezone

@bbaassssiiee bbaassssiiee force-pushed the bugfix/12435 branch 2 times, most recently from 014d5ad to 2456c5b Compare August 29, 2025 10:02
@bbaassssiiee bbaassssiiee marked this pull request as ready for review August 29, 2025 10:03
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 29, 2025
@k8s-ci-robot k8s-ci-robot requested a review from yankay August 29, 2025 10:03
@bbaassssiiee
Copy link
Contributor Author

Made this more granular

@bbaassssiiee bbaassssiiee force-pushed the bugfix/12435 branch 2 times, most recently from e17fdac to cffc9bb Compare September 1, 2025 16:07
@bbaassssiiee
Copy link
Contributor Author

@yankay Tests pass now, please review.

@yankay yankay changed the title Fix for #12435 - setting timezone under SELinux. [feat] Setting timezone under SELinux. Sep 4, 2025
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Sep 4, 2025
@bbaassssiiee bbaassssiiee force-pushed the bugfix/12435 branch 2 times, most recently from c0e384f to c36d06d Compare September 4, 2025 12:30
@yankay
Copy link
Member

yankay commented Sep 5, 2025

Thanks @bbaassssiiee
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bbaassssiiee, yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 5, 2025
@bbaassssiiee
Copy link
Contributor Author

CI pipeline failure seems unrelated to the PR https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/11245920993#L8374

@yankay
Copy link
Member

yankay commented Sep 11, 2025

Shall we rebase onto master and try again?
I see the latest master branch can still be built successfully.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yankay yankay yankay left review comments

@MrFreezeex MrFreezeex Awaiting requested review from MrFreezeex

@mzaian mzaian Awaiting requested review from mzaian

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Setting timezone fails under SELinux
3 participants
@bbaassssiiee @k8s-ci-robot @yankay