Documentation: Kernel modules (SELinux) #506

Open
ghost opened this issue Jan 25, 2023 · 1 comment
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers

Comments

@ghost

ghost commented Jan 25, 2023

When running kube-vip on nodes with SELinux enabled, it fails to load the kernel modules unless the SELinux boolean domain_kernel_load_modules is set to true. I've seen this being configured in other projects. Dan Walsh is arguing against this here, and I agree with him: we don't want to let any container load whatever kernel module it wants.

It might be a good idea to add a section to the documentation about making sure to load the modules ip_vs and ip_vs_rr before deploying kube-vip. I'm not sure if this should be a "Troubleshooting SELinux" section or a general recommendation/requirement.


Below are some symptoms for anyone finding this issue while trying to get kube-vip running and having no idea what is going on (same as me in the beginning). If this matches, try loading the kernel modules ip_vs and ip_vs_rr.

  • kube-vip pod in Error/CrashLoopBackOff
  • kube-vip pod logs show
    time="2023-01-25T07:22:03Z" level=info msg="Starting IPVS LoadBalancer"
    time="2023-01-25T07:22:03Z" level=error msg="ensure IPVS kernel modules are loaded"
    time="2023-01-25T07:22:03Z" level=fatal msg="Error starting IPVS [netlink receive: no such file or directory]"
  • Linux audit log shows
    type=AVC msg=audit(1674633883.119:874): avc:  denied  { module_request } for  pid=15328 comm="kube-vip" kmod="net-pf-16-proto-16-family-IPVS" scontext=system_u:system_r:container_t:s0:c139,c162 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Thanks!
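An added example of the host-side preparation the comment above asks to document; it is not kube-vip's own code or documentation. The script loads ip_vs and ip_vs_rr on the node itself, persists them for reboots, and leaves domain_kernel_load_modules off so the kube-vip container never needs module_request. The modules-load.d file name and the audit log path are assumptions, and the sample AVC line is constructed from the denial quoted in the issue so the parsing helper can be exercised without a real audit log.

```shell
#!/bin/sh
# Added example, not part of kube-vip. Prepare an SELinux-enforcing node for
# kube-vip's IPVS mode by loading the modules on the host instead of granting
# domain_kernel_load_modules=1, which would let every container load modules.

REQUIRED_MODULES="ip_vs ip_vs_rr"
MODULES_LOAD_FILE="/etc/modules-load.d/kube-vip.conf"   # assumed file name
AUDIT_LOG="/var/log/audit/audit.log"                     # assumed path

# missing_modules LOADED_LIST: LOADED_LIST is the first column of /proc/modules,
# one name per line. Prints each required module that is not in the list.
missing_modules() {
    loaded="$1"
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# avc_module_requests AUDIT_TEXT: prints "scontext kmod" for every denied
# module_request issued from a container_t domain. Empty output means no
# container is still trying to pull modules in through the kernel.
avc_module_requests() {
    printf '%s\n' "$1" \
      | grep 'avc:  denied  { module_request }' \
      | grep 'scontext=system_u:system_r:container_t' \
      | sed -n 's/.*kmod="\([^"]*\)".*scontext=\([^ ]*\).*/\2 \1/p'
}

# persist_modules FILE: one module name per line, picked up by
# systemd-modules-load at boot.
persist_modules() {
    file="$1"
    mkdir -p "$(dirname "$file")"
    for m in $REQUIRED_MODULES; do printf '%s\n' "$m"; done > "$file"
}

# Host-side procedure: run as root on each node before deploying kube-vip.
prepare_node() {
    loaded="$(cut -d' ' -f1 /proc/modules)"
    for m in $(missing_modules "$loaded"); do
        modprobe "$m"
    done
    persist_modules "$MODULES_LOAD_FILE"

    # Show that the permissive boolean is still off; we do not want it on.
    if command -v getsebool >/dev/null 2>&1; then
        getsebool domain_kernel_load_modules
    fi

    # Any remaining container_t module_request denials name a module that a
    # pod is still trying to load from inside its own domain.
    if [ -r "$AUDIT_LOG" ]; then
        avc_module_requests "$(cat "$AUDIT_LOG")"
    fi

    # Final check: nothing required is missing from the running kernel.
    [ -z "$(missing_modules "$(cut -d' ' -f1 /proc/modules)")" ]
}

# Constructed sample, mirroring the AVC denial quoted in this issue.
SAMPLE_AVC='type=AVC msg=audit(1674633883.119:874): avc:  denied  { module_request } for  pid=15328 comm="kube-vip" kmod="net-pf-16-proto-16-family-IPVS" scontext=system_u:system_r:container_t:s0:c139,c162 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0'
```

Run `prepare_node` as root on the node; `missing_modules` and `avc_module_requests` are pure text helpers that can be tried on their own, for example `avc_module_requests "$SAMPLE_AVC"` to see the parsed denial.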

@thebsdbox thebsdbox added documentation Improvements or additions to documentation good first issue Good for newcomers labels Feb 28, 2023
@wyike (Contributor)

wyike commented Mar 15, 2024

My domain_kernel_load_modules is also 0. And I just ran modprobe ip_vs on the node to resolve the issue.
