Update readme about nri.sock and SELinux#219
Open
ngopalak-redhat wants to merge 1 commit intocontainerd:mainfrom
Open
Update readme about nri.sock and SELinux#219ngopalak-redhat wants to merge 1 commit intocontainerd:mainfrom
ngopalak-redhat wants to merge 1 commit intocontainerd:mainfrom
Conversation
Signed-off-by: Neeraj Krishna Gopalakrishna <ngopalak@redhat.com>
mikebrow
reviewed
Sep 10, 2025
Member
mikebrow
left a comment
mikebrow
left a comment
There was a problem hiding this comment.
suggest adding a couple sentences that describes the expected error that will get generated and what the problem is... volume mounting a host level socket between the pod and the container runtime..
This way seems like a big hammer.. is there any other way to make it work? selinux mount label maybe?
| and [best practices](https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/) | ||
| about Kubernetes security. | ||
|
|
||
| To use the plugins in SELinux-enabled environments, either create a new policy |
Member
There was a problem hiding this comment.
Suggested change
| To use the plugins in SELinux-enabled environments, either create a new policy | |
| One expected path for running NRI plugins is to run them as a pod/container in a daemonset on each of the nodes of a cluster. | |
| ### SELinux enabled environments | |
| NOTE: To run the plugins, as a pod, in `SELinux-enabled` environments the kubernetes security level assigned to the pod MUST |
pod security policies have been deprecated .. they've become levels assigned or via controller.. it's confusing :-)
| about Kubernetes security. | ||
|
|
||
| To use the plugins in SELinux-enabled environments, either create a new policy | ||
| or set the SELinux type to spc_t (Super Privileged Container) in the pod's security |
Member
There was a problem hiding this comment.
Suggested change
| or set the SELinux type to spc_t (Super Privileged Container) in the pod's security | |
| set the SELinux type label to spc_t (Super Privileged Container) in the pod's security |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In environments like OpenShift, its required to configure SELinux in security context. Hence added a small readme update.