feat: avoid setting privileged flag if seLinuxOptions is not null (#599)

Sets the privileged flag to false if SELinuxOptions are present/defined. This is needed because containerd treats SELinux and Privileged controls as mutually exclusive. Also see https://github.com/containerd/cri/blob/aa2d5a97c/pkg/server/container_create.go#L164. This allows users who use SELinux for managing privileged processes to use GH Actions - otherwise, based on the SELinux policy, the Docker in Docker container might not be privileged enough. Signed-off-by: Jonah Back <jonah@jonahback.com> Co-authored-by: Yusuke Kuoka <ykuoka@gmail.com>
2025-12-11 03:57:01 +00:00 · 2021-06-03 16:59:11 -07:00
parent a93fd21f21
commit 8c42f99d0b
2 changed files with 27 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -728,6 +728,16 @@ spec:
    spec:
      nodeSelector:
        node-role.kubernetes.io/test: ""
+      
+      securityContext:
+        #All level/role/type/user values will vary based on your SELinux policies.
+        #See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy for information about SELinux with containers
+        seLinuxOptions: 
+          level: "s0"
+          role: "system_r"
+          type: "super_t"
+          user: "system_u"
+          
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/test