I am trying to run Rook/Ceph with SELinux enforcing. I was successful setting the parameter in the helm chart "hostpathRequiresPrivileged" to get it working. But I am wanting to use it with an SELinux policy that restricts Rook/Ceph access to just what it needs to function. I am not well versed in creating SELinux policies, so I have been exploring different policy generators, but I'm wondering if Rook provides an SELinux policy that I couldn't find in the repo. Or if someone has had success in creating a policy, I would appreciate some assistance.
There is not a more specific policy for the same.
The `containerSecurityContext` only applies to the operator and toolbox pods, but at least it should already support the full securityContext options such as `seLinuxOptions`. For all the ceph pods, the only security context currently applied is found in these helper methods, which don't have a way to override from the CR settings. Seems like we need a `seLinuxOptions` setting in the CephCluster CR to allow setting this (and the helm chart would also inherit this setting).