commit: d677a6374ad09c7af0b615a291f9ccb3c12f2432
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 16 18:36:06 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d677a637
kubernetes: allow kubelet to connect all TCP ports
For pod health checks.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/kubernetes.te | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/services/kubernetes.te
b/policy/modules/services/kubernetes.te
index 38b3a545e..99e76d2e9 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -249,10 +249,8 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir
file lnk_file })
corenet_tcp_bind_generic_node(kubelet_t)
-corenet_tcp_connect_http_port(kubelet_t)
corenet_tcp_bind_kubernetes_port(kubelet_t)
-corenet_tcp_connect_kubernetes_port(kubelet_t)
-corenet_tcp_connect_all_unreserved_ports(kubelet_t)
+corenet_tcp_connect_all_ports(kubelet_t)
corecmd_exec_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
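Review bot: The added `corenet_tcp_connect_all_ports(kubelet_t)` has no comment tying it to probes, and it widens kubelet_t from the HTTP, Kubernetes and unreserved port types to name_connect on every TCP port type, reserved service ports included. Since the commit message gives pod health checks as the reason, I would record that next to the rule, e.g. `# pod health checks may target any TCP port a container exposes`, so a later audit does not read the broad grant as an oversight. Port labelling cannot tell a pod address from any other host, so the rule also permits connections to non-pod services on those ports. If some deployments want the narrower set back, the line could sit inside a `tunable_policy` block keyed on a boolean (name to be chosen by the maintainers), with the three removed rules as the fallback. The kubelet_t rule block this belongs to starts and ends outside the hunk, so whether the module already has a suitable tunable is not visible here.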