fix(system-upgrades): Deploy SELinux hotfix for iscsid

This patch fixes issues currently faced by longhorn, where the SELinux policy denies a DAC_override for iscsid. Since I couldn't find on what file it even tries to do this override, for now, this override to fix unmountable volumes.

fix(system-upgrades): Deploy SELinux hotfix for iscsid
e122a607 · Sheogorath · f313f05a · e122a607
Verified Commit e122a607 authored 2 years ago by Sheogorath
--- a/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
+++ b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fedora-install-iscsi-hotfix
+  namespace: system-upgrade
+type: Opaque
+stringData:
+  iscsid_hotfix.te: |
+    module iscsid_hotfix 1.0;
+    require {
+    	type iscsid_t;
+    	class capability dac_override;
+    }
+    #============= iscsid_t ==============
+    allow iscsid_t self:capability dac_override;
+  install.sh: |
+    #!/bin/sh
+    set -e
+    set -x
+    secrets="$(dirname $0)"
+    semodule_dir="$(mktemp -d)"
+    systemd-run --same-dir --wait --collect --service-type=exec dnf install -y selinux-policy-devel
+    systemd-run --same-dir --wait --collect --service-type=exec checkmodule -M -m -o "${semodule_dir}/iscsid_hotfix.mod" "$secrets/iscsid_hotfix.te"
+    systemd-run --same-dir --wait --collect --service-type=exec semodule_package -o "${semodule_dir}/iscsid_hotfix.pp" "${semodule_dir}/iscsid_hotfix.mod"
+    systemd-run --same-dir --wait --collect --service-type=exec semodule -i "${semodule_dir}/iscsid_hotfix.pp"
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: fedora-iscsi-hotfix
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  nodeSelector:
+    matchExpressions:
+      - key: feature.node.kubernetes.io/system-os_release.ID
+        operator: In
+        values:
+          - fedora
+      - key: feature.node.kubernetes.io/system-os_release.VERSION_ID.major
+        operator: In
+        values:
+          - "35"
+          - "36"
+          - "37"
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: fedora-install-iscsi-hotfix
+      path: /host/run/system-upgrade/secrets/fedora
+  version: 1.0.0
+  upgrade:
+    image: quay.io/fedora/fedora:36
+    command: ["chroot", "/host"]
+    args: ["sh", "/run/system-upgrade/secrets/fedora/install.sh"]