Kubevirt fails to run on bottlerocket #4229
Comments
Could you please check journal logs on the node for an AVC denial to debug what process is causing this? As for the container-selinux types, the Bottlerocket selinux policies are defined here: https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/selinux-policy. We do include
But regarding this error:
I would not expect this to work, which is probably where the Maybe
@ginglis13
@bcressey I've tried untoggling privileged but that results in the pod not starting at all.
Maybe there is a set of security settings that are equivalent to privileged that I could use in conjunction with the This is where the relabel is being done: I don't know why the error mentions
Image I'm using:
OS Image: Bottlerocket OS 1.24.0 (aws-k8s-1.28)
Operating System: linux
Architecture: amd64
Container Runtime Version: containerd://1.7.22+bottlerocket
Kubelet Version: v1.28.10-eks-890c2ac
Kube-Proxy Version: v1.28.10-eks-890c2ac
What I expected to happen:
I am trying to set up kubevirt 1.3.1 on EKS with bottlerocket.
What actually happened:
There's one kubevirt component that is currently failing to start:
This kubevirt component is managed by a DaemonSet. It was running with
I've changed it to
But it made no difference.
Kubevirt install docs mention that it requires container-selinux installed. I'm trying to figure out if bottlerocket has it, but it's unclear to me. I checked the bottlerocket node via the admin-container and can't see the container_file_t type.
I found this PR that hints that bottlerocket does have container-selinux installed though. Or is it that bottlerocket used names that match the ones that container-selinux uses, but are different types?
Given that the DaemonSet is running in privileged mode with super_t as type the problem then must be that Bottlerocket does not have container-selinux types installed, right?
In this case, is my only option to build my own bottlerocket image with this dependency included?
How to reproduce the problem:
Install kubevirt on a bottlerocket node.
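
The reply above asks for the node's journal to be checked for an AVC denial. The following is an added example, not code from the issue or from either project, that reduces AVC denial lines to one row per process, source type, target type, class and permission set. The sample log lines and every `demo` name in them are constructed, and it assumes the journal text can be piped to a shell that has grep, sed, sort and uniq.

```bash
#!/usr/bin/env bash
# Added example: group SELinux AVC denials by process name, source type,
# target type, object class and permission set. Reads log text on stdin.
# On a live node the input would come from: journalctl -b | avc_summary

avc_summary() {
  # Keep only denial records, rewrite each one to a short signature
  # "comm source_type -> target_type class { perms }", then count duplicates.
  grep -E 'avc: +denied' |
    sed -E 's/.*avc: +denied +\{ ([^}]*) \}.* comm="([^"]*)".* scontext=[^:]*:[^:]*:([^:]*):.* tcontext=[^:]*:[^:]*:([^:]*):.* tclass=([^ ]*).*/\2 \3 -> \4 \5 { \1 }/' |
    sort | uniq -c | sort -rn
}

# Constructed sample input. Process names and SELinux types are
# hypothetical placeholders, not values taken from the issue.
avc_sample() {
  cat <<'EOF'
Oct 01 12:00:01 node audit[2211]: AVC avc:  denied  { relabelto } for  pid=2211 comm="demo-agent" name="disk.img" dev="nvme1n1" ino=4242 scontext=system_u:system_r:demo_agent_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file permissive=0
Oct 01 12:00:02 node audit[2211]: AVC avc:  denied  { relabelto } for  pid=2211 comm="demo-agent" name="disk2.img" dev="nvme1n1" ino=4243 scontext=system_u:system_r:demo_agent_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file permissive=0
Oct 01 12:00:03 node kernel: audit: type=1400 audit(1727784003.100:91): avc:  denied  { read write } for  pid=3300 comm="demo-helper" name="kvm" dev="devtmpfs" ino=77 scontext=system_u:system_r:demo_helper_t:s0:c1,c2 tcontext=system_u:object_r:demo_device_t:s0 tclass=chr_file permissive=0
Oct 01 12:00:04 node kubelet[900]: constructed non-audit line that must be ignored
EOF
}

# Stand-alone run over the constructed sample.
avc_sample | avc_summary
```

Each output row starts with the number of matching denials, so the most frequent source and target type pair appears first.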