crio, kubernetes: allow k8s admins to run CRI-O

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-05-17 11:14:43 -04:00
parent 12590a88d6
commit 16a928df4e
2 changed files with 83 additions and 0 deletions

View File

@ -1 +1,80 @@
## <summary>policy for cri-o</summary>
#######################################
## <summary>
## Execute CRI-O in the crio domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`crio_domtrans',`
gen_require(`
type crio_t, crio_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, crio_exec_t, crio_t)
')
########################################
## <summary>
## Execute CRI-O in the crio domain,
## and allow the specified role the
## kubelet domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the crio domain.
## </summary>
## </param>
#
interface(`crio_run',`
gen_require(`
type crio_t;
')
role $2 types crio_t;
crio_domtrans($1)
')
#######################################
## <summary>
## All of the rules required to administrate
## a CRI-O environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`crio_admin',`
gen_require(`
type crio_t;
type crio_conmon_t;
')
allow $1 crio_t:process { ptrace signal_perms };
ps_process_pattern($1, crio_t)
allow $1 crio_conmon_t:process { ptrace signal_perms };
ps_process_pattern($1, crio_conmon_t)
# no private type for crictl, so connect directly
container_stream_connect_system_engine($1)
')

View File

@ -382,4 +382,8 @@ interface(`kubernetes_admin',`
logging_search_logs($1)
admin_pattern($1, kubernetes_log_t)
optional_policy(`
crio_admin($1, $2)
')
')