[CPDEV-94365] Add support for RHEL9 family, SELinux

documentation/Installation.md

@@ -63,6 +63,7 @@ This section provides information about the inventory, features, and steps for i
     - [Admission pss](#admission-pss)
       - [Configuring Default Profiles](#configuring-default-profiles)
       - [Configuring Exemptions](#configuring-exemptions)
+      - [Application Prerequisites](#application-prerequisites)
     - [RBAC Accounts](#rbac-accounts)
       - [RBAC account_defaults](#rbac-account_defaults)
     - [Plugins](#plugins)
@@ -77,18 +78,18 @@ This section provides information about the inventory, features, and steps for i
         - [Plugins Installation Order](#plugins-installation-order)
         - [Node Selector](#node-selector)
         - [Tolerations](#tolerations)
-        - [Resources requets and limits](#resources-requests-and-limits)
+        - [Resources Requests and Limits](#resources-requests-and-limits)
       - [Custom Plugins Installation Procedures](#custom-plugins-installation-procedures)
         - [template](#template)
-        - [config](#config) 
+        - [config](#config)
         - [expect pods](#expect-pods)
         - [expect deployments/daemonsets/replicasets/statefulsets](#expect-deploymentsdaemonsetsreplicasetsstatefulsets)
         - [python](#python)
         - [thirdparty](#thirdparty)
         - [shell](#shell)
         - [ansible](#ansible)
         - [helm](#helm)
-  - [Advanced features](#advanced-features)
+  - [Advanced Features](#advanced-features)
     - [List Merge Strategy](#list-merge-strategy)
       - [Merge Strategy Positioning](#merge-strategy-positioning)
       - [List Merge Allowed Sections](#list-merge-allowed-sections)
@@ -164,10 +165,10 @@ For cluster machines, ensure the following requirements are met:
 
 * The following distributives and versions are supported:
 
-  * Centos 7.5+, 8.4
-  * RHEL 7.5+, 8.4, 8.6, 8.7
-  * Oracle Linux 7.5+, 8.4
-  * RockyLinux 8.6, 8.7
+  * Centos 7.5+, 8.4, 9
+  * RHEL 7.5+, 8.4, 8.6, 8.7, 8.8, 9.2
+  * Oracle Linux 7.5+, 8.4, 9.2
+  * RockyLinux 8.6, 8.7, 9.2
   * Ubuntu 20.04
   * Ubuntu 22.04.1
 
@@ -212,7 +213,7 @@ If you have other solution, remove or switch off the IP firewall before the inst
 
 * Installation of the following packages is highly recommended; however, Kubernetes can work without them, but may show warnings:
   * ethtool
-  * ebtables
+  * ebtables (included in the iptables-nft package which is available on systems like RHEL 9+)
   * socat
 
 **Warning**: You have to specify packages names in "RPM format" if it is possible for you OS,
@@ -3716,7 +3717,7 @@ The default configuration does not enforce the default policy to any of the pods
 
 Do not change the namespaces exemption list without strong necessary. In any case check our maintenance guide before any implementation.
 
-#### Application prerequisites
+#### Application Prerequisites
 
 In case of using PSS the application that installed in Kubernetes cluster should be matched with PSS profiles (`privileged`, 
 `baseline`, `restricted`). Those profiles may be set by labeling the namespace so as it described above for predefined plugins. 

kubemarine/admission.py

@@ -856,7 +856,7 @@ def update_finalized_inventory(cluster: KubernetesCluster, inventory_to_finalize
 
 
 def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]:
-    if  group.cluster.inventory['rbac']['admission'] != "pss":
+    if group.cluster.inventory['rbac']['admission'] != "pss":
         return None
     if group.cluster.context.get('initial_procedure') == 'manage_pss':
         if not is_security_enabled(group.cluster.inventory) and \
@@ -875,15 +875,10 @@ def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]:
                        .render(defaults=defaults,exemptions=exemptions)
 
     # put admission config on every control-planes
-    filename = uuid.uuid4().hex
-    remote_path = tmp_filepath_pattern % filename
-    group.cluster.log.debug("Copy admission config: %s, %s" % (remote_path, admission_path))
-    group.put(io.StringIO(admission_config), remote_path, backup=True, sudo=True)
-    group.sudo("mkdir -p %s" % admission_dir, warn=True)
-    result = group.sudo("cp %s %s" % (remote_path, admission_path), warn=True)
-    group.sudo("rm -f %s" % remote_path)
+    group.cluster.log.debug(f"Copy admission config to {admission_path}")
+    group.put(io.StringIO(admission_config), admission_path, backup=True, sudo=True, mkdir=True)
 
-    return result
+    return group.sudo(f'ls -la {admission_path}')
 
 
 def _get_default_labels(profile: str) -> Dict[str, str]:

kubemarine/core/cluster.py

@@ -215,7 +215,7 @@ def get_os_family_for_nodes(self, hosts: Iterable[str]) -> str:
         """
         Returns the detected operating system family for hosts.
 
-        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported".
+        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported".
         """
         os_families = {self.get_os_family_for_node(host) for host in hosts}
         if len(os_families) > 1:
@@ -230,7 +230,7 @@ def get_os_family(self) -> str:
         Returns common OS family name from all final remote hosts.
         The method can be used during enrichment when NodeGroups are not yet calculated.
 
-        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported".
+        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported".
         """
         hosts_detect_os_family = []
         for node in self.inventory['nodes']:

kubemarine/core/group.py

@@ -389,7 +389,7 @@ def _put_with_mv(self, local_stream: Union[io.BytesIO, str], remote_file: str,
         if immutable:
             self.cluster.log.verbose('File \"%s\" immutable set required' % remote_file)
 
-        advanced_move_required = sudo or backup or immutable
+        advanced_move_required = sudo or backup or immutable or mkdir
         temp_filepath = remote_file
 
         if advanced_move_required:
@@ -406,10 +406,11 @@ def _put_with_mv(self, local_stream: Union[io.BytesIO, str], remote_file: str,
 
         self.cluster.log.verbose("Moving temporary file '%s' to '%s'..." % (temp_filepath, remote_file))
 
+        # -Z option is necessary for RHEL family to set SELinux context to default type.
         if sudo:
-            mv_command = "sudo chown root:root %s && sudo mv -f %s %s" % (temp_filepath, temp_filepath, remote_file)
+            mv_command = "sudo chown root:root %s && sudo mv -fZ %s %s" % (temp_filepath, temp_filepath, remote_file)
         else:
-            mv_command = "mv -f %s %s" % (temp_filepath, remote_file)
+            mv_command = "mv -fZ %s %s" % (temp_filepath, remote_file)
 
         if backup:
             if sudo:
@@ -614,7 +615,7 @@ def get_nodes_os(self) -> str:
         """
         Returns the detected operating system family for group.
 
-        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "multiple", "unknown", "unsupported".
+        :return: Detected OS family, possible values: "debian", "rhel", "rhel8", "rhel9", "multiple", "unknown", "unsupported".
         """
         return self.cluster.get_os_family_for_nodes(self.nodes)
 
@@ -631,7 +632,7 @@ def get_subgroup_with_os(self: GROUP_SELF, os_family: str) -> GROUP_SELF:
         :param os_family: The name of required OS family
         :return: NodeGroup
         """
-        if os_family not in ['debian', 'rhel', 'rhel8']:
+        if os_family not in ['debian', 'rhel', 'rhel8', 'rhel9']:
             raise Exception('Unsupported OS family provided')
         hosts = []
         for host in self.nodes:

kubemarine/keepalived.py

@@ -196,7 +196,6 @@ def install_haproxy_check_script(group: DeferredGroup) -> None:
     group.put(io.StringIO(script), "/usr/local/bin/check_haproxy.sh", sudo=True)
     group.sudo("chmod +x /usr/local/bin/check_haproxy.sh")
 
-
 def uninstall(group: NodeGroup) -> RunnersGroupResult:
     return packages.remove(group, include='keepalived')
 

kubemarine/packages.py

@@ -489,7 +489,7 @@ def remove_unused_os_family_associations(cluster: KubernetesCluster, inventory:
 
 
 def get_associations_os_family_keys() -> Set[str]:
-    return {'debian', 'rhel', 'rhel8'}
+    return {'debian', 'rhel', 'rhel8', 'rhel9'}
 
 
 def get_compatibility_version_key(os_family: str) -> str:
@@ -540,7 +540,7 @@ def search(self, group: DeferredGroup, package: str, callback: Callback = None)
 def get_package_manager(group: AbstractGroup[GROUP_RUN_TYPE]) -> PackageManager:
     os_family = group.get_nodes_os()
 
-    if os_family in ['rhel', 'rhel8']:
+    if os_family in ['rhel', 'rhel8', 'rhel9']:
         return yum
     elif os_family == 'debian':
         return apt
@@ -598,7 +598,7 @@ def search_package(group: DeferredGroup, package: str, callback: Callback = None
 
 
 def get_detect_package_version_cmd(os_family: str, package_name: str) -> str:
-    if os_family in ["rhel", "rhel8"]:
+    if os_family in ["rhel", "rhel8", "rhel9"]:
         cmd = r"rpm -q %s" % package_name
     else:
         cmd = r"dpkg-query -f '${Package}=${Version}\n' -W %s" % package_name
@@ -686,7 +686,7 @@ def get_package_name(os_family: str, package: str) -> str:
     package_name = ""
 
     if package:
-        if os_family in ["rhel", "rhel8"]:
+        if os_family in ["rhel", "rhel8", "rhel9"]:
             # regexp is needed to split package and its version, the pattern start with '-' then should be number or '*'
             package_name = re.split(r'-[\d,\*]', package)[0]
         else:

kubemarine/patches/software_upgrade.yaml

@@ -14,20 +14,24 @@ packages:
   docker:
     version_rhel: []
     version_rhel8: []
+    version_rhel9: []
     version_debian: []
   containerd:
     version_debian: []
   containerdio:
     version_rhel: []
     version_rhel8: []
+    version_rhel9: []
     version_debian: []
   haproxy:
     version_rhel: false
     version_rhel8: false
+    version_rhel9: false
     version_debian: false
   keepalived:
     version_rhel: false
     version_rhel8: false
+    version_rhel9: false
     version_debian: false
 plugins:
   calico: []

kubemarine/procedures/backup.py

@@ -105,7 +105,7 @@ def export_ansible_inventory(cluster: KubernetesCluster) -> None:
 
 def export_packages_list(cluster: KubernetesCluster) -> None:
     cluster.context['backup_descriptor']['nodes']['packages'] = {}
-    if cluster.get_os_family() in ['rhel', 'rhel8']:
+    if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']:
         cmd = r"rpm -qa"
     else:
         cmd = r"dpkg-query -f '${Package}=${Version}\n' -W"

kubemarine/procedures/check_iaas.py

@@ -426,7 +426,7 @@ def check_access_to_package_repositories(cluster: KubernetesCluster) -> None:
         # TODO: think about better parsing
         repository_urls: List[str] = []
         repositories = cluster.inventory['services']['packages']['package_manager'].get("repositories")
-        if cluster.get_os_family() not in ['debian', 'rhel', 'rhel8']:
+        if cluster.get_os_family() not in ['debian', 'rhel', 'rhel8', 'rhel9']:
             # Skip check in case of multiply or unknown OS
             raise TestWarn("Can't check package repositories on multiply OS")
         if isinstance(repositories, list):

kubemarine/procedures/check_paas.py

@@ -698,7 +698,7 @@ def verify_selinux_status(cluster: KubernetesCluster) -> None:
     :param cluster: KubernetesCluster object
     :return: None
     """
-    if cluster.get_os_family() not in ('rhel', 'rhel8'):
+    if cluster.get_os_family() not in ('rhel', 'rhel8', 'rhel9'):
         return
 
     with TestCase(cluster, '213', "Security", "Selinux security policy") as tc:
@@ -757,7 +757,7 @@ def verify_selinux_config(cluster: KubernetesCluster) -> None:
     :param cluster: KubernetesCluster object
     :return: None
     """
-    if cluster.get_os_family() not in ('rhel', 'rhel8'):
+    if cluster.get_os_family() not in ('rhel', 'rhel8', 'rhel9'):
         return
 
     with TestCase(cluster, '214', "Security", "Selinux configuration") as tc:
@@ -1399,7 +1399,7 @@ def verify_apparmor_status(cluster: KubernetesCluster) -> None:
     :param cluster: KubernetesCluster object
     :return: None
     """
-    if cluster.get_os_family() in ['rhel', 'rhel8']:
+    if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']:
         return
 
     with TestCase(cluster, '227', "Security", "Apparmor security policy") as tc:
@@ -1427,7 +1427,7 @@ def verify_apparmor_config(cluster: KubernetesCluster) -> None:
     :param cluster: KubernetesCluster object
     :return: None
     """
-    if cluster.get_os_family() in ['rhel', 'rhel8']:
+    if cluster.get_os_family() in ['rhel', 'rhel8', 'rhel9']:
         return
 
     with TestCase(cluster, '228', "Security", "Apparmor security policy") as tc:

kubemarine/procedures/migrate_kubemarine.py

@@ -370,15 +370,15 @@ def resolve_upgrade_patches() -> List[_SoftwareUpgradePatch]:
 
     k8s_versions = [version
                     for pkg in ('docker', 'containerd', 'containerdio')
-                    for v_key in ('version_rhel', 'version_rhel8', 'version_debian')
+                    for v_key in ('version_rhel', 'version_rhel8', 'version_rhel9', 'version_debian')
                     for version in upgrade_config['packages'][pkg].get(v_key, [])]
     if k8s_versions:
         verify_allowed_kubernetes_versions(k8s_versions)
         upgrade_patches.append(CriUpgradePatch(upgrade_config))
 
     for package_name in ['haproxy', 'keepalived']:
         if any(upgrade_config['packages'][package_name].get(v_key)
-               for v_key in ('version_rhel', 'version_rhel8', 'version_debian')):
+               for v_key in ('version_rhel', 'version_rhel8', 'version_rhel9', 'version_debian')):
             upgrade_patches.append(BalancerUpgradePatch(upgrade_config, package_name))
 
     default_plugins = static.DEFAULTS['plugins']