From 8d124251dc8aeadccf243b08d2154a3fc5aa4fbb Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Tue, 6 May 2025 23:36:17 +0200 Subject: [PATCH] Add coverage and support matrix --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 128eb90..bc54f96 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,34 @@ -# rancher-selinux -Rancher selinux policy repository +# About rancher-selinux + +`rancher-selinux` contains a set of SELinux policies designed to grant the necessary privileges to various Rancher components running on Linux systems with SELinux enabled. These policies enhance security by defining dedicated types for containers and assigning them the least privileges possible. + +For more information about enabling SELinux on Rancher or installing the rancher-selinux RPM, use: https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux + +## Coverage of rancher-selinux + +The following Rancher compnents are covered by the policy: + +| Component | Service/Container | SELinux Type | +| :------------------------- | :----------------------------------------------------------------------- | :--------------------- | +| Rancher Monitoring Chart | [node-exporter] | `prom_node_exporter_t` | +| Rancher Monitoring Chart | [pushprox] | `rke_kubereader_t` | +| Rancher Logging Chart | [fluentbit] | `rke_logreader_t` | +| RKE1 | [flannel] | `rke_network_t` | +| RKE1 | [rke] `etcd`, `rke-etcd-backup`, `kube-{apiserver,controller,scheduler}` | `rke_container_t` | + + +## Support Matrix + +| Operating System | Version | Supported | Policy | E2E | +| :--------------- | :------ | :----------------- | :--------- | :-------------------- | +| RHEL/Rocky | 8 | :white_check_mark: | [centos8] | :white_check_mark: | +| RHEL/Rocky | 9 | :white_check_mark: | [centos9] | :white_check_mark: | +| Fedora | 41 | :white_check_mark: | [fedora41] | :white_check_mark: | +| openSUSE MicroOS | Stable | :white_check_mark: | [microos] | :construction: | +| openSUSE Leap | N/A | :construction: | N/A | :construction: | +| SUSE Liberty | N/A | :construction: | N/A | :construction: | +| openSUSE SLE | N/A | :construction: | N/A | :construction: | +| Oracle Linux | N/A | :construction: | N/A | :construction: | ## Versioning/Tagging 
@@ -25,3 +54,13 @@ The following list shows the expected tag to (example) transformation for RPM's | v0.2-rc2.testing.1 | Clean | `rancher-selinux-0.2~rc2-1.el7.noarch.rpm` | Testing || | v0.2.testing.1 | Clean | `rancher-selinux-0.2-1.el7.noarch.rpm` | Testing || | v0.2.production.1 | Clean | `rancher-selinux-0.2-1.el7.noarch.rpm` | Production || + +[centos8]: https://github.com/rancher/rancher-selinux/tree/main/policy/centos8 +[centos9]: https://github.com/rancher/rancher-selinux/tree/main/policy/centos9 +[fedora41]: https://github.com/rancher/rancher-selinux/tree/main/policy/fedora41 +[microos]: https://github.com/rancher/rancher-selinux/tree/main/policy/microos +[fluentbit]: https://github.com/rancher/charts/blob/262597a41a175cfb4785d70fd76b33d56f8c1f95/charts/rancher-logging/106.0.1%2Bup4.10.0-rancher.4/templates/loggings/k3s/daemonset.yaml#L22 +[node-exporter]: https://github.com/rancher/charts/blob/262597a41a175cfb4785d70fd76b33d56f8c1f95/charts/rancher-monitoring/106.0.1%2Bup66.7.1-rancher.10/charts/prometheus-node-exporter/templates/daemonset.yaml#L51 +[flannel]: https://github.com/rancher/kontainer-driver-metadata/blob/34e1e8a7a157daae54b310b199aa663c9a2ef314/rke/templates/flannel_v0.14.0.go#L239 +[pushprox]: https://github.com/rancher/charts/tree/dev-v2.11/charts/rancher-monitoring/106.0.1%2Bup66.7.1-rancher.10/charts/rkeEtcd +[rke]: https://github.com/rancher/rke/blob/5756a3837a3c49d61f1ea2120b02149c21e4a443/hosts/hosts.go#L55
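Review bot: typo in the Coverage section of the first hunk (`@@ -1,5 +1,34 @@`): `The following Rancher compnents are covered by the policy:` should read `components`. Two smaller points in the same hunk: the Support Matrix uses `:construction:` in both the Supported and E2E columns without saying what it means (policy in progress, untested, or unsupported), so a one-line legend under the table would let a reader decide whether the openSUSE Leap, SUSE Liberty and Oracle Linux rows are safe to deploy on; and the row named `openSUSE SLE` mixes the community and enterprise names, since SLE is SUSE Linux Enterprise rather than an openSUSE product, so that name should be checked before merging. There are also two consecutive blank `+` lines between the coverage table and `## Support Matrix`; one is enough.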
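Review bot: the `[pushprox]` link definition in the second hunk (`@@ -25,3 +54,13 @@`) differs from the other references in two ways worth fixing. It points at the `dev-v2.11` branch rather than a pinned commit, so the target will drift or break when the chart moves, whereas `[fluentbit]` and `[node-exporter]` pin commit `262597a41a175cfb4785d70fd76b33d56f8c1f95`; and its path ends in `charts/rkeEtcd`, a subchart directory, while the Coverage table labels the entry as the pushprox container with type `rke_kubereader_t`, so a reader cannot see which manifest actually sets that type. Pin it to the same chart commit and link the specific template line, as the other entries do.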