RKE2 can be run on SELinux-enabled systems, which is the default when it is installed on CentOS/RHEL 7 & 8. The policy supporting this is a specialization of the container-selinux policy for containerd. It accounts for the non-standard location(s) in which RKE2 installs containerd and places its persistent and ephemeral state.
Custom Context Labels
RKE2 runs its control-plane services as static pods, and these pods require access to several paths on the host. For example, the etcd container must be able to read and write under /var/lib/rancher/rke2/server/db, and it also needs read-only access to other state. To make this work without over-privileging the pods (for example by running them as spc_t, the unconfined "super privileged container" type), the RKE2 SELinux policy defines dedicated context labels, rke2_service_t among them, one granting read-write and one granting read-only access. These labels are only applied to the RKE2 control-plane static pods, so ordinary workloads keep the normal container-selinux confinement.
RKE2 support for SELinux amounts to a single configuration item, the --selinux boolean flag. This is a pass-through to the enable_selinux boolean in the cri section of the containerd/cri toml that RKE2 renders for its bundled containerd.
If RKE2 was installed via tarball, SELinux will not be enabled without additional configuration. The recommended method is an entry in the RKE2 config.yaml:

```yaml
# /etc/rancher/rke2/config.yaml is the default location
selinux: true
```
This is equivalent to passing the --selinux flag on the rke2 server or rke2 agent command line, or setting the RKE2_SELINUX=true environment variable.
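Because the setting only takes effect once it has been passed through to containerd, it is worth verifying the result on the host rather than trusting the config file alone. The following script is an added example, not RKE2 project code. It assumes (these paths and names are not stated on this page) that RKE2 renders containerd's configuration to /var/lib/rancher/rke2/agent/etc/containerd/config.toml, that the CRI plugin table is named `plugins."io.containerd.grpc.v1.cri"` (containerd 1.x) or `plugins."io.containerd.cri.v1.runtime"` (containerd 2.x), and that the rke2-selinux package loads a policy module called `rke2`.

```shell
#!/bin/sh
# Added example (not part of RKE2): post-configuration checks for RKE2's SELinux
# integration. Assumed paths/names (not from the page): the rendered containerd
# config location and the "rke2" policy module name. Both paths can be overridden
# through the environment so the parsing functions can be exercised on test files.

RKE2_CONFIG="${RKE2_CONFIG:-/etc/rancher/rke2/config.yaml}"
CONTAINERD_TOML="${CONTAINERD_TOML:-/var/lib/rancher/rke2/agent/etc/containerd/config.toml}"

# Return 0 when the RKE2 config.yaml requests SELinux with a top-level "selinux: true".
# A trailing "# comment" on the line is tolerated.
rke2_config_requests_selinux() {
    grep -Eq '^[[:space:]]*selinux:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"
}

# Return 0 when enable_selinux = true appears inside the CRI plugin table of the
# containerd toml. The file is flat enough to scan with awk: we remember the most
# recent [table] header and only accept the key while inside the CRI table itself
# (sub-tables such as [plugins."io.containerd.grpc.v1.cri".containerd] do not count).
containerd_selinux_enabled() {
    awk '
        /^[[:space:]]*\[/ { section = $0; next }
        /^[[:space:]]*enable_selinux[[:space:]]*=[[:space:]]*true[[:space:]]*(#.*)?$/ {
            if (section ~ /io\.containerd\.(grpc\.v1\.cri|cri\.v1\.runtime)"\]/) { found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Live host checks. Both are skipped (return 1) when the tools are absent,
# which is what you see on a host that has no SELinux at all.
selinux_enforcing() {
    command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]
}

rke2_policy_loaded() {
    # Assumption: the rke2-selinux package installs a module named "rke2".
    command -v semodule >/dev/null 2>&1 && semodule -l 2>/dev/null | grep -qx 'rke2'
}

# Run every check and return 1 if the pass-through to containerd did not happen.
check_rke2_selinux() {
    rc=0
    if rke2_config_requests_selinux "$RKE2_CONFIG"; then
        echo "ok:   $RKE2_CONFIG sets selinux: true"
    else
        echo "warn: $RKE2_CONFIG does not set selinux: true (--selinux or RKE2_SELINUX=true may still apply)"
    fi
    if [ -r "$CONTAINERD_TOML" ]; then
        if containerd_selinux_enabled "$CONTAINERD_TOML"; then
            echo "ok:   containerd CRI plugin has enable_selinux = true"
        else
            echo "FAIL: enable_selinux is not true in $CONTAINERD_TOML"
            rc=1
        fi
    else
        echo "skip: $CONTAINERD_TOML is not readable (agent not started yet?)"
    fi
    if selinux_enforcing; then
        echo "ok:   SELinux is enforcing"
    else
        echo "warn: SELinux is not enforcing; enable_selinux has no effect until it is"
    fi
    if rke2_policy_loaded; then
        echo "ok:   rke2 SELinux policy module is loaded"
    else
        echo "warn: rke2 policy module not loaded (tarball install needs rke2-selinux installed separately)"
    fi
    return $rc
}

# Only run the checks when invoked as: sh rke2-selinux-check.sh --run
case "${1:-}" in
    --run) check_rke2_selinux ;;
esac
```

The two parsing functions are the ones worth keeping in a fleet audit: a `selinux: true` that never reached containerd (for example because the agent was started from an older config) shows up as a `FAIL` here, while a missing policy module or a permissive host is reported as a warning because the containerd setting is correct but ineffective.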