Secure your containers using SELinux

This page shows you how to secure your containers by enabling SELinux. SELinux is supported for RHEL and CentOS. If your host machines are running RHEL or CentOS and you want to enable SELinux for your cluster, you must enable SELinux on all of your host machines. Starting with GKE on Bare Metal release 1.9.0, you can enable or disable SELinux before or after cluster creation or cluster upgrades. When SELinux is enabled on the host, it is enabled for the container runtime.

Check if SELinux is enabled

SELinux is enabled on RHEL and CentOS by default. To verify, run:

$ getenforce

The command returns either Enforcing, Permissive, or Disabled. If the command returns Enforcing, then you can proceed with upgrading or creating your clusters.

Enable SELinux

If the getenforce command returns Permissive, you can switch to Enforcing mode using the setenforce command. Toggling between Permissive and Enforcing mode using setenforce doesn't require a system reboot. However, if you want the changes to be persistent across reboots, you must update the /etc/selinux/config file.

To switch to Enforcing mode, run:

$ sudo setenforce 1 # temporary
$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config # persistent - after reboot

If SELinux is Disabled, we recommend that you first enable it in Permissive mode and reboot the system to verify that the system boots successfully. If there are no SELinux errors, then you can safely switch SELinux to Enforcing mode.

  1. Optional: Enable SELinux in Permissive mode:

    $ sudo sed -i 's/SELINUX=disabled/SELINUX=permissive/g' /etc/selinux/config
    $ sudo reboot
    
  2. If the system reboots successfully with no SELinux errors, then you can enable Enforcing mode. The pattern below replaces the current SELINUX= value, so it works whether the file still says disabled or was set to permissive in step 1:

    $ sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    $ sudo reboot
    

Once SELinux is enabled in Enforcing mode, SELinux is enabled for all processes on the host, including the container runtime.
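The following script is an added example, not part of the GKE on Bare Metal documentation. It sets the persistent mode in /etc/selinux/config regardless of the current value (so it works after either step above) and flags the case the text warns about: a mode changed with setenforce that the config file will revert at reboot. It assumes GNU sed (for -i) and a POSIX shell; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the GKE on Bare Metal docs). Assumes GNU sed.
set -e

# Print the SELINUX= value from a config file (lowercased), or "unset".
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    mode=$(sed -n 's/^SELINUX=\([a-zA-Z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$mode" ] && printf '%s\n' "$mode" | tr 'A-Z' 'a-z' || echo unset
}

# Set the persistent mode. Unlike a sed that only matches SELINUX=disabled,
# this replaces whatever value is present and appends the line if none exists.
selinux_set_config_mode() {
    target="$1"; cfg="${2:-/etc/selinux/config}"
    case "$target" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $target" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i "s/^SELINUX=.*/SELINUX=$target/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$target" >> "$cfg"
    fi
}

# Compare the running mode (the output of getenforce) with the config file.
# Returns 0 when they agree and 1 when a reboot would change the mode,
# e.g. after `setenforce 1` without editing /etc/selinux/config.
selinux_check_persistent() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); cfg="${2:-/etc/selinux/config}"
    configured=$(selinux_config_mode "$cfg")
    if [ "$runtime" = "$configured" ]; then
        echo "runtime and persistent mode agree: $runtime"
        return 0
    fi
    echo "WARNING: running $runtime but config says $configured; a reboot will change it" >&2
    return 1
}

# Only touch the real host when explicitly asked: sudo ./selinux-mode.sh apply enforcing
if [ "${1:-}" = "apply" ]; then
    selinux_set_config_mode "${2:-enforcing}"
    selinux_check_persistent "$(getenforce)"
fi
```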