From 6fa60172dfff997ad8bde64d1b3ded3570bb949d Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 31 Jan 2021 14:19:00 +0100
Subject: [PATCH] Add selinux for k3s
---
 tasks/cluster_k3s.yml | 16 ++++++++++++++++
 templates/etc/systemd/system/k3s.service.j2 | 6 +++---
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index 9318b77..cb4e527 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -5,6 +5,22 @@
 # when:
 # - kubernetes_cni == "wireguard"
+- name: Install the k3s-selinux rpm from a remote repo for yum distro
+ yum:
+ name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm"
+ state: present
+ disable_gpg_check: yes
+ when:
+ - ansible_pkg_mgr == "yum"
+
+- name: Install the k3s-selinux rpm from a remote repo for dnf distro
+ dnf:
+ name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm"
+ state: present
+ disable_gpg_check: yes
+ when:
+ - ansible_pkg_mgr == "dnf"
+
 - name: Check if /usr/local/bin/k3s already existe
 stat:
 path: /usr/local/bin/k3s
diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2
index 0ac1a83..03f00a5 100644
--- a/templates/etc/systemd/system/k3s.service.j2
+++ b/templates/etc/systemd/system/k3s.service.j2
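Review bot: Both added tasks in tasks/cluster_k3s.yml set `disable_gpg_check: yes` on an RPM fetched directly from a release URL, so nothing on the host verifies the package before it is installed as root, and this package carries SELinux policy. If the release is signed, import the publisher's key first with an `rpm_key` task and drop the option. If it is not signed, download it with `get_url` and pin it with `checksum: "sha256:<DIGEST_OF_REVIEWED_RPM>"` (placeholder) before installing from the local path. The dnf task installs the same `el7_8` build as the yum task; that build is presumably meant for EL7, so confirm it applies cleanly on the dnf-based targets. The URL is repeated verbatim in both tasks, and holding it in one variable would keep the version pin in a single place.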
@@ -8,12 +8,12 @@ Type=notify
 EnvironmentFile=/etc/systemd/system/k3s.service.env
 {% if kubernetes_master|bool %}
 {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
-ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init
+ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init --selinux
 {% else %}
-ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN}
+ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux
 {% endif %}
 {% else %}
-ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux
 {% endif %}
 KillMode=process
 Delegate=yes
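Review bot: All three new `ExecStart` lines pass `--selinux` unconditionally, while the policy package this commit installs is only added when `ansible_pkg_mgr` is `yum` or `dnf` (tasks/cluster_k3s.yml). On a host with another package manager, or with SELinux disabled, k3s would be started with the flag but without the k3s-selinux policy. How k3s behaves in that case is not visible from this patch, so it should be tested or the flag gated. One option is to append it conditionally, e.g. `{% if ansible_selinux.status == "enabled" %} --selinux{% endif %}`, and to use the same condition on the install tasks. The unit file continues above and below this hunk.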