
Commit 7a269fd

authored
Merge pull request #1302 from kube-hetzner/various-fixes
Various fixes
2 parents b2a93e2 + 4a96be7 commit 7a269fd


1 file changed

+39
-36
lines changed


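--- a/locals.tf
+++ b/locals.tf
@@ -72,7 +72,6 @@ locals {
 kustomization_backup_yaml = yamlencode({
 apiVersion = "kustomize.config.k8s.io/v1beta1"
 kind = "Kustomization"
-
 resources = concat(
 [
 "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/${local.ccm_version}/ccm-networks.yaml",
@@ -99,6 +98,20 @@ locals {
 }
 patch = file("${path.module}/kustomize/system-upgrade-controller.yaml")
 },
+{
+target = {
+group = "apps"
+version = "v1"
+kind = "Deployment"
+name = "system-upgrade-controller"
+namespace = "system-upgrade"
+}
+patch = <<-EOF
+- op: replace
+path: /spec/template/spec/containers/0/image
+value: rancher/system-upgrade-controller:v0.13.4
+EOF
+},
 {
 path = "kured.yaml"
 },
@@ -790,25 +803,25 @@ EOF
 module kube_hetzner_selinux 1.0;
 
 require {
-type kernel_t, bin_t, kernel_generic_helper_t, iscsid_t, iscsid_exec_t, var_run_t, var_lib_t,
-init_t, unlabeled_t, systemd_logind_t, systemd_hostnamed_t, container_t,
-cert_t, container_var_lib_t, etc_t, usr_t, container_file_t, container_log_t,
-container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t, fuse_device_t, http_port_t,
-container_var_run_t;
-class key { read view };
-class file { open read execute execute_no_trans create link lock rename write append setattr unlink getattr watch };
-class sock_file { watch write create unlink };
-class unix_dgram_socket create;
-class unix_stream_socket { connectto read write };
-class dir { add_name create getattr link lock read rename remove_name reparent rmdir setattr unlink search write watch };
-class lnk_file { read create };
-class system module_request;
-class filesystem associate;
-class bpf map_create;
-class io_uring sqpoll;
-class anon_inode { create map read write };
-class tcp_socket name_connect;
-class chr_file { open read write };
+type kernel_t, bin_t, kernel_generic_helper_t, iscsid_t, iscsid_exec_t, var_run_t, var_lib_t,
+init_t, unlabeled_t, systemd_logind_t, systemd_hostnamed_t, container_t,
+cert_t, container_var_lib_t, etc_t, usr_t, container_file_t, container_log_t,
+container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t, fuse_device_t, http_port_t,
+container_var_run_t;
+class key { read view };
+class file { open read execute execute_no_trans create link lock rename write append setattr unlink getattr watch };
+class sock_file { watch write create unlink };
+class unix_dgram_socket create;
+class unix_stream_socket { connectto read write };
+class dir { add_name create getattr link lock read rename remove_name reparent rmdir setattr unlink search write watch };
+class lnk_file { read create };
+class system module_request;
+class filesystem associate;
+class bpf map_create;
+class io_uring sqpoll;
+class anon_inode { create map read write };
+class tcp_socket name_connect;
+class chr_file { open read write };
 }
 
 #============= kernel_generic_helper_t ==============
@@ -822,7 +835,7 @@ EOF
 allow iscsid_t var_run_t:unix_stream_socket connectto;
 
 #============= init_t ==============
-allow init_t unlabeled_t:dir { add_name remove_name rmdir };
+allow init_t unlabeled_t:dir { add_name remove_name rmdir search };
 allow init_t unlabeled_t:lnk_file create;
 allow init_t container_t:file { open read };
 allow init_t container_file_t:file { execute execute_no_trans };
@@ -836,36 +849,25 @@ EOF
 allow systemd_hostnamed_t unlabeled_t:dir search;
 
 #============= container_t ==============
-# Basic file and directory operations for specific types
-allow container_t cert_t:dir read;
-allow container_t cert_t:lnk_file read;
+allow container_t { cert_t container_log_t }:dir read;
+allow container_t { cert_t container_log_t }:lnk_file read;
 allow container_t cert_t:file { read open };
 allow container_t container_var_lib_t:file { create open read write rename lock setattr getattr unlink };
 allow container_t etc_t:dir { add_name remove_name write create setattr watch };
 allow container_t etc_t:file { create setattr unlink write };
 allow container_t etc_t:sock_file { create unlink };
 allow container_t usr_t:dir { add_name create getattr link lock read rename remove_name reparent rmdir setattr unlink search write };
 allow container_t usr_t:file { append create execute getattr link lock read rename setattr unlink write };
-
-# Additional rules for container_t
 allow container_t container_file_t:file { open read write append getattr setattr };
 allow container_t container_file_t:sock_file watch;
 allow container_t container_log_t:file { open read write append getattr setattr watch };
-allow container_t container_log_t:dir read;
 allow container_t container_share_t:dir { read write add_name remove_name };
 allow container_t container_share_t:file { read write create unlink };
 allow container_t container_runtime_exec_t:file { read execute execute_no_trans open };
 allow container_t container_runtime_t:unix_stream_socket { connectto read write };
 allow container_t kernel_t:system module_request;
-allow container_t container_log_t:dir { read watch };
-allow container_t container_log_t:file { open read watch };
-allow container_t container_log_t:lnk_file read;
-allow container_t var_log_t:dir { add_name write };
-allow container_t var_log_t:file { create lock open read setattr write };
-allow container_t var_log_t:dir remove_name;
-allow container_t var_log_t:file unlink;
-allow container_t var_log_t:dir { watch read remove_name };
-allow container_t var_log_t:file getattr;
+allow container_t var_log_t:dir { add_name write remove_name watch read };
+allow container_t var_log_t:file { create lock open read setattr write unlink getattr };
 allow container_t var_lib_t:dir { add_name write read };
 allow container_t var_lib_t:file { create lock open read setattr write getattr };
 allow container_t proc_t:filesystem associate;
@@ -948,3 +950,4 @@ EOT
 - [truncate, '-s', '0', '/var/log/audit/audit.log']
 EOT
 }
+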
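Review bot: The container_t consolidation in the `@@ -836,36 +849,25 @@` hunk silently drops the `watch` permission on `container_log_t:dir`: the removed `allow container_t container_log_t:dir { read watch };` and `allow container_t container_log_t:dir read;` are replaced only by `allow container_t { cert_t container_log_t }:dir read;`, while every other merged rule in the hunk (the var_log_t dir and file lines, the lnk_file line) keeps the full union of the removed permissions, so this looks like an oversight rather than a deliberate tightening. If it is unintended, keep the new combined line and add `allow container_t container_log_t:dir watch;` after it rather than widening `watch` to cert_t; if it is intended, a one-line comment above the combined rule noting that `watch` on the log directory was removed on purpose would stop a later cleanup from restoring it. Separately, the kustomize patch in the `@@ -99,6 +98,20 @@` hunk pins `rancher/system-upgrade-controller:v0.13.4` as a literal inside the heredoc while the resource URL in the first hunk reads `${local.ccm_version}`; lifting the tag into a local alongside the other component versions would keep version bumps in one place and make the pin auditable. The SELinux policy heredoc that these rules belong to starts and ends outside the hunks shown.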
