kubeadm: don't customize etcd selinux label
The original change that added the unconfined label included a comment
indicating it won't be needed in the future.
See: kubernetes#33555 (comment)

That time is now. kubernetes#33663
has landed and means we no longer have to go out of our way to make that
work.

Removing the label also increases security since there wasn't really a
good reason for etcd to be run with such broad selinux privileges.

This also will allow kubeadm to avoid errors on distros without an spc_t
type, such as Gentoo and Container Linux (at the time of writing at
least).

Fixes kubernetes/kubeadm#269
euank committed Jul 20, 2017
1 parent d9bf88c commit 644aef1
Showing 1 changed file with 0 additions and 7 deletions.
7 changes: 0 additions & 7 deletions cmd/kubeadm/app/phases/controlplane/manifests.go
Expand Up @@ -119,13 +119,6 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
LivenessProbe: componentProbe(2379, "/health", v1.URISchemeHTTP),
}, certsVolume(cfg), etcdVolume(cfg), k8sVolume())

etcdPod.Spec.SecurityContext = &v1.PodSecurityContext{
SELinuxOptions: &v1.SELinuxOptions{
// Unconfine the etcd container so it can write to the data dir with SELinux enforcing:
Type: "spc_t",
},
}

staticPodSpecs[etcd] = etcdPod
}
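Review bot: nothing in the change guards the regression the deleted comment was documenting. With the whole block removed, `etcdPod.Spec.SecurityContext` is left unset, so the etcd static pod runs under the node's default SELinux container label, and the deleted line `// Unconfine the etcd container so it can write to the data dir with SELinux enforcing:` names exactly the case that previously failed. Suggest stating in the commit message (beyond the bare reference to kubernetes#33663) what now makes the data dir mounted by `etcdVolume(cfg)` writable under the default label, and verifying on an SELinux-enforcing host before merge; dropping the `spc_t` type is otherwise the right direction, since it removes a broad unconfined privilege that etcd does not need.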
