cli: add --selinux flag to agent/server sub-cmds (#2111)

* cli: add --selinux flag to agent/server sub-cmds

Introduces --selinux flag to affirmatively enable SELinux in containerd.
Deprecates --disable-selinux flag which now defaults to true which
auto-detection of SELinux configuration for containerd is no longer
supported.  Specifying both --selinux and --disable-selinux will result
in an error message encouraging you to pick a side.

* Update pkg/agent/containerd/containerd.go

update log warning message about enabled selinux host but disabled runtime

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>

pkg/agent/config/config.go

@@ -399,7 +399,7 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
 
 	nodeConfig := &config.Node{
 		Docker:                   envInfo.Docker,
-		DisableSELinux:           envInfo.DisableSELinux,
+		SELinux:                  envInfo.EnableSELinux,
 		ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 		FlannelBackend:           controlConfig.FlannelBackend,
 	}
@@ -484,7 +484,6 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
 	nodeConfig.AgentConfig.DisableKubeProxy = controlConfig.DisableKubeProxy
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, DefaultPodManifestPath)
-	nodeConfig.DisableSELinux = envInfo.DisableSELinux
 	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
 
 	return nodeConfig, nil

pkg/agent/containerd/containerd.go

@@ -233,15 +233,10 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to detect selinux")
 	}
-	if cfg.DisableSELinux {
+	switch {
-		containerdConfig.SELinuxEnabled = false
+	case !cfg.SELinux && selEnabled:
-		if selEnabled {
+		logrus.Warn("SELinux is enabled on this host, but " + version.Program + " has not been started with --selinux - containerd SELinux support is disabled")
-			logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
+	case cfg.SELinux && !selConfigured:
-		}
-	} else {
-		containerdConfig.SELinuxEnabled = selEnabled
-	}
-	if containerdConfig.SELinuxEnabled && !selConfigured {
 		logrus.Warnf("SELinux is enabled for "+version.Program+" but process is not running in context '%s', "+version.Program+"-selinux policy may need to be applied", SELinuxContextType)
 	}
 

pkg/agent/templates/templates.go

@@ -10,7 +10,6 @@ import (
 type ContainerdConfig struct {
 	NodeConfig            *config.Node
 	IsRunningInUserNS     bool
-	SELinuxEnabled        bool
 	PrivateRegistryConfig *Registry
 }
 
@@ -21,7 +20,7 @@ const ContainerdConfigTemplate = `
 [plugins.cri]
   stream_server_address = "127.0.0.1"
   stream_server_port = "10010"
-  enable_selinux = {{ .SELinuxEnabled }}
+  enable_selinux = {{ .NodeConfig.SELinux }}
 
 {{- if .IsRunningInUserNS }}
   disable_cgroup = true

pkg/cli/cmds/agent.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/pkg/errors"
 	"github.com/rancher/k3s/pkg/version"
 	"github.com/rancher/spur/cli"
 	"github.com/rancher/spur/cli/altsrc"
@@ -31,7 +32,7 @@ type Agent struct {
 	Rootless                 bool
 	RootlessAlreadyUnshared  bool
 	WithNodeID               bool
-	DisableSELinux           bool
+	EnableSELinux            bool
 	ExtraKubeletArgs         []string
 	ExtraKubeProxyArgs       []string
 	Labels                   []string
@@ -139,25 +140,47 @@ var (
 		Destination: &AgentConfig.Labels,
 	}
 	DisableSELinuxFlag = cli.BoolFlag{
-		Name:        "disable-selinux",
+		Name:   "disable-selinux",
-		Usage:       "(agent/node) Disable SELinux in containerd if currently enabled",
+		Usage:  "(deprecated) Use --selinux to explicitly enable SELinux",
-		Hidden:      true,
+		Hidden: true,
-		Destination: &AgentConfig.DisableSELinux,
+		Value:  true, // disabled by default
 	}
 	ProtectKernelDefaultsFlag = cli.BoolFlag{
 		Name:        "protect-kernel-defaults",
 		Usage:       "(agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.",
 		Destination: &AgentConfig.ProtectKernelDefaults,
 	}
+	SELinuxFlag = cli.BoolFlag{
+		Name:        "selinux",
+		Usage:       "(agent/node) Enable SELinux in containerd",
+		Hidden:      false,
+		Destination: &AgentConfig.EnableSELinux,
+		EnvVars:     []string{version.ProgramUpper + "_SELINUX"},
+	}
 )
 
+func CheckSELinuxFlags(ctx *cli.Context) error {
+	disable, enable := DisableSELinuxFlag.Name, SELinuxFlag.Name
+	switch {
+	case ctx.IsSet(disable) && ctx.IsSet(enable):
+		return errors.Errorf("--%s is deprecated in favor of --%s to affirmatively enable it in containerd", disable, enable)
+	case ctx.IsSet(disable):
+		AgentConfig.EnableSELinux = !ctx.Bool(disable)
+	}
+	return nil
+}
 func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 	return &cli.Command{
 		Name:      "agent",
 		Usage:     "Run node agent",
 		UsageText: appName + " agent [OPTIONS]",
-		Before:    DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name))),
+		Before: func(ctx *cli.Context) error {
-		Action:    InitLogging(action),
+			if err := CheckSELinuxFlags(ctx); err != nil {
+				return err
+			}
+			return DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name)))(ctx)
+		},
+		Action: InitLogging(action),
 		Flags: []cli.Flag{
 			&ConfigFlag,
 			&DebugFlag,
@@ -194,7 +217,6 @@ func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 			&NodeLabels,
 			&NodeTaints,
 			&DockerFlag,
-			&DisableSELinuxFlag,
 			&CRIEndpointFlag,
 			&PauseImageFlag,
 			&SnapshotterFlag,
@@ -212,9 +234,11 @@ func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 				Usage:       "(experimental) Run rootless",
 				Destination: &AgentConfig.Rootless,
 			},
+			&SELinuxFlag,
 
 			// Deprecated/hidden below
 
+			&DisableSELinuxFlag,
 			&FlannelFlag,
 			&cli.StringFlag{
 				Name:        "cluster-secret",

pkg/cli/cmds/server.go

@@ -63,8 +63,13 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 		Name:      "server",
 		Usage:     "Run management server",
 		UsageText: appName + " server [OPTIONS]",
-		Before:    DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name))),
+		Before: func(ctx *cli.Context) error {
-		Action:    InitLogging(action),
+			if err := CheckSELinuxFlags(ctx); err != nil {
+				return err
+			}
+			return DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name)))(ctx)
+		},
+		Action: InitLogging(action),
 		Flags: []cli.Flag{
 			&ConfigFlag,
 			&DebugFlag,
@@ -235,7 +240,6 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 			&NodeLabels,
 			&NodeTaints,
 			&DockerFlag,
-			&DisableSELinuxFlag,
 			&CRIEndpointFlag,
 			&PauseImageFlag,
 			&SnapshotterFlag,
@@ -290,9 +294,11 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 				Usage:       "(experimental) Enable Secret encryption at rest",
 				Destination: &ServerConfig.EncryptSecrets,
 			},
+			&SELinuxFlag,
 
 			// Hidden/Deprecated flags below
 
+			&DisableSELinuxFlag,
 			&FlannelFlag,
 			&cli.StringSliceFlag{
 				Name:  "no-deploy",

pkg/daemons/config/types.go

@@ -26,7 +26,7 @@ type Node struct {
 	Docker                   bool
 	ContainerRuntimeEndpoint string
 	NoFlannel                bool
-	DisableSELinux           bool
+	SELinux                  bool
 	FlannelBackend           string
 	FlannelConf              string
 	FlannelConfOverride      bool
@@ -46,6 +46,7 @@ type Containerd struct {
 	Config   string
 	Opt      string
 	Template string
+	SELinux  bool
 }
 
 type Agent struct {