├── .gitignore
├── .github
└── dependabot.yml
├── policy
├── centos7
│ ├── scripts
│ │ ├── entry
│ │ ├── build
│ │ ├── sign
│ │ ├── version
│ │ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
├── centos8
│ ├── scripts
│ │ ├── entry
│ │ ├── build
│ │ ├── sign
│ │ ├── version
│ │ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
├── centos9
│ ├── scripts
│ │ ├── entry
│ │ ├── build
│ │ ├── sign
│ │ ├── version
│ │ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
├── coreos
│ ├── scripts
│ │ ├── entry
│ │ ├── build
│ │ ├── sign
│ │ ├── version
│ │ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
├── microos
│ ├── scripts
│ │ ├── entry
│ │ ├── build
│ │ ├── sign
│ │ ├── version
│ │ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
└── slemicro
│ ├── scripts
│ ├── entry
│ ├── build
│ ├── sign
│ ├── version
│ └── upload-repo
│ ├── k3s.if
│ ├── k3s.te
│ ├── k3s-selinux.spec
│ └── k3s.fc
├── Dockerfile.centos9.dapper
├── Dockerfile.coreos.dapper
├── Dockerfile.centos8.dapper
├── Dockerfile.microos.dapper
├── Dockerfile.slemicro.dapper
├── Dockerfile.centos7.dapper
├── Makefile
├── README.md
├── test
├── centos8
│ └── Vagrantfile
└── fedora34
│ └── Vagrantfile
├── LICENSE
└── .drone.yml
/.gitignore:
--------------------------------------------------------------------------------
1 | /dist
2 | .dapper
3 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | version: 2
3 | updates:
4 | - package-ecosystem: "docker"
5 | directory: "/"
6 | reviewers:
7 | - "k3s-io/k3s-dev"
8 | schedule:
9 | interval: "monthly"
10 |
--------------------------------------------------------------------------------
/policy/centos7/scripts/entry:
--------------------------------------------------------------------------------
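#!/bin/sh
# Dapper entrypoint for the centos7 policy build image.
#
#   entry <name> [args...]    runs ./policy/centos7/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/centos7/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/centos7/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi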
13 |
--------------------------------------------------------------------------------
/policy/centos8/scripts/entry:
--------------------------------------------------------------------------------
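#!/bin/sh
# Dapper entrypoint for the centos8 policy build image.
#
#   entry <name> [args...]    runs ./policy/centos8/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/centos8/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/centos8/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi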
13 |
--------------------------------------------------------------------------------
/policy/centos9/scripts/entry:
--------------------------------------------------------------------------------
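#!/bin/sh
# Dapper entrypoint for the centos9 policy build image.
#
#   entry <name> [args...]    runs ./policy/centos9/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/centos9/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/centos9/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi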
13 |
--------------------------------------------------------------------------------
/policy/coreos/scripts/entry:
--------------------------------------------------------------------------------
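#!/bin/sh
# Dapper entrypoint for the coreos policy build image.
#
#   entry <name> [args...]    runs ./policy/coreos/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/coreos/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/coreos/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi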
13 |
--------------------------------------------------------------------------------
/policy/microos/scripts/entry:
--------------------------------------------------------------------------------
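#!/bin/sh
# Dapper entrypoint for the microos policy build image.
#
#   entry <name> [args...]    runs ./policy/microos/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/microos/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/microos/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi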
13 |
--------------------------------------------------------------------------------
/policy/slemicro/scripts/entry:
--------------------------------------------------------------------------------
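#!/bin/sh
# Dapper entrypoint for the slemicro policy build image.
#
#   entry <name> [args...]    runs ./policy/slemicro/scripts/<name> with args
#   entry <command> [args...] execs <command> unchanged when no such script exists
#
# Dapper bind-mounts the checkout and the build writes into it as root;
# DAPPER_UID/DAPPER_GID name the host user the tree is handed back to, with
# -1 (or unset) meaning "leave ownership alone".
set -ex

# Return ownership of the tree to the host user.  Installed as an EXIT trap so
# it also runs when the wrapped script fails -- previously set -e aborted
# before the chown and left root-owned files in the host checkout.
restore_ownership() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/slemicro/scripts/"$1" ]; then
    trap restore_ownership EXIT
    ./policy/slemicro/scripts/"$@"
else
    # exec replaces this shell, so no ownership fixup happens on this path
    # (unchanged: the chown was never reachable after exec).
    exec "$@"
fi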
13 |
--------------------------------------------------------------------------------
/Dockerfile.centos9.dapper:
--------------------------------------------------------------------------------
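# Dapper build image for the CentOS Stream 9 flavour of the k3s SELinux policy.
FROM quay.io/centos/centos:stream9

# EPEL is enabled before the toolchain install (presumably for container-selinux
# on this base; confirm).  Packages are unpinned, so builds are not reproducible.
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  key=value form avoids the
# LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/centos9/scripts/entry"]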
13 |
--------------------------------------------------------------------------------
/Dockerfile.coreos.dapper:
--------------------------------------------------------------------------------
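# Dapper build image for the coreos flavour of the k3s SELinux policy.
# Built on plain Fedora (presumably because Fedora CoreOS tracks Fedora's
# selinux-policy; confirm).
FROM fedora:40

# NOTE(review): this rewrite of mirrorlist/#baseurl lines is the same one
# Dockerfile.centos8.dapper needs for the retired CentOS 8 mirrors; on a
# fedora:40 base it is not expected to match anything and looks like a
# leftover -- confirm and drop.
RUN find /etc/yum.repos.d -type f -name '*.repo' -exec \
    sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g' {} \;
# Unpinned toolchain install; builds are not reproducible.
RUN yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  key=value form avoids the
# LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/coreos/scripts/entry"]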
14 |
--------------------------------------------------------------------------------
/Dockerfile.centos8.dapper:
--------------------------------------------------------------------------------
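# Dapper build image for the CentOS 8 flavour of the k3s SELinux policy.
# centos:8 is end-of-life and no longer receives package updates.
FROM centos:8

# The mirror network dropped CentOS 8, so point every repo file at the vault
# (plain http, as the original did) and drop the dead mirrorlist entries.
RUN find /etc/yum.repos.d -type f -name '*.repo' -exec \
    sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g' {} \;
# EPEL is enabled before the toolchain install (presumably for container-selinux;
# confirm).  Packages are unpinned, so builds are not reproducible.
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  key=value form avoids the
# LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/centos8/scripts/entry"]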
15 |
--------------------------------------------------------------------------------
/Dockerfile.microos.dapper:
--------------------------------------------------------------------------------
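# Dapper build image for the microos flavour of the k3s SELinux policy.
# The base is overridable at build time: docker build --build-arg TUMBLEWEED=...
ARG TUMBLEWEED=opensuse/tumbleweed
FROM ${TUMBLEWEED}

# NOTE(review): a prebuilt binary is fetched from a GitHub release with no
# digest verification and then wraps every RUN step and the entrypoint; pin it
# with ADD --checksum=sha256:<release digest> (BuildKit) once the digest is
# recorded.  The asset is x86_64-only, so this image does not build elsewhere.
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
RUN chmod +x /bin/clone3-workaround
# Presumably works around hosts whose seccomp profile rejects clone3 for the
# Tumbleweed userspace -- confirm this is still needed.
SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
# Unpinned toolchain install; builds are not reproducible.
RUN zypper install -y container-selinux git rpm-build selinux-policy-devel

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  key=value form avoids the
# LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]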
16 |
--------------------------------------------------------------------------------
/Dockerfile.slemicro.dapper:
--------------------------------------------------------------------------------
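# Dapper build image for the slemicro flavour of the k3s SELinux policy.
# The base is overridable at build time: docker build --build-arg TUMBLEWEED=...
ARG TUMBLEWEED=opensuse/tumbleweed
FROM ${TUMBLEWEED}

# NOTE(review): a prebuilt binary is fetched from a GitHub release with no
# digest verification and then wraps every RUN step and the entrypoint; pin it
# with ADD --checksum=sha256:<release digest> (BuildKit) once the digest is
# recorded.  The asset is x86_64-only, so this image does not build elsewhere.
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
RUN chmod +x /bin/clone3-workaround
# Presumably works around hosts whose seccomp profile rejects clone3 for the
# Tumbleweed userspace -- confirm this is still needed.
SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
# Unpinned toolchain install; builds are not reproducible.
RUN zypper install -y container-selinux git rpm-build selinux-policy-devel

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  key=value form avoids the
# LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["clone3-workaround", "./policy/slemicro/scripts/entry"]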
16 |
--------------------------------------------------------------------------------
/policy/centos7/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_domain administrative access to $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.  This flavour requires container_domain where the other
# policy trees use container_runtime_domain -- presumably what the el7
# container-selinux provides; confirm.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/centos8/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_runtime_domain administrative access to
# $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_runtime_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/centos9/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_runtime_domain administrative access to
# $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_runtime_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/coreos/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_runtime_domain administrative access to
# $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_runtime_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/microos/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_runtime_domain administrative access to
# $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_runtime_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/slemicro/k3s.if:
--------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
# Declares $1_t (carrying the new attribute $1_domain) as a process domain
# that system_r and sysadm_r may run, marks $1_t as an entry-point file type
# for $1_domain, and gives container_runtime_domain administrative access to
# $1_t.
# NOTE(review): can_exec($1_t, exec_type) lets the domain execute any file
# with the exec_type attribute -- deliberately broad; narrow if a tighter
# policy is wanted.
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	can_exec($1_t, exec_type)
	domain_type($1_t)
	domain_entry_file($1_domain, $1_t)

	admin_pattern(container_runtime_domain, $1_t)
')
28 |
--------------------------------------------------------------------------------
/policy/coreos/scripts/build:
--------------------------------------------------------------------------------
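#!/bin/bash
# Builds the coreos k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.coreos.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/coreos,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference:
#dnf install -y dist/noarch/k3s-selinux-*.rpm
#semodule --disable k3s
#dnf remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/coreos"
mkdir -p "${out}"
cp -r dist/* "${out}"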
25 |
--------------------------------------------------------------------------------
/policy/centos7/scripts/build:
--------------------------------------------------------------------------------
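#!/bin/bash
# Builds the centos7 k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.centos7.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/centos7,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference:
#yum install -y dist/noarch/k3s-selinux-*.rpm
#semodule --disable k3s
#yum remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/centos7"
mkdir -p "${out}"
cp -r dist/* "${out}"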
25 |
--------------------------------------------------------------------------------
/policy/centos8/scripts/build:
--------------------------------------------------------------------------------
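#!/bin/bash
# Builds the centos8 k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.centos8.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/centos8,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference:
#dnf install -y dist/noarch/k3s-selinux-*.rpm
#semodule --disable k3s
#dnf remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/centos8"
mkdir -p "${out}"
cp -r dist/* "${out}"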
25 |
--------------------------------------------------------------------------------
/policy/centos9/scripts/build:
--------------------------------------------------------------------------------
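#!/bin/bash
# Builds the centos9 k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.centos9.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/centos9,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference:
#dnf install -y dist/noarch/k3s-selinux-*.rpm
#semodule --disable k3s
#dnf remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/centos9"
mkdir -p "${out}"
cp -r dist/* "${out}"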
25 |
--------------------------------------------------------------------------------
/policy/microos/scripts/build:
--------------------------------------------------------------------------------
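#!/bin/bash
# Builds the microos k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.microos.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/microos,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference (the build output is unsigned at this
# point, hence --allow-unsigned-rpm):
#zypper install -y --allow-unsigned-rpm dist/noarch/*.rpm
#semodule --disable k3s
#zypper remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/microos"
mkdir -p "${out}"
cp -r dist/* "${out}"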
25 |
--------------------------------------------------------------------------------
/policy/slemicro/scripts/build:
--------------------------------------------------------------------------------
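#!/bin/bash
# Builds the slemicro k3s SELinux policy module and packages it as an RPM.
# Meant to run inside the dapper container (Dockerfile.slemicro.dapper).  Output
# lands in dist/ next to this policy and is copied to <source>/dist/slemicro,
# where the sign/upload targets expect it.
set -e -x

# Work from the policy directory (parent of scripts/), whatever the cwd was.
# Quoted so a checkout path with spaces does not split.
cd "$(dirname "$0")/.."
# Expected to set RPM_VERSION and RPM_RELEASE from the git tag.
. ./scripts/version

# Compile the policy sources in this directory into the k3s.pp module with the
# selinux-policy-devel makefile.
make -f /usr/share/selinux/devel/Makefile k3s.pp

# Every rpmbuild directory is redirected into this checkout so nothing depends
# on ~/rpmbuild; -ba produces both the source RPM and the binary RPM.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir ${PWD}" \
    --define "_specdir ${PWD}" \
    --define "_builddir ${PWD}" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir ${PWD}/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

# Manual smoke test, kept for reference (the build output is unsigned at this
# point, hence --allow-unsigned-rpm):
#zypper install -y --allow-unsigned-rpm dist/noarch/*.rpm
#semodule --disable k3s
#zypper remove k3s-selinux

# Publish into the shared dist tree.  DAPPER_SOURCE is set by the dapper image;
# the fallback keeps the previously hard-coded /source for any other caller.
out="${DAPPER_SOURCE:-/source}/dist/slemicro"
mkdir -p "${out}"
cp -r dist/* "${out}"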
25 |
--------------------------------------------------------------------------------
/Dockerfile.centos7.dapper:
--------------------------------------------------------------------------------
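# Dapper image for the CentOS 7 flavour of the k3s SELinux policy.  It is also
# the image the Makefile uses for every sign-* and upload-* target, which is
# why its DAPPER_ENV is the only one that forwards credentials.
# centos:7 is end-of-life and no longer receives package updates.
FROM centos:7

# The mirror network dropped CentOS 7, so strip the mirrorlist entries and
# point every repo file at a vault mirror (plain http, as the original did).
RUN sed -i -e "s/mirrorlist.*//g" /etc/yum.repos.d/*
RUN sed -i -e "s/#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/linuxsoft.cern.ch\/centos-vault\//g" /etc/yum.repos.d/*

# EPEL is enabled before the toolchain install (presumably for container-selinux;
# confirm).  Packages are unpinned, so builds are not reproducible.
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

# Dapper conventions: the checkout is mounted at DAPPER_SOURCE, build output is
# collected from DAPPER_OUTPUT, and only the host variables listed in
# DAPPER_ENV are forwarded into the container.  Here that list includes the
# GPG signing keys/passphrases and the AWS credentials for the sign and
# upload-repo scripts; they are plain environment variables inside the
# container, so nothing run here should echo the environment.  key=value form
# avoids the LegacyKeyValueFormat warning of the space-separated syntax.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH DRONE_TAG TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/centos7/scripts/entry"]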
16 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
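# One build-/sign-/upload- target per directory under policy/ (centos7, ...).
UPLOAD_TARGETS := $(addprefix upload-,$(shell ls policy/))
BUILD_TARGETS := $(addprefix build-,$(shell ls policy/))
SIGN_TARGETS := $(addprefix sign-,$(shell ls policy/))

# Fetch the dapper binary once.  NOTE(review): this pulls an unpinned "latest"
# build over HTTPS with no digest check; pin a release and verify a checksum
# before relying on it in a release pipeline.  -f makes curl fail on an HTTP
# error instead of saving the error page as the binary (the -v check would
# have caught that only after chmod).
.dapper:
	@echo Downloading dapper
	@curl -sfL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
	@chmod +x .dapper.tmp
	@./.dapper.tmp -v
	@mv .dapper.tmp .dapper

# build-<os>: run that flavour's build script inside its own dapper image.
$(BUILD_TARGETS): .dapper
	./.dapper -f Dockerfile.$(@:build-%=%).dapper ./policy/$(@:build-%=%)/scripts/build

# sign-<os> / upload-<os>: always run in the centos7 image, whose DAPPER_ENV
# forwards the signing-key and AWS credential variables into the container.
$(SIGN_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:sign-%=%)/scripts/sign

$(UPLOAD_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:upload-%=%)/scripts/upload-repo

# Drop build output and the numbered Dockerfile copies dapper leaves behind.
clean:
	rm -rf dist/ Dockerfile.*.dapper[0-9]*

.PHONY: $(UPLOAD_TARGETS) $(BUILD_TARGETS) $(SIGN_TARGETS) clean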
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # k3s-selinux
2 | K3s selinux policy repository.
3 |
4 | ## Signing Keys
5 |
6 | - https://rpm.rancher.io/public.key
7 | - https://rpm-testing.rancher.io/public.key
8 |
9 | ## Versioning/Tagging
10 |
11 | The version parsing logic for `rancher/k3s-selinux` expects tags to follow a specific format that maps directly onto RPM naming.
12 |
13 | The tag format should be as follows: `v{k3s-selinux-version}.{rpm channel}.{rpm release}` where
14 |
15 | k3s-selinux-version is like `0.1`, `0.2`, etc.
16 | rpm channel is like `testing`, `latest`, `stable`
17 | rpm release is like `1`, `2`
18 |
19 | The rpm release should start at `1` for released RPMs.
20 |
21 | The following table shows example tag-to-RPM transformations:
22 |
23 | |Tag|Tree State|Output RPM|RPM Channel|Notes|
24 | |:--|:---------|:---------|:----------|:----|
25 | | master (no tag) | Clean | `k3s-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
26 | | master (no tag) | Dirty | `k3s-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
27 | | v0.2.testing.1 | Clean | `k3s-selinux-0.2-1.el7_8.noarch.rpm` | Testing ||
28 | | v0.2.latest.1 | Clean | `k3s-selinux-0.2-1.el7_8.noarch.rpm` | Latest ||
29 | | v0.2.latest.2 | Clean | `k3s-selinux-0.2-2.el7_8.noarch.rpm` | Latest ||
30 |
--------------------------------------------------------------------------------
/test/centos8/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Test VM for the el8 build of k3s-selinux: installs the locally built RPM
# rsynced from ../../dist/centos8/noarch, then a k3s server through the
# vagrant-k3s plugin.
Vagrant.configure("2") do |config|
  config.vagrant.plugins = ["vagrant-k3s"]
  config.vm.box = "centos/stream8"

  # Identical sizing for every supported provider.
  providers = ["hyperv", "libvirt", "virtualbox", "vmware_desktop"]
  providers.each do |name|
    config.vm.provider(name) do |vm, _override|
      vm.memory = "2048"
      vm.cpus = 2
    end
  end

  # Only the build output is shared into the guest; the default mount of this
  # directory at /vagrant is switched off.
  config.vm.synced_folder '.', '/vagrant', disabled: true
  config.vm.synced_folder '../../dist/centos8/noarch', '/vagrant/dist', type: 'rsync'

  # Alternative: install a published release instead of the local build.
  # config.vm.provision :shell, run: 'once', inline: 'set -x; dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v0.4.stable.1/k3s-selinux-0.4-1.el8.noarch.rpm'
  install_local_rpm = <<~EOF
    #!/usr/bin/env bash
    set -eux -o pipefail
    dnf install -y \
    /vagrant/dist/k3s-selinux-*.el8.noarch.rpm
  EOF
  config.vm.provision :shell, run: 'once' do |sh|
    sh.inline = install_local_rpm
  end

  # vagrant [up|provision] --provision-with=k3s
  k3s_environment = <<~ENV
    INSTALL_K3S_NAME=server
    INSTALL_K3S_SKIP_SELINUX_RPM=true
    INSTALL_K3S_CHANNEL=v1.21
    K3S_KUBECONFIG_MODE=0644
    K3S_SELINUX=true
    K3S_TOKEN=vagrant
  ENV
  config.vm.provision :k3s, run: 'once' do |k3s|
    k3s.config_mode = '0644'
    k3s.env = k3s_environment
  end
end
42 |
--------------------------------------------------------------------------------
/test/fedora34/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Test VM for k3s-selinux on Fedora 34.  Reuses the el8 build output from
# ../../dist/centos8/noarch (there is no fedora build flavour).
Vagrant.configure("2") do |config|
  config.vagrant.plugins = ["vagrant-k3s"]

  config.vm.box = "fedora/34-cloud-base"

  # Identical sizing for every supported provider.
  %w[hyperv libvirt virtualbox vmware_desktop].each do |p|
    config.vm.provider p do |v, o|
      v.memory = "2048"
      v.cpus = 2
    end
  end

  # Only the build output is shared into the guest; the default mount of this
  # directory at /vagrant is switched off.
  config.vm.synced_folder '.', '/vagrant', disabled: true
  config.vm.synced_folder '../../dist/centos8/noarch', '/vagrant/dist', type: 'rsync'

  # NOTE(review): unlike test/centos8, this line is active: it installs the
  # published v0.4.stable.1 RPM *before* the local build below.  If the local
  # build does not carry a newer version, dnf may refuse or skip the second
  # install and the VM ends up testing the release, not the checkout -- confirm
  # this is intended.
  config.vm.provision :shell, run: 'once', inline: 'set -x; dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v0.4.stable.1/k3s-selinux-0.4-1.el8.noarch.rpm'
  # Pulls a specific container-selinux build from koji (pinned version, HTTPS,
  # but no digest check) together with the local k3s-selinux RPM.
  config.vm.provision :shell, run: 'once' do |sh|
    sh.inline = <<~EOF
      #!/usr/bin/env bash
      set -eux -o pipefail
      dnf install -y \
      https://kojipkgs.fedoraproject.org/packages/container-selinux/2.170.0/2.fc34/noarch/container-selinux-2.170.0-2.fc34.noarch.rpm \
      /vagrant/dist/k3s-selinux-*.el8.noarch.rpm
    EOF
  end

  # vagrant [up|provision] --provision-with=k3s
  # run: 'never' -- the k3s install only happens when requested explicitly.
  # Unlike test/centos8 no config_mode is set here; presumably an oversight,
  # confirm.
  config.vm.provision :k3s, run: 'never' do |k3s|
    k3s.env = <<~ENV
      INSTALL_K3S_NAME=server
      INSTALL_K3S_SKIP_SELINUX_RPM=true
      INSTALL_K3S_VERSION=v1.21.5+k3s2
      K3S_KUBECONFIG_MODE=0644
      K3S_SELINUX=true
      K3S_TOKEN=vagrant
    ENV
  end
end
42 |
--------------------------------------------------------------------------------
/policy/centos7/scripts/sign:
--------------------------------------------------------------------------------
#!/bin/bash
# Signs the built RPMs with the GPG key of the selected channel.
# Runs inside the dapper container (the Makefile always uses
# Dockerfile.centos7.dapper for sign-*, whose DAPPER_ENV forwards the key
# material).  Inputs come from the environment:
#   RPM_CHANNEL (set by scripts/version)  testing | latest | stable
#   testing        -> TESTING_PRIVATE_KEY / TESTING_PRIVATE_KEY_PASS_PHRASE
#   latest, stable -> PRIVATE_KEY / PRIVATE_KEY_PASS_PHRASE
# The script continues past this point (the rpm signing itself); that part is
# not shown here.
#
# NOTE(review): set -x is on for the whole script.  bash prints assignments in
# full, so the `export PRIVATE_KEY_PASS_PHRASE=...` below writes the testing
# passphrase into the CI log; wrap it in `set +x` / `set -x` (or assign without
# tracing).  The here-strings carrying the keys are redirections and are not
# echoed by xtrace.
set -e -x

# Unpinned, installed at sign time.
yum install -y rpm-sign expect git

# Load RPM_VERSION / RPM_RELEASE / RPM_CHANNEL without leaving the cwd.
pushd $(dirname $0)/..
. ./scripts/version
popd

# rpm signing configuration: detached gpg signature by ci@rancher.com, passphrase
# supplied on fd 3 (rpm-sign feeds it), SHA-256 for both the signature digest
# and the file digests (rpm algorithm id 8).  --force-v3-sigs is presumably a
# no-op on current GnuPG; confirm.  The heredoc is quoted so nothing expands.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# Pick the key for the channel.  The grep only checks that an armored private
# key block was supplied; it prints the matching header line, not the key body.
case "$RPM_CHANNEL" in
    "testing")
        # Leaks the passphrase into the xtrace output -- see the note above.
        export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
            echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$TESTING_PRIVATE_KEY"
        ;;
    "latest"|"stable")
        # Release key; PRIVATE_KEY_PASS_PHRASE is used as passed in.
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
            echo "PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$PRIVATE_KEY"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
40 | expect <~/.rpmmacros
11 | %_signature gpg
12 | %_gpg_name ci@rancher.com
13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
14 | %_source_filedigest_algorithm 8
15 | %_binary_filedigest_algorithm 8
16 | EOF
17 |
18 | case "$RPM_CHANNEL" in
19 | "testing")
20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
21 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
23 | exit 1
24 | fi
25 | gpg --import - <<<"$TESTING_PRIVATE_KEY"
26 | ;;
27 | "latest"|"stable")
28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
29 | echo "PRIVATE_KEY not defined, failing rpm sign"
30 | exit 1
31 | fi
32 | gpg --import - <<<"$PRIVATE_KEY"
33 | ;;
34 | *)
35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
36 | exit 1
37 | ;;
38 | esac
39 |
40 | expect <~/.rpmmacros
11 | %_signature gpg
12 | %_gpg_name ci@rancher.com
13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
14 | %_source_filedigest_algorithm 8
15 | %_binary_filedigest_algorithm 8
16 | EOF
17 |
18 | case "$RPM_CHANNEL" in
19 | "testing")
20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
21 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
23 | exit 1
24 | fi
25 | gpg --import - <<<"$TESTING_PRIVATE_KEY"
26 | ;;
27 | "latest"|"stable")
28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
29 | echo "PRIVATE_KEY not defined, failing rpm sign"
30 | exit 1
31 | fi
32 | gpg --import - <<<"$PRIVATE_KEY"
33 | ;;
34 | *)
35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
36 | exit 1
37 | ;;
38 | esac
39 |
40 | expect <~/.rpmmacros
11 | %_signature gpg
12 | %_gpg_name ci@rancher.com
13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
14 | %_source_filedigest_algorithm 8
15 | %_binary_filedigest_algorithm 8
16 | EOF
17 |
18 | case "$RPM_CHANNEL" in
19 | "testing")
20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
21 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
23 | exit 1
24 | fi
25 | gpg --import - <<<"$TESTING_PRIVATE_KEY"
26 | ;;
27 | "latest"|"stable")
28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
29 | echo "PRIVATE_KEY not defined, failing rpm sign"
30 | exit 1
31 | fi
32 | gpg --import - <<<"$PRIVATE_KEY"
33 | ;;
34 | *)
35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
36 | exit 1
37 | ;;
38 | esac
39 |
40 | expect <~/.rpmmacros
11 | %_signature gpg
12 | %_gpg_name ci@rancher.com
13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
14 | %_source_filedigest_algorithm 8
15 | %_binary_filedigest_algorithm 8
16 | EOF
17 |
18 | case "$RPM_CHANNEL" in
19 | "testing")
20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
21 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
23 | exit 1
24 | fi
25 | gpg --import - <<<"$TESTING_PRIVATE_KEY"
26 | ;;
27 | "latest"|"stable")
28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
29 | echo "PRIVATE_KEY not defined, failing rpm sign"
30 | exit 1
31 | fi
32 | gpg --import - <<<"$PRIVATE_KEY"
33 | ;;
34 | *)
35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
36 | exit 1
37 | ;;
38 | esac
39 |
40 | expect <~/.rpmmacros
11 | %_signature gpg
12 | %_gpg_name ci@rancher.com
13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
14 | %_source_filedigest_algorithm 8
15 | %_binary_filedigest_algorithm 8
16 | EOF
17 |
18 | case "$RPM_CHANNEL" in
19 | "testing")
20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
21 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
23 | exit 1
24 | fi
25 | gpg --import - <<<"$TESTING_PRIVATE_KEY"
26 | ;;
27 | "latest"|"stable")
28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
29 | echo "PRIVATE_KEY not defined, failing rpm sign"
30 | exit 1
31 | fi
32 | gpg --import - <<<"$PRIVATE_KEY"
33 | ;;
34 | *)
35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
36 | exit 1
37 | ;;
38 | esac
39 |
40 | expect <
27 |
28 | Group: System Environment/Base
29 | License: Apache-2.0
30 | URL: https://k3s.io
31 | Source0: k3s.pp
32 | Source1: k3s.if
33 |
34 | BuildArch: noarch
35 | BuildRequires: container-selinux >= %{container_policyver}
36 | BuildRequires: git
37 | BuildRequires: selinux-policy >= %{selinux_policyver}
38 | BuildRequires: selinux-policy-devel >= %{selinux_policyver}
39 |
40 | Requires: policycoreutils, selinux-tools
41 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
42 | Requires(postun): policycoreutils
43 |
44 | Provides: %{name} = %{version}-%{release}
45 | Obsoletes: k3s-selinux <= 0.5
46 | Conflicts: rke2-selinux
47 |
48 | %description
49 | This package installs and sets up the SELinux policy security module for k3s.
50 |
51 | %install
52 | install -d %{buildroot}%{_datadir}/selinux/packages
53 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
54 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
55 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
56 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/
57 |
58 | %pre
59 | %selinux_relabel_pre
60 |
61 | %post
62 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
63 | if /usr/sbin/selinuxenabled ; then
64 | /usr/sbin/load_policy
65 | %k3s_relabel_files
66 | fi;
67 |
68 | %postun
69 | if [ $1 -eq 0 ]; then
70 | %selinux_modules_uninstall k3s
71 | fi;
72 |
73 | %posttrans
74 | %selinux_relabel_post
75 |
76 | %files
77 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
78 | %{_datadir}/selinux/devel/include/contrib/k3s.if
79 |
80 | %changelog
81 | * Mon Feb 24 2020 Darren Shepherd 1.0-1
82 | - Initial version
83 |
84 |
--------------------------------------------------------------------------------
/policy/slemicro/k3s-selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# k3s_relabel_files: shell snippet expanded into the post scriptlet below.
# The mkdir -p calls pre-create the directories that restorecon then
# relabels, so the right labels are in place before k3s first starts
# (the label rules come from k3s.fc in this module and, presumably, from
# the container-selinux policy this package depends on).  For the two unit
# files -i makes a missing k3s.service (policy installed before k3s) a
# no-op rather than an error; -F forces the whole context to be reset,
# -R recurses and -T 0 asks restorecon to use as many threads as there
# are CPU cores.
%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -FR -T 0 -i /etc/systemd/system/k3s.service; \
restorecon -FR -T 0 -i /usr/lib/systemd/system/k3s.service; \
restorecon -FR -T 0 /var/lib/cni; \
restorecon -FR -T 0 /var/lib/kubelet; \
restorecon -FR -T 0 /var/lib/rancher; \
restorecon -FR -T 0 /var/run/k3s; \
restorecon -FR -T 0 /var/run/flannel

# Minimum base-policy and container-selinux versions this module is built
# and installed against.  The policy version follows SUSE's date-based
# scheme; no epoch prefix is used on this distribution.
%define selinux_policyver 20210716-3.1
%define container_policyver 2.167.0-1

# Version and Release are expected to be supplied by the build script
# (rpmbuild --define); they are not set in this file.
Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.slemicro
Summary: SELinux policy module for k3s
Vendor: K3s Project
Packager: K3s Project

Group: System Environment/Base
License: Apache-2.0
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

# noarch: the package only carries a compiled policy module plus its
# interface file.  selinux-policy-devel presumably supplies the selinux_*
# scriptlet macros used below; container-selinux supplies the container_*
# types that k3s.fc refers to.
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

# selinux-tools is presumably the SUSE counterpart of the libselinux-utils
# package the el variants of this spec require.
Requires: policycoreutils, selinux-tools
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}
Requires(postun): policycoreutils

# Obsoletes covers the pre-0.5 builds of this same package; the rke2
# policy is refused outright, presumably because it defines overlapping
# types for the shared container runtime paths.
Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
This package installs and sets up the SELinux policy security module for k3s.

%install
# The compiled module goes to the standard packages directory and the
# interface file where other policy modules can include it.  The mode
# given here for k3s.pp is overridden by the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): nothing is installed into this directory and it is not
# listed in the files section, so it looks like a leftover -- confirm
# before removing it.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

%pre
%selinux_relabel_pre

%post
# Install the module into the policy store; only if SELinux is actually
# enabled on this host, load the new policy and relabel the k3s paths
# right away so the first start of k3s runs with the right contexts.
%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%k3s_relabel_files
fi;

%postun
# rpm passes the number of instances of this package that remain after
# the transaction; 0 means a real erase (not an upgrade), the only case
# in which the module must be removed from the store.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall k3s
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled policy is readable by root only; the interface file keeps
# the default (world readable) mode.
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if

%changelog
* Mon Feb 24 2020 Darren Shepherd 1.0-1
- Initial version


--------------------------------------------------------------------------------
/policy/centos8/k3s-selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# k3s_relabel_files: shell snippet expanded into the post scriptlet below.
# The mkdir -p calls pre-create the directories that restorecon then
# relabels, so the right labels are in place before k3s first starts
# (the label rules come from k3s.fc in this module and, presumably, from
# the container-selinux policy this package depends on).  For the two unit
# files -i makes a missing k3s.service (policy installed before k3s) a
# no-op rather than an error; -F forces the whole context to be reset and
# -R recurses.  No -T here, presumably because the restorecon shipped on
# el8 predates that option.
%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -FR -i /etc/systemd/system/k3s.service; \
restorecon -FR -i /usr/lib/systemd/system/k3s.service; \
restorecon -FR /var/lib/cni; \
restorecon -FR /var/lib/kubelet; \
restorecon -FR /var/lib/rancher; \
restorecon -FR /var/run/k3s; \
restorecon -FR /var/run/flannel

# Minimum base-policy and container-selinux versions this module is built
# and installed against.  The epoch prefix on the container-selinux
# requirement presumably mirrors the Epoch carried by the el8 package.
%define selinux_policyver 3.14.3-67
%define container_policyver 2.167.0-1
%define container_policy_epoch 2

# Version and Release are expected to be supplied by the build script
# (rpmbuild --define); they are not set in this file.
Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.el8
Summary: SELinux policy module for k3s
Vendor: K3s Project
Packager: K3s Project

Group: System Environment/Base
License: Apache-2.0
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

# noarch: the package only carries a compiled policy module plus its
# interface file.  selinux-policy-devel presumably supplies the selinux_*
# scriptlet macros used below; container-selinux supplies the container_*
# types that k3s.fc refers to.
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils

# Obsoletes covers the pre-0.5 builds of this same package; the rke2
# policy is refused outright, presumably because it defines overlapping
# types for the shared container runtime paths.
Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
This package installs and sets up the SELinux policy security module for k3s.

%install
# The compiled module goes to the standard packages directory and the
# interface file where other policy modules can include it.  The mode
# given here for k3s.pp is overridden by the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): nothing is installed into this directory and it is not
# listed in the files section, so it looks like a leftover -- confirm
# before removing it.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

%pre
%selinux_relabel_pre

%post
# Install the module into the policy store; only if SELinux is actually
# enabled on this host, load the new policy and relabel the k3s paths
# right away so the first start of k3s runs with the right contexts.
%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%k3s_relabel_files
fi;

%postun
# rpm passes the number of instances of this package that remain after
# the transaction; 0 means a real erase (not an upgrade), the only case
# in which the module must be removed from the store.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall k3s
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled policy is readable by root only; the interface file keeps
# the default (world readable) mode.
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if

%changelog
* Mon Feb 24 2020 Darren Shepherd 1.0-1
- Initial version


--------------------------------------------------------------------------------
/policy/centos9/k3s-selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# k3s_relabel_files: shell snippet expanded into the post scriptlet below.
# The mkdir -p calls pre-create the directories that restorecon then
# relabels, so the right labels are in place before k3s first starts
# (the label rules come from k3s.fc in this module and, presumably, from
# the container-selinux policy this package depends on).  For the two unit
# files -i makes a missing k3s.service (policy installed before k3s) a
# no-op rather than an error; -F forces the whole context to be reset,
# -R recurses and -T 0 asks restorecon to use as many threads as there
# are CPU cores.
%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -FR -T 0 -i /etc/systemd/system/k3s.service; \
restorecon -FR -T 0 -i /usr/lib/systemd/system/k3s.service; \
restorecon -FR -T 0 /var/lib/cni; \
restorecon -FR -T 0 /var/lib/kubelet; \
restorecon -FR -T 0 /var/lib/rancher; \
restorecon -FR -T 0 /var/run/k3s; \
restorecon -FR -T 0 /var/run/flannel

# Minimum base-policy and container-selinux versions this module is built
# and installed against.  The epoch prefix on the container-selinux
# requirement presumably mirrors the Epoch carried by the el9 package.
%define selinux_policyver 3.14.3-67
%define container_policyver 2.191.0-1
%define container_policy_epoch 3

# Version and Release are expected to be supplied by the build script
# (rpmbuild --define); they are not set in this file.
Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.el9
Summary: SELinux policy module for k3s
Vendor: K3s Project
Packager: K3s Project

Group: System Environment/Base
License: Apache-2.0
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

# noarch: the package only carries a compiled policy module plus its
# interface file.  selinux-policy-devel presumably supplies the selinux_*
# scriptlet macros used below; container-selinux supplies the container_*
# types that k3s.fc refers to.
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils

# Obsoletes covers the pre-0.5 builds of this same package; the rke2
# policy is refused outright, presumably because it defines overlapping
# types for the shared container runtime paths.
Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
This package installs and sets up the SELinux policy security module for k3s.

%install
# The compiled module goes to the standard packages directory and the
# interface file where other policy modules can include it.  The mode
# given here for k3s.pp is overridden by the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): nothing is installed into this directory and it is not
# listed in the files section, so it looks like a leftover -- confirm
# before removing it.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

%pre
%selinux_relabel_pre

%post
# Install the module into the policy store; only if SELinux is actually
# enabled on this host, load the new policy and relabel the k3s paths
# right away so the first start of k3s runs with the right contexts.
%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%k3s_relabel_files
fi;

%postun
# rpm passes the number of instances of this package that remain after
# the transaction; 0 means a real erase (not an upgrade), the only case
# in which the module must be removed from the store.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall k3s
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled policy is readable by root only; the interface file keeps
# the default (world readable) mode.
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if

%changelog
* Mon Feb 24 2020 Darren Shepherd 1.0-1
- Initial version


--------------------------------------------------------------------------------
/policy/coreos/k3s-selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# k3s_relabel_files: shell snippet expanded into the post scriptlet below.
# The mkdir -p calls pre-create the directories that restorecon then
# relabels, so the right labels are in place before k3s first starts
# (the label rules come from k3s.fc in this module and, presumably, from
# the container-selinux policy this package depends on).  For the two unit
# files -i makes a missing k3s.service (policy installed before k3s) a
# no-op rather than an error; -F forces the whole context to be reset,
# -R recurses and -T 0 asks restorecon to use as many threads as there
# are CPU cores.
%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -FR -T 0 -i /etc/systemd/system/k3s.service; \
restorecon -FR -T 0 -i /usr/lib/systemd/system/k3s.service; \
restorecon -FR -T 0 /var/lib/cni; \
restorecon -FR -T 0 /var/lib/kubelet; \
restorecon -FR -T 0 /var/lib/rancher; \
restorecon -FR -T 0 /var/run/k3s; \
restorecon -FR -T 0 /var/run/flannel

# Minimum base-policy and container-selinux versions this module is built
# and installed against.  The epoch prefix on the container-selinux
# requirement presumably mirrors the Epoch carried by the CoreOS package.
%define selinux_policyver 3.14.3-67
%define container_policyver 2.191.0-1
%define container_policy_epoch 2

# Version and Release are expected to be supplied by the build script
# (rpmbuild --define); they are not set in this file.
Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.coreos
Summary: SELinux policy module for k3s
Vendor: K3s Project
Packager: K3s Project

Group: System Environment/Base
License: Apache-2.0
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

# noarch: the package only carries a compiled policy module plus its
# interface file.  selinux-policy-devel presumably supplies the selinux_*
# scriptlet macros used below; container-selinux supplies the container_*
# types that k3s.fc refers to.
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils

# Obsoletes covers the pre-0.5 builds of this same package; the rke2
# policy is refused outright, presumably because it defines overlapping
# types for the shared container runtime paths.
Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
This package installs and sets up the SELinux policy security module for k3s.

%install
# The compiled module goes to the standard packages directory and the
# interface file where other policy modules can include it.  The mode
# given here for k3s.pp is overridden by the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): nothing is installed into this directory and it is not
# listed in the files section, so it looks like a leftover -- confirm
# before removing it.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

%pre
%selinux_relabel_pre

%post
# Install the module into the policy store; only if SELinux is actually
# enabled on this host, load the new policy and relabel the k3s paths
# right away so the first start of k3s runs with the right contexts.
%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%k3s_relabel_files
fi;

%postun
# rpm passes the number of instances of this package that remain after
# the transaction; 0 means a real erase (not an upgrade), the only case
# in which the module must be removed from the store.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall k3s
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled policy is readable by root only; the interface file keeps
# the default (world readable) mode.
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if

%changelog
* Mon Feb 24 2020 Darren Shepherd 1.0-1
- Initial version


--------------------------------------------------------------------------------
/policy/centos8/k3s.fc:
--------------------------------------------------------------------------------
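# vim: sw=8:ts=8:et
#
# File contexts for k3s (el8).  Each line is: path regex, an optional
# file-type filter (-- regular files only, -d directories only, none =
# any type), then the context to assign.  When several entries match a
# path the last one wins, so the broad rules come first and the narrower
# overrides after.  <<none>> tells restorecon/setfiles to leave whatever
# label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves get container_file_t; the snapshot
# *contents* are excluded with <<none>> because they are presumably
# labelled by containerd when the snapshot is created and must not be
# rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
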
--------------------------------------------------------------------------------
/policy/centos9/k3s.fc:
--------------------------------------------------------------------------------
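# vim: sw=8:ts=8:et
#
# File contexts for k3s (el9).  Each line is: path regex, an optional
# file-type filter (-- regular files only, -d directories only, none =
# any type), then the context to assign.  When several entries match a
# path the last one wins, so the broad rules come first and the narrower
# overrides after.  <<none>> tells restorecon/setfiles to leave whatever
# label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves get container_file_t; the snapshot
# *contents* are excluded with <<none>> because they are presumably
# labelled by containerd when the snapshot is created and must not be
# rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
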
--------------------------------------------------------------------------------
/policy/coreos/k3s.fc:
--------------------------------------------------------------------------------
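# vim: sw=8:ts=8:et
#
# File contexts for k3s (CoreOS).  Each line is: path regex, an optional
# file-type filter (-- regular files only, -d directories only, none =
# any type), then the context to assign.  When several entries match a
# path the last one wins, so the broad rules come first and the narrower
# overrides after.  <<none>> tells restorecon/setfiles to leave whatever
# label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves get container_file_t; the snapshot
# *contents* are excluded with <<none>> because they are presumably
# labelled by containerd when the snapshot is created and must not be
# rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
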
--------------------------------------------------------------------------------
/policy/microos/k3s.fc:
--------------------------------------------------------------------------------
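# vim: sw=8:ts=8:et
#
# File contexts for k3s (MicroOS).  Each line is: path regex, an optional
# file-type filter (-- regular files only, -d directories only, none =
# any type), then the context to assign.  When several entries match a
# path the last one wins, so the broad rules come first and the narrower
# overrides after.  <<none>> tells restorecon/setfiles to leave whatever
# label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves get container_file_t; the snapshot
# *contents* are excluded with <<none>> because they are presumably
# labelled by containerd when the snapshot is created and must not be
# rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
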
--------------------------------------------------------------------------------
/policy/slemicro/k3s.fc:
--------------------------------------------------------------------------------
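# vim: sw=8:ts=8:et
#
# File contexts for k3s (SLE Micro).  Each line is: path regex, an
# optional file-type filter (-- regular files only, -d directories only,
# none = any type), then the context to assign.  When several entries
# match a path the last one wins, so the broad rules come first and the
# narrower overrides after.  <<none>> tells restorecon/setfiles to leave
# whatever label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves are labelled (container_share_t on
# this platform, where the el8/el9/CoreOS variants use container_file_t;
# the reason is not recorded here); the snapshot *contents* are excluded
# with <<none>> because they are presumably labelled by containerd when
# the snapshot is created and must not be rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
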
--------------------------------------------------------------------------------
/policy/centos7/k3s-selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# k3s_relabel_files: shell snippet expanded into the post scriptlet below.
# The mkdir -p calls pre-create the directories that restorecon then
# relabels, so the right labels are in place before k3s first starts
# (the label rules come from k3s.fc in this module and, presumably, from
# the container-selinux policy this package depends on).  For the two unit
# files -i makes a missing k3s.service (policy installed before k3s) a
# no-op rather than an error; -F forces the whole context to be reset and
# -R recurses.  No -T here, presumably because the restorecon shipped on
# el7 predates that option.
%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -FR -i /etc/systemd/system/k3s.service; \
restorecon -FR -i /usr/lib/systemd/system/k3s.service; \
restorecon -FR /var/lib/cni; \
restorecon -FR /var/lib/kubelet; \
restorecon -FR /var/lib/rancher; \
restorecon -FR /var/run/k3s; \
restorecon -FR /var/run/flannel

# Minimum base-policy and container-selinux versions this module is built
# and installed against; the epoch prefix presumably mirrors the Epoch
# carried by the el7 container-selinux package.  The schism value is an
# exclusive upper bound: container-selinux 2.164.2 and later is treated as
# incompatible with this module on el7 (the name suggests a breaking policy
# change in that series; the exact incompatibility is not recorded here),
# so both build and install are pinned below it.
%define selinux_policyver 3.13.1-252
%define container_policyver 2.107-3
%define container_policy_epoch 2
%define container_policy_schism 2.164.2

# Version and Release are expected to be supplied by the build script
# (rpmbuild --define); they are not set in this file.
Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.el7
Summary: SELinux policy module for k3s
Vendor: K3s Project
Packager: K3s Project

Group: System Environment/Base
License: Apache-2.0
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

# noarch: the package only carries a compiled policy module plus its
# interface file.  selinux-policy-devel presumably supplies the selinux_*
# scriptlet macros used below; container-selinux supplies the container_*
# types that k3s.fc refers to.
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism}
Requires(postun): policycoreutils

# Obsoletes covers the pre-0.5 builds of this same package; the rke2
# policy is refused outright, presumably because it defines overlapping
# types for the shared container runtime paths.
Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
This package installs and sets up the SELinux policy security module for k3s.

%install
# The compiled module goes to the standard packages directory and the
# interface file where other policy modules can include it.  The mode
# given here for k3s.pp is overridden by the attr in the files section.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): nothing is installed into this directory and it is not
# listed in the files section, so it looks like a leftover -- confirm
# before removing it.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

%pre
%selinux_relabel_pre

%post
# Install the module into the policy store; only if SELinux is actually
# enabled on this host, load the new policy and relabel the k3s paths
# right away so the first start of k3s runs with the right contexts.
%selinux_modules_install %{_datadir}/selinux/packages/k3s.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%k3s_relabel_files
fi;

%postun
# rpm passes the number of instances of this package that remain after
# the transaction; 0 means a real erase (not an upgrade), the only case
# in which the module must be removed from the store.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall k3s
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled policy is readable by root only; the interface file keeps
# the default (world readable) mode.
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if

%changelog
* Mon Feb 24 2020 Darren Shepherd 1.0-1
- Initial version


--------------------------------------------------------------------------------
/policy/centos7/k3s.fc:
--------------------------------------------------------------------------------
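# vim: sw=8:ts=8:et
#
# File contexts for k3s (el7).  Each line is: path regex, an optional
# file-type filter (-- regular files only, -d directories only, none =
# any type), then the context to assign.  When several entries match a
# path the last one wins, so the broad rules come first and the narrower
# overrides after.  <<none>> tells restorecon/setfiles to leave whatever
# label is already on the file.

# Unit files and the k3s binary itself use the container-selinux runtime
# types, so k3s presumably runs in the same domain as a container engine
# (the domain transition itself lives in container-selinux, not here).
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

# Generic CNI / kubelet paths.  Only the el7 variant of this file carries
# these (and the /var/log and /var/run/flannel entries below); presumably
# the older container-selinux series this spec pins to on el7 does not
# label them itself.
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# State directory.  [^/]* under containerd is the snapshotter name.  Only
# the snapshot directories themselves are labelled (container_share_t on
# el7, where the el8/el9/CoreOS variants use container_file_t; the reason
# is not recorded here); the snapshot *contents* are excluded with
# <<none>> because they are presumably labelled by containerd when the
# snapshot is created and must not be rewritten by a full relabel.
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)

# Unpacked k3s data bundle.  The k3s_* types are presumably defined in this
# module's k3s.te.  bin/ is k3s_root_t; the bundled runtime binaries are
# labelled as runtime executables, and the .links / .sha256sums manifests
# (data, not executables) are pulled back to k3s_data_t.
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)

# Container and pod logs.
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)

# Runtime state; the per-sandbox shm mount is labelled as runtime tmpfs.
/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
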
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 |
--------------------------------------------------------------------------------
/.drone.yml:
--------------------------------------------------------------------------------
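---
# Drone pipeline for the EL7 (CentOS 7) k3s-selinux RPM: build, sign, push to
# the yum repo, publish a GitHub pre-release. Only "Build EL7" runs on every
# event; the three publishing steps are gated to tag builds on the
# drone-publish.k3s.io instance (see their "when" blocks).
kind: pipeline
name: RPM Build EL7

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL7
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM EL7
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/centos7/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL7
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/upload-repo
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL7
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos7-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos7/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock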
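---
# Drone pipeline for the EL8 (CentOS 8) k3s-selinux RPM: build, sign, push to
# the yum repo, publish a GitHub pre-release. Only "Build EL8" runs on every
# event; the publishing steps are gated to tag builds on drone-publish.k3s.io.
kind: pipeline
name: RPM Build EL8

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL8
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.centos8.dapper ./policy/centos8/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM EL8
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/centos8/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  # NOTE(review): the build step uses Dockerfile.centos8.dapper, but signing
  # and the repo upload run in the centos7 dapper image. Presumably intentional
  # (the sign/upload scripts may not need the distro-specific image) -- confirm.
  - dapper -f Dockerfile.centos7.dapper ./policy/centos8/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL8
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/centos8/scripts/upload-repo   # centos7 image, see sign step
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL8
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos8-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos8/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock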
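---
# Drone pipeline for the SLE Micro k3s-selinux RPM: build, sign, push to the
# yum repo, publish a GitHub pre-release. Only "Build SLE Micro" runs on every
# event; the publishing steps are gated to tag builds on drone-publish.k3s.io.
kind: pipeline
name: RPM Build SLE Micro

platform:
  os: linux
  arch: amd64

steps:
- name: Build SLE Micro
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.slemicro.dapper ./policy/slemicro/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM SLE
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/slemicro/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  # NOTE(review): the build step uses Dockerfile.slemicro.dapper, but signing
  # and the repo upload run in the centos7 dapper image. Presumably intentional
  # (the sign/upload scripts may not need the distro-specific image) -- confirm.
  - dapper -f Dockerfile.centos7.dapper ./policy/slemicro/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload SLE Micro
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/slemicro/scripts/upload-repo   # centos7 image, see sign step
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release SLE Micro
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-slemicro-noarch.txt
    checksum_flatten: true
    files:
    - "dist/slemicro/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock
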
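---
# Drone pipeline for the openSUSE MicroOS k3s-selinux RPM: build, sign, push to
# the yum repo, publish a GitHub pre-release. Only "Build MicroOS" runs on every
# event; the publishing steps are gated to tag builds on drone-publish.k3s.io.
kind: pipeline
name: RPM Build Microos

platform:
  os: linux
  arch: amd64

steps:
- name: Build MicroOS
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.microos.dapper ./policy/microos/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM MicroOS
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/microos/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  # NOTE(review): the build step uses Dockerfile.microos.dapper, but signing
  # and the repo upload run in the centos7 dapper image. Presumably intentional
  # (the sign/upload scripts may not need the distro-specific image) -- confirm.
  - dapper -f Dockerfile.centos7.dapper ./policy/microos/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload MicroOS
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/microos/scripts/upload-repo   # centos7 image, see sign step
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release MicroOS
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-microos-noarch.txt
    checksum_flatten: true
    files:
    - "dist/microos/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock
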
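---
# Drone pipeline for the Fedora CoreOS k3s-selinux RPM: build, sign, push to
# the yum repo, publish a GitHub pre-release. Only "Build Fedora CoreOS" runs
# on every event; the publishing steps are gated to tag builds on
# drone-publish.k3s.io.
kind: pipeline
name: RPM Build Fedora CoreOS

platform:
  os: linux
  arch: amd64

steps:
- name: Build Fedora CoreOS
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.coreos.dapper ./policy/coreos/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM Fedora CoreOS
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/coreos/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  # NOTE(review): the build step uses Dockerfile.coreos.dapper, but signing
  # and the repo upload run in the centos7 dapper image. Presumably intentional
  # (the sign/upload scripts may not need the distro-specific image) -- confirm.
  - dapper -f Dockerfile.centos7.dapper ./policy/coreos/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload Fedora CoreOS
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/coreos/scripts/upload-repo   # centos7 image, see sign step
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release Fedora CoreOS
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-coreos-noarch.txt
    checksum_flatten: true
    files:
    - "dist/coreos/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock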
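---
# Drone pipeline for the EL9 (CentOS Stream 9) k3s-selinux RPM: build, sign,
# push to the yum repo, publish a GitHub pre-release. Only "Build EL9" runs on
# every event; the publishing steps are gated to tag builds on
# drone-publish.k3s.io.
kind: pipeline
name: RPM Build EL9

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL9
  image: rancher/dapper:v0.6.0
  commands:
  - dapper -f Dockerfile.centos9.dapper ./policy/centos9/scripts/build
  volumes:
  # dapper drives the host Docker daemon through its socket, so this step
  # effectively has root access to the CI host.
  - name: docker
    path: /var/run/docker.sock

- name: Sign RPM EL9
  image: rancher/dapper:v0.6.0
  environment:
    # Production and testing signing keys (plus passphrases) are both injected;
    # which one is used is decided by policy/centos9/scripts/sign, not here.
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  # NOTE(review): the build step uses Dockerfile.centos9.dapper, but signing
  # and the repo upload run in the centos7 dapper image. Presumably intentional
  # (the sign/upload scripts may not need the distro-specific image) -- confirm.
  - dapper -f Dockerfile.centos7.dapper ./policy/centos9/scripts/sign
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    # Fixed from "refs/head/master": branch refs live under refs/heads/, so the
    # old pattern could never match. With the tag-only event gate below,
    # refs/tags/* is the pattern that applies in practice.
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL9
  image: rancher/dapper:v0.6.0
  environment:
    # same production/testing split for the S3 repo credentials
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - dapper -f Dockerfile.centos7.dapper ./policy/centos9/scripts/upload-repo   # centos7 image, see sign step
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL9
  image: plugins/github-release
  settings:
    api_key:
      from_secret: github_token
    # every tag is published as a pre-release; nothing in this pipeline
    # promotes it to a full release
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos9-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos9/**/*.rpm"
  when:
    instance:
    - drone-publish.k3s.io
    ref:
    - refs/heads/master   # was refs/head/master (typo; see the sign step)
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock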
--------------------------------------------------------------------------------