Fixes for container network creation.

This commit is contained in:
Jeroen Rijken 2022-07-19 14:48:57 +02:00 committed by Alex
parent 3e006e3c76
commit c84455cca4
3 changed files with 13 additions and 0 deletions


@ -10,6 +10,9 @@ include <tunables/global>
profile cni-calico @{exec_path} flags=(attach_disconnected) { profile cni-calico @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability sys_admin,
capability net_admin,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
@ -19,6 +22,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{exec_path}-ipam rix, @{exec_path}-ipam rix,
/ r,
/etc/cni/net.d/{,**} r, /etc/cni/net.d/{,**} r,
/var/lib/calico/{,**} r, /var/lib/calico/{,**} r,
@ -29,6 +34,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
@{run}/calico/ipam.lock rwk, @{run}/calico/ipam.lock rwk,
@{run}/netns/cni-@{uuid} r, @{run}/netns/cni-@{uuid} r,
/proc/sys/net/ipv4/ip_forward rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/cni-calico> include if exists <local/cni-calico>
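Review bot: `capability sys_admin,` at the top of the first hunk is the broadest capability an AppArmor profile can grant, and neither it nor `capability net_admin,` carries a comment saying why the CNI plugin needs it; presumably sys_admin is for setns() into the pod network namespace (the profile already reads `@{run}/netns/cni-@{uuid}`) and net_admin for configuring the pod's interfaces, but that reasoning should be recorded so the grant is not kept or widened by accident later. A comment such as `# sys_admin/net_admin: enter the pod netns via setns() and configure its interfaces — confirm against the plugin` above the two rules would do. The new `/proc/sys/net/ipv4/ip_forward rw,` rule in the last hunk writes a host-wide sysctl rather than a per-namespace setting; that is plausibly intended for a CNI plugin, but it is the kind of side effect worth a one-line comment as well.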


@ -10,6 +10,9 @@ include <tunables/global>
profile cni-loopback @{exec_path} flags=(attach_disconnected) { profile cni-loopback @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
capability sys_admin,
capability net_admin,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
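Review bot: The hunk grants cni-loopback `capability sys_admin,` and `capability net_admin,` with no justification, and unlike the calico profile in this commit no rule granting read access on the container's netns path (`@{run}/netns/...`) is visible here; if the remainder of the profile (outside this hunk) lacks one, setns() will still be denied despite sys_admin, so that is worth checking. A one-line comment above the two capability rules, e.g. `# setns() into the container netns (sys_admin) and bringing lo up (net_admin) — confirm`, would document the intent. Since the visible profile otherwise permits only `network netlink raw` and its own binary, a documented reason for these two broad grants makes later audits much easier.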


@ -18,6 +18,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
capability dac_read_search, capability dac_read_search,
capability dac_override, capability dac_override,
capability fsetid, capability fsetid,
capability fowner,
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
@ -58,8 +59,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
/opt/containerd/{,**} rw, /opt/containerd/{,**} rw,
/var/lib/cni/{,**/} w,
/var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
/var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,
/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0
/var/lib/containerd/{,**} rwk, /var/lib/containerd/{,**} rwk,
/var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l, /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
/var/lib/docker/containerd/{,**} rwk, /var/lib/docker/containerd/{,**} rwk,
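Review bot: The added rule `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0` in the second hunk has no permission mode and no trailing comma, unlike the two `cni-loopback` result rules directly above it that end in `wl,`; if that is what the commit contains rather than a rendering artefact, apparmor_parser will reject the containerd profile and none of this change loads. It should read `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 wl,`. Note also that `[0-9a-f]*` matches a single hex digit followed by anything up to the next `/`, so it is much looser than the `@{uuid}` form used for the loopback result one line above; presumably that is a deliberate fallback, but a short comment saying so would stop a later cleanup from tightening it blindly.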