Conversation

@ngopalak-redhat (Contributor)

In environments like OpenShift, its required to configure SELinux in security context. Hence added a small readme update.

Signed-off-by: Neeraj Krishna Gopalakrishna <[email protected]>
@klihub (Member) left a comment

Thank you! LGTM.

@klihub klihub requested a review from chrishenzie August 29, 2025 06:21
@mikebrow (Member) left a comment

Suggest adding a couple of sentences that describe the expected error that will get generated and what the problem is: volume mounting a host-level socket between the pod and the container runtime.

This way seems like a big hammer. Is there any other way to make it work? SELinux mount label, maybe?

and [best practices](https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/)
about Kubernetes security.

To use the plugins in SELinux-enabled environments, either create a new policy

Suggested change
To use the plugins in SELinux-enabled environments, either create a new policy
One expected path for running NRI plugins is to run them as a pod/container in a daemonset on each of the nodes of a cluster.
### SELinux enabled environments
NOTE: To run the plugins, as a pod, in `SELinux-enabled` environments the kubernetes security level assigned to the pod MUST

Pod security policies have been deprecated. They've become levels assigned or via controller. It's confusing :-)

about Kubernetes security.

To use the plugins in SELinux-enabled environments, either create a new policy
or set the SELinux type to spc_t (Super Privileged Container) in the pod's security
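
Review bot: this line offers two ways to satisfy SELinux but only the second is actionable; "create a new policy" names no policy, no label and no rule, and `spc_t` is introduced without saying what it grants. State what the plugin needs access to (per the discussion above, the container runtime's socket mounted from the host into the pod) and what `spc_t` (Super Privileged Container) grants, so a reader can judge the trade-off; if the first option is not going to be documented, drop it rather than leave it as an empty pointer.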

Suggested change
or set the SELinux type to spc_t (Super Privileged Container) in the pod's security
set the SELinux type label to spc_t (Super Privileged Container) in the pod's security
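
As an added example (not from this PR or from the nri-plugins project), here is what the README sentence above translates to in a manifest: a DaemonSet that runs a plugin on every node, mounts the container runtime's NRI socket from the host, and sets the SELinux type label to `spc_t` in the pod's security context. The DaemonSet name, the image and the socket path `/var/run/nri/nri.sock` are assumptions for illustration; check your runtime's NRI configuration for the real socket path.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nri-example-plugin          # hypothetical name
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: nri-example-plugin
  template:
    metadata:
      labels:
        app: nri-example-plugin
    spec:
      # The NRI socket is a host-level resource. Without an SELinux label that
      # permits access to it, the plugin container is denied the connect on
      # SELinux-enforcing nodes (e.g. OpenShift), which is the failure the
      # README sentence is about.
      securityContext:
        seLinuxOptions:
          type: spc_t               # Super Privileged Container: unconfined by SELinux
      containers:
      - name: plugin
        image: example.invalid/nri-example-plugin:latest   # hypothetical image
        volumeMounts:
        - name: nri-socket
          mountPath: /var/run/nri/nri.sock
      volumes:
      - name: nri-socket
        hostPath:
          path: /var/run/nri/nri.sock   # assumed default; verify in the runtime's NRI config
          type: Socket                  # fail the pod if the socket is not there
```

Two caveats a practitioner will hit: `spc_t` is an unconfined domain, so this is exactly the "big hammer" raised in the review, and a pod-level `seLinuxOptions` applies to every container in the pod, so keep the DaemonSet to the plugin container only. On OpenShift the pod's service account must additionally be bound to a Security Context Constraint that permits both a `hostPath` volume and a custom `seLinuxOptions.type`; the default restricted SCC does not, and the admission controller will reject the pod before SELinux ever gets involved.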
