kubernetes: allow kubelet to connect all TCP ports

For pod health checks. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
author: Kenton Groombridge <concord@gentoo.org> 2024-08-16 14:36:06 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2024-09-21 15:28:29 -0700
commit: d677a6374ad09c7af0b615a291f9ccb3c12f2432 (patch)
tree: 4b8605948b97b9888b370692370d0923bcbf1365
parent: container: allow reading generic certs (diff)
download: hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.tar.gz
hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.tar.bz2
hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.zip
1 files changed, 1 insertions, 3 deletions
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 38b3a545e..99e76d2e9 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -249,10 +249,8 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 
 corenet_tcp_bind_generic_node(kubelet_t)
 
-corenet_tcp_connect_http_port(kubelet_t)
 corenet_tcp_bind_kubernetes_port(kubelet_t)
-corenet_tcp_connect_kubernetes_port(kubelet_t)
-corenet_tcp_connect_all_unreserved_ports(kubelet_t)
+corenet_tcp_connect_all_ports(kubelet_t)
 
 corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
author	Kenton Groombridge <concord@gentoo.org>	2024-08-16 14:36:06 -0400
committer	Jason Zaman <perfinion@gentoo.org>	2024-09-21 15:28:29 -0700
commit	d677a6374ad09c7af0b615a291f9ccb3c12f2432 (patch)
tree	4b8605948b97b9888b370692370d0923bcbf1365
parent	container: allow reading generic certs (diff)
download	hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.tar.gz hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.tar.bz2 hardened-refpolicy-d677a6374ad09c7af0b615a291f9ccb3c12f2432.zip