Merge branch 'rancher:main' into main
bbaumgartl committed Oct 12, 2023
2 parents ab27f36 + 814fb97 commit a691977
Showing 7 changed files with 52 additions and 22 deletions.
10 changes: 5 additions & 5 deletions .drone.yml
Expand Up @@ -8,7 +8,7 @@ platform:

steps:
- name: Build EL7
image: rancher/dapper:v0.5.2
image: rancher/dapper:v0.6.0
commands:
- dapper -f Dockerfile.centos7.dapper policy/centos7/scripts/build
volumes:
Expand Down Expand Up @@ -98,15 +98,15 @@ platform:

steps:
- name: Build EL8
image: rancher/dapper:v0.5.2
image: rancher/dapper:v0.6.0
commands:
- dapper -f Dockerfile.centos8.dapper policy/centos8/scripts/build
volumes:
- name: docker
path: /var/run/docker.sock

- name: Sign RPM EL8
image: centos:7
image: quay.io/centos/centos:stream8
environment:
PRIVATE_KEY:
from_secret: private_key
Expand All @@ -128,7 +128,7 @@ steps:
- tag

- name: Yum Repo Upload EL8
image: centos:7
image: quay.io/centos/centos:stream8
environment:
AWS_S3_BUCKET:
from_secret: aws_s3_bucket
Expand Down Expand Up @@ -188,7 +188,7 @@ platform:

steps:
- name: Build MicroOS
image: rancher/dapper:v0.5.2
image: rancher/dapper:v0.6.0
commands:
- dapper -f Dockerfile.microos.dapper policy/microos/scripts/build
volumes:
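Review bot: The `Sign RPM EL8` and `Yum Repo Upload EL8` steps now run `quay.io/centos/centos:stream8`, a floating tag, while handling `PRIVATE_KEY` and the S3 credentials injected via `from_secret`; the content behind that tag can change without any change to this file, so pin it by digest (`image: quay.io/centos/centos:stream8@sha256:<DIGEST>`) and let Renovate propose bumps. The same applies to the `rancher/dapper:v0.6.0` images in the build steps, which produce the artifacts that get signed, so an unpinned builder undermines the value of the signature. A short comment above the signing step noting that `stream8` is a rolling release, and that the `yum`-based toolchain inside it is therefore not reproducible across runs, would make the trade-off explicit. The steps' remaining lines (commands, volumes, `when:` filters) are outside the visible hunks.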
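--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,9 @@
+{
+  "extends": [
+    "github>rancher/renovate-config#release"
+  ],
+  "baseBranches": [
+    "main"
+  ],
+  "prHourlyLimit": 2
+}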
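Review bot: `"extends": ["github>rancher/renovate-config#release"]` pins the shared preset to a branch rather than a tag or commit, so whatever lands on `release` in rancher/renovate-config immediately changes which PRs this repository opens (package sources, automerge rules, schedules) without any reviewable change here. Combined with the `.github/workflows/renovate.yml` added in the same commit, which also references that repository by the moving `@release` ref, a preset change can flow straight into merged commits. Pin to an immutable ref (`github>rancher/renovate-config#<TAG_OR_SHA>`) and let Renovate itself propose updates to it; if the moving branch is the intended contract with the shared config, record that decision in the repository README, since JSON cannot carry a comment.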
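--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,25 @@
+name: Renovate
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
+  schedule:
+    - cron: '30 4,6 * * *'
+
+jobs:
+  call-workflow:
+    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+    secrets: inherit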
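Review bot: `secrets: inherit` hands every secret of this repository to a reusable workflow referenced by the mutable branch ref `rancher/renovate-config/.github/workflows/renovate.yml@release`, so anyone who can push to that branch controls code that runs with this repository's secrets. Pin the reusable workflow to a full commit SHA (`uses: rancher/renovate-config/.github/workflows/renovate.yml@<COMMIT_SHA>`) and, if the shared workflow needs only a Renovate token, pass that one secret by name instead of `inherit`. Style point: `with:` reads `inputs.logLevel` on one line and `github.event.inputs.overrideSchedule` on the next; both resolve the same `workflow_dispatch` input (and both are empty on the `schedule` trigger), so `inputs.overrideSchedule` keeps the two lines consistent.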
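--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @rancher/rancher-security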
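Review bot: `* @rancher/rancher-security` only generates review requests; it blocks a merge only when branch protection on `main` has "Require review from Code Owners" enabled, and this file cannot express that. Confirm the setting is on, otherwise the automated "create pull request and merge" flow described in the comment of `.github/workflows/renovate.yml` in this same commit can merge without a security-team review. A one-line comment recording the dependency would help, e.g. `# Only enforced when branch protection on main requires code-owner review`.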
11 changes: 2 additions & 9 deletions Dockerfile.centos8.dapper
@@ -1,13 +1,6 @@
FROM centos:8
FROM quay.io/centos/centos:stream8

# CentOS 8 has reached EOL: https://www.centos.org/centos-linux-eol/
# Therefore, we need to switch the mirrorlist for the appstream repo
#
# point to vault.epel.cloud
# https://serverfault.com/questions/1093922/failing-to-run-yum-update-in-centos-8/1093928#1093928
RUN pushd /etc/yum.repos.d/ && sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.epel.cloud|g' /etc/yum.repos.d/CentOS-* && popd

RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq
RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git

ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
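Review bot: `FROM quay.io/centos/centos:stream8` builds the RPMs that `.drone.yml` later signs from a rolling tag with no digest, so the same Dockerfile can resolve to different package sets on different days; pin the digest (`FROM quay.io/centos/centos:stream8@sha256:<DIGEST>`) so the build is reproducible and Renovate can track it. The hunk also drops `jq` from the `yum install` line; the build script `policy/centos8/scripts/build` is not on this page, so confirm it no longer calls `jq` before this lands. Neither `RUN` line cleans the yum cache, which is harmless for a dapper builder but worth a comment if the image is ever pushed.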
9 changes: 5 additions & 4 deletions policy/centos8/rancher.te
Expand Up @@ -2,6 +2,7 @@ policy_module(rancher, 1.0.0)

gen_require(`
type container_runtime_t, unconfined_service_t;
type container_file_t;
')

########################
Expand All @@ -14,7 +15,7 @@ gen_require(`
class file { getaddr open read };
class lnk_file { getattr read };
')
container_domain_template(rke_kubereader)
container_domain_template(rke_kubereader, container)
virt_sandbox_domain(rke_kubereader_t)
corenet_unconfined(rke_kubereader_t)
allow rke_kubereader_t kubernetes_file_t:dir { open read search };
Expand All @@ -33,7 +34,7 @@ gen_require(`
class file { open read };
class lnk_file { getattr read };
')
container_domain_template(rke_logreader)
container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
corenet_unconfined(rke_logreader_t)
allow rke_logreader_t container_log_t:dir { open read search };
Expand All @@ -60,7 +61,7 @@ gen_require(`
')
type rke_opt_t;
files_type(rke_opt_t)
container_domain_template(rke_container)
container_domain_template(rke_container, container)
virt_sandbox_domain(rke_container_t)
corenet_unconfined(rke_container_t)
manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
Expand Down Expand Up @@ -92,7 +93,7 @@ gen_require(`
type var_run_t;
type kernel_t;
')
container_domain_template(rke_network)
container_domain_template(rke_network, container)
virt_sandbox_domain(rke_network_t)
corenet_unconfined(rke_network_t)
manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
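Review bot: The second argument added in `container_domain_template(rke_kubereader, container)` and the three sibling calls in this file is undocumented; a comment above the first call stating which container-selinux version made the argument required, and that it is why `type container_file_t;` now appears in the top `gen_require`, would spare the next reader from reverse-engineering the template. Presumably the template now references the `$2_file_t` type, but that cannot be verified from this page. The identical change is applied to `policy/microos/rancher.te`, and the two files appear to be byte-for-byte copies, so consider generating both from one source to keep future policy changes in sync. The adjacent context line `class file { getaddr open read };` looks like a typo for `getattr`, the permission used on the `lnk_file` class on the next line; it is pre-existing, but worth checking whether the module compiles with it.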
9 changes: 5 additions & 4 deletions policy/microos/rancher.te
Expand Up @@ -2,6 +2,7 @@ policy_module(rancher, 1.0.0)

gen_require(`
type container_runtime_t, unconfined_service_t;
type container_file_t;
')

########################
Expand All @@ -14,7 +15,7 @@ gen_require(`
class file { getaddr open read };
class lnk_file { getattr read };
')
container_domain_template(rke_kubereader)
container_domain_template(rke_kubereader, container)
virt_sandbox_domain(rke_kubereader_t)
corenet_unconfined(rke_kubereader_t)
allow rke_kubereader_t kubernetes_file_t:dir { open read search };
Expand All @@ -33,7 +34,7 @@ gen_require(`
class file { open read };
class lnk_file { getattr read };
')
container_domain_template(rke_logreader)
container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
corenet_unconfined(rke_logreader_t)
allow rke_logreader_t container_log_t:dir { open read search };
Expand All @@ -60,7 +61,7 @@ gen_require(`
')
type rke_opt_t;
files_type(rke_opt_t)
container_domain_template(rke_container)
container_domain_template(rke_container, container)
virt_sandbox_domain(rke_container_t)
corenet_unconfined(rke_container_t)
manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
Expand Down Expand Up @@ -92,7 +93,7 @@ gen_require(`
type var_run_t;
type kernel_t;
')
container_domain_template(rke_network)
container_domain_template(rke_network, container)
virt_sandbox_domain(rke_network_t)
corenet_unconfined(rke_network_t)
manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
