# SELinux support
In MKE 4k, you can run both controller and worker nodes with SELinux enabled,
such as those on RHEL and Rocky Linux systems. Once you have enabled SELinux on
all of the nodes, the mkectl apply command automatically configures file
contexts and containerd to ensure that k0s runs correctly under SELinux, with no
additional configuration required.
## Prerequisites

For SELinux, you must satisfy the following prerequisites on all nodes, both controllers and workers:

- SELinux is enabled.
- The following tools, which are standard on all RHEL-based systems with the policycoreutils and policycoreutils-python-utils packages installed:
  - sestatus
  - semanage
  - restorecon
- Working yum/dnf and access to repositories that provide container-selinux, which is standard on all RHEL-based distros.
- SSH access with sudo privileges, to allow the CLI to run required commands and restart the k0s worker service as needed.
## Platform behavior
The following table describes SELinux platform scenarios and expected behaviors, as supported by MKE 4k.
| Platform scenarios | Behavior |
|---|---|
| SELinux-enabled systems, such as RHEL and Rocky Linux | If all nodes report SELinux as enabled (sestatus → "SELinux status: enabled"), the mkectl apply command: |
| Non-SELinux systems, such as Ubuntu | If any node does not have SELinux enabled, or does not have sestatus, the mkectl apply command skips all SELinux steps. No labels are applied and containerd is not changed for SELinux. |
| Mixed nodes | Not supported |
| Container Network Interfaces (CNIs) | CNIs other than Calico are not supported. |
| Dry run | Dry-run only reports whether SELinux labeling will run, based on detection; it does not perform or simulate the actual semanage/restorecon/containerd changes. |
**Note:** When you install MKE 4k with SELinux enabled on a fresh cluster using the initial mkectl apply command, the apply SELinux labels process can take up to 20 minutes to complete.
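Because a single node without SELinux makes mkectl apply skip the SELinux steps cluster-wide, it is worth confirming the prerequisites above on every node before running apply. The pre-flight script below is an added example, not MKE or mkectl code; it encodes the detection rule from the table (sestatus reporting "SELinux status: enabled" on all nodes) and checks for the required tools and container-selinux repository access. The script name and the `--local` flag are the example's own.

```shell
#!/bin/sh
# Added pre-flight check, not part of MKE or mkectl. It applies the detection
# rule above: labeling runs only when every node reports "SELinux status:
# enabled" in sestatus; a single node without it makes apply skip all steps.

# Read sestatus output on stdin; print "enabled" or "disabled".
# Empty input (sestatus missing) counts as disabled, as apply treats it.
selinux_state_from_sestatus() {
    if grep -q '^SELinux status:[[:space:]]*enabled'; then echo enabled
    else echo disabled
    fi
}

# One state word per node in; the outcome apply will choose out:
# "label" (all enabled), "skip" (none enabled) or "mixed" (unsupported).
cluster_selinux_decision() {
    n_enabled=0; n_other=0
    for state in "$@"; do
        case "$state" in
            enabled) n_enabled=$((n_enabled + 1)) ;;
            *)       n_other=$((n_other + 1)) ;;
        esac
    done
    if [ "$n_other" -eq 0 ] && [ "$n_enabled" -gt 0 ]; then echo label
    elif [ "$n_enabled" -gt 0 ]; then echo mixed
    else echo skip
    fi
}

# Live check of the local node: tools, container-selinux via yum/dnf, SELinux state.
check_local_node() {
    rc=0
    for tool in sestatus semanage restorecon; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; rc=1; }
    done
    pm=$(command -v dnf || command -v yum || true)
    [ -n "$pm" ] && "$pm" -q list container-selinux >/dev/null 2>&1 \
        || { echo "container-selinux not available via yum/dnf" >&2; rc=1; }
    state=$( (sestatus 2>/dev/null || true) | selinux_state_from_sestatus)
    echo "local SELinux state: $state"
    [ "$state" = enabled ] || rc=1
    return "$rc"
}

# Constructed sample of sestatus output (not captured from a real node).
printf 'SELinux status:                 enabled\nCurrent mode:                   enforcing\n' \
    | selinux_state_from_sestatus   # prints: enabled

# Run the live check only when asked: sh selinux_preflight.sh --local
if [ "${1:-}" = "--local" ]; then check_local_node; fi
```

Run `sh selinux_preflight.sh --local` on each node over SSH and feed the collected state words to cluster_selinux_decision; anything other than `label` means apply will not configure SELinux.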