diff --git a/.ci/openshift-ci/cluster/deployments/relable_selinux.yaml b/.ci/openshift-ci/cluster/deployments/relable_selinux.yaml
new file mode 100644
index 000000000..8ae360e21
--- /dev/null
+++ b/.ci/openshift-ci/cluster/deployments/relable_selinux.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: restorecon-daemonset
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: restorecon
+ template:
+ metadata:
+ labels:
+ app: restorecon
+ spec:
+ serviceAccountName: kata-deploy-sa
+ hostPID: true
+ containers:
+ - name: restorecon-container
+ image: alpine
+ securityContext:
+ privileged: true
+ command: ["/bin/sh", "-c", "nsenter --target 1 --mount bash -c \"ls -alZ /opt/kata/bin; semanage fcontext -a -t bin_t '/opt/kata/bin(/.*)?'; semanage fcontext -a -t bin_t '/opt/kata/libexec(/.*)?'; semanage fcontext -a -t bin_t '/opt/kata/runtime-rs/bin(/.*)?'; restorecon -Rv /opt/kata; ls -alZ /opt/kata/bin\""]
diff --git a/.ci/openshift-ci/cluster/install_kata.sh b/.ci/openshift-ci/cluster/install_kata.sh
index af4787034..ec660177d 100755
--- a/.ci/openshift-ci/cluster/install_kata.sh
+++ b/.ci/openshift-ci/cluster/install_kata.sh
@@ -181,3 +181,7 @@ if [ ${SELINUX_PERMISSIVE} == "yes" ]; then
 # The new SELinux configuration will trigger another reboot.
 wait_for_reboot
 fi
+
+# FIXME: Remove when https://github.com/kata-containers/kata-containers/pull/8417 is resolved
+# Selinux context is currently not handled by kata-deploy
+oc apply -f ${deployments_dir} relable_selinux.yaml
diff --git a/.ci/openshift-ci/test.sh b/.ci/openshift-ci/test.sh
index ad4ee6165..59cb5022a 100755
--- a/.ci/openshift-ci/test.sh
+++ b/.ci/openshift-ci/test.sh
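Review bot: In relable_selinux.yaml the container that runs with `privileged: true` and `hostPID: true`, and enters the host mount namespace through `nsenter --target 1`, is pulled as `image: alpine`, an unqualified name with a mutable tag, so whatever that name resolves to at pull time runs as root on every node. Pin it to a fully qualified reference by digest, for example `image: <registry>/<repo>/alpine@sha256:<digest>` (placeholder values). The command also exits as soon as the relabel finishes, and a DaemonSet pod always restarts its containers, so the `semanage`/`restorecon` sequence is likely to be re-run in a restart loop; because the steps are joined with `;`, a failing `semanage fcontext -a` (for instance when the rule already exists) neither stops the sequence nor changes the exit status. Doing the relabel in an init container, with an unprivileged idle main container, would run it once per pod start and let pod readiness signal that the relabel completed.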
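Review bot: As shown on this page, the new line in install_kata.sh reads `oc apply -f ${deployments_dir} relable_selinux.yaml`, with a space where a path separator is expected, so `-f` receives the whole deployments directory and the file name becomes a stray positional argument; unless that is a rendering artefact, it should be `oc apply -f "${deployments_dir}/relable_selinux.yaml"`. The result of the command is not checked in the visible lines, and whether the script runs under `set -e` cannot be seen from this hunk. `oc apply` also returns once the object is accepted, not when the relabel has run on each node. Since test.sh in the same commit switches to `SELINUX_PERMISSIVE="no"`, the tests can presumably start against nodes whose /opt/kata files still carry the old context; a wait after the apply, such as `oc rollout status -n kube-system ds/restorecon-daemonset`, or a check of the pod logs, would narrow that gap.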
@@ -19,7 +19,7 @@ export PATH=/tmp/shared:$PATH oc version || die "Test cluster is unreachable" info "Install and configure kata into the test cluster" -export SELINUX_PERMISSIVE="yes" +export SELINUX_PERMISSIVE="no" ${script_dir}/cluster/install_kata.sh || die "Failed to install kata-containers" info "Run test suite: $suite"