SELinux

RKE2 can be run on SELinux-enabled systems, which is the default configuration when installed on CentOS/RHEL 7 and 8. The policy supporting this is a specialization of the container-selinux policy for containerd. It accounts for the non-standard locations in which containerd is installed and in which it places persistent and ephemeral state.

In some circumstances, a reboot of the node may be required after installing the rke2-selinux package and before starting the rke2 service. If you encounter denials in your SELinux audit log despite having installed the rke2-selinux and container-selinux packages, please reboot the node.

Custom Context Labels

RKE2 runs control-plane services as static pods which require access to multiple container_var_lib_t locations. The etcd container must be able to read and write under /var/lib/rancher/rke2/server/db and, along with kube-apiserver, kube-controller-manager, and kube-scheduler, read from /var/lib/rancher/rke2/server/tls. To make this work without over-privileging (e.g., running as spc_t), the RKE2 SELinux policy introduces the rke2_service_db_t and rke2_service_t context labels for read-write and read-only access, respectively. These labels are only applied to the RKE2 control-plane static pods.

Configuration

RKE2 support for SELinux amounts to a single configuration item, the --selinux boolean flag. This is a pass-through to the enable_selinux boolean in the cri section of the containerd/cri toml. If RKE2 was installed via tarball, SELinux will not be enabled without additional configuration. The recommended way to configure this is with an entry in the RKE2 config.yaml, e.g.:

# /etc/rancher/rke2/config.yaml is the default location
selinux: true

This is equivalent to passing the --selinux flag on the rke2 server or rke2 agent command line, or setting the RKE2_SELINUX=true environment variable.
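The reboot note and the configuration section above each leave the operator with something to confirm by hand: that the selinux setting actually reached containerd's enable_selinux, that the SELinux audit log is free of denials, and (for the custom context labels section) that the control-plane processes run in rke2_service_db_t or rke2_service_t rather than a generic container domain. The POSIX shell script below is an added example written for this page, not RKE2 project code. By default it runs against constructed sample files it writes itself; pass real paths as arguments to check a node. Only /etc/rancher/rke2/config.yaml is named in the text; the containerd config.toml path, the auditd log path, the ps -eZ column layout and every value in the sample records are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RKE2 project: confirm that SELinux support is
# really in effect on an RKE2 node and summarize AVC denials from the audit log.
# Assumed paths (only /etc/rancher/rke2/config.yaml is named in the docs):
#   containerd toml:  /var/lib/rancher/rke2/agent/etc/containerd/config.toml
#   auditd log:       /var/log/audit/audit.log

# Return 0 when config.yaml contains the documented "selinux: true" entry.
config_selinux_enabled() {
  grep -Eq '^[[:space:]]*selinux:[[:space:]]*true[[:space:]]*$' "$1"
}

# Return 0 when the containerd/cri toml carries enable_selinux = true, the
# setting that the --selinux flag is passed through to.
containerd_selinux_enabled() {
  grep -Eq '^[[:space:]]*enable_selinux[[:space:]]*=[[:space:]]*true' "$1"
}

# Print the number of AVC denial records in an audit log (0 when none).
count_avc_denials() {
  grep -Ec 'avc: +denied' "$1" || true
}

# One line per distinct denial: count, comm, permission, class, source -> target.
# A control-plane comm with a container_t source context (instead of
# rke2_service_t / rke2_service_db_t) is the pattern the reboot note describes.
summarize_avc_denials() {
  grep -E 'avc: +denied' "$1" \
    | sed -E 's/.*denied +[{] ([^}]*) [}].*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\2 \1 \5 \3 -> \4/' \
    | sort | uniq -c | sed -E 's/^ +//'
}

# From saved "ps -eZ" output (label in column 1, command name last), print
# "<comm> <domain>" for the control-plane static pod processes so the
# rke2_service_db_t / rke2_service_t labels can be verified.
control_plane_domains() {
  awk '$NF ~ /^(etcd|kube-apiserver|kube-controller-manager|kube-scheduler)$/ {
         split($1, ctx, ":"); print $NF, ctx[3] }' "$1"
}

# Report on one node; the return value is the number of problems found.
rke2_selinux_report() {
  cfg="$1"; toml="$2"; log="$3"; problems=0
  if config_selinux_enabled "$cfg"; then echo "ok: $cfg sets selinux: true"
  else echo "warn: $cfg does not set selinux: true (required for tarball installs)"; problems=$((problems + 1)); fi
  if containerd_selinux_enabled "$toml"; then echo "ok: $toml sets enable_selinux = true"
  else echo "warn: $toml lacks enable_selinux = true"; problems=$((problems + 1)); fi
  n=$(count_avc_denials "$log")
  if [ "$n" -gt 0 ]; then
    echo "warn: $n AVC denials in $log (if rke2-selinux and container-selinux are installed, reboot and re-check):"
    summarize_avc_denials "$log"; problems=$((problems + 1))
  else echo "ok: no AVC denials in $log"; fi
  return $problems
}

# Stand-alone demo on constructed samples; pass real paths as $1 $2 $3 $4 instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.yaml" <<'EOF'
# constructed sample of /etc/rancher/rke2/config.yaml
selinux: true
EOF
cat > "$demo_dir/config.toml" <<'EOF'
# constructed fragment of the containerd/cri toml
[plugins."io.containerd.grpc.v1.cri"]
  enable_selinux = true
EOF
cat > "$demo_dir/audit.log" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=2101 comm="etcd" name="db" dev="dm-0" ino=1001 scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.202:202): avc:  denied  { read } for  pid=2102 comm="kube-apiserver" name="tls" dev="dm-0" ino=1002 scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=no exit=-13 comm="kube-apiserver" subj=system_u:system_r:container_t:s0:c10,c20 key=(null)
type=AVC msg=audit(1700000000.303:203): avc:  denied  { write } for  pid=2101 comm="etcd" name="db" dev="dm-0" ino=1001 scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
EOF
cat > "$demo_dir/ps.txt" <<'EOF'
LABEL                                          PID TTY          TIME CMD
system_u:system_r:container_t:s0:c10,c20      2101 ?        00:00:03 etcd
system_u:system_r:container_t:s0:c10,c20      2102 ?        00:00:02 kube-apiserver
system_u:system_r:container_t:s0:c30,c40      2300 ?        00:00:00 coredns
EOF
rke2_selinux_report "${1:-$demo_dir/config.yaml}" "${2:-$demo_dir/config.toml}" "${3:-$demo_dir/audit.log}" || true
echo "control-plane domains:"; control_plane_domains "${4:-$demo_dir/ps.txt}"
```

On the constructed samples the report finds the configuration in order but three denials, all from control-plane processes still running in container_t against container_var_lib_t, which is the situation the reboot note covers; on a healthy node the last step should list etcd as rke2_service_db_t and the other three components as rke2_service_t.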