第 5 章 Additional security privileges granted for kubevirt-controller and virt-launcher
The kubevirt-controller and virt-launcher Pods are granted some SELinux policies and Security Context Constraints privileges that are in addition to typical Pod owners. These privileges enable virtual machines to use OpenShift Virtualization features.
5.1. Extended SELinux policies for virt-launcher pods
The container_t SELinux policy for virt-launcher pods is extended with the following rules:
-
allow process self (tun_socket (relabelfrom relabelto attach_queue)) -
allow process sysfs_t (file (write)) -
allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr)) -
allow process hugetlbfs_t (file (create unlink))
These rules enable the following virtualization features:
- Relabel and attach queues to its own TUN sockets, which is required to support network multi-queue. Multi-queue enables network performance to scale as the number of available vCPUs increases.
-
Allows virt-launcher pods to write information to sysfs (
/sys) files, which is required to enable Single Root I/O Virtualization (SR-IOV). -
Read/write
hugetlbfsentries, which is required to support huge pages. Huge pages are a method of managing large amounts of memory by increasing the memory page size.
