policy: expand rancher-ai selinux policy to microOS and Fedora42 and add e2e#144
Open
andypitcher wants to merge 4 commits into
Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
Pull request overview
This PR expands the existing Rancher AI SELinux policy coverage to additional supported distributions (MicroOS and Fedora 42) and updates the repository’s documented coverage/status accordingly.
Changes:
- Mark Rancher AI components (`rancher-ai-agent`, `rancher-ai-mcp`) as covered on MicroOS and Fedora 42 in the README coverage matrix.
- Add SELinux policy blocks for `rancher_aiagent_container_t` and `rancher_aimcp_container_t` to the MicroOS policy.
- Add SELinux policy blocks for `rancher_aiagent_container_t` and `rancher_aimcp_container_t` to the Fedora 42 policy.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Updates coverage/status matrix entries for Rancher AI across supported distros. |
| policy/microos/rancher.te | Adds Rancher AI container domain templates and network permissions for MicroOS builds. |
| policy/fedora42/rancher.te | Adds Rancher AI container domain templates and network permissions for Fedora 42 builds. |
Refactors the E2E testing script framework to accommodate advanced charts like `rancher-ai-agent`. Transitioning from a rigid, single DaemonSet HTTP workflow into a flexible multi-workload validation matrix.

- Support Multi-Workload Deployments: Extended `installRancherChart` to handle generic workload kinds (Deployments/DaemonSets), multiple workload names, and independent pod label selectors.
- OCI Registry Integration: Enabled OCI chart references alongside legacy HTTP charts, making CRD sibling installations conditional.
- Robust SELinux Verification: Upgraded `e2eSELinuxVerification` with a jq fallback (`//`) to seamlessly target both Pod-level and Container-level `seLinuxOptions`.
- Decoupled Policy Validation: Re-architected verification tracks into semicolon-delimited `pod:container:type` triplets, decoupling the host package checks from individual workload counts.
- Add Rancher AI Agent: Added automated test mapping for the `rancher-ai-agent` chart components and their associated SELinux security contexts (`rancher_aiagent_container_t` / `rancher_aimcp_container_t`).
- Bug Fixes: Repaired an environment defect in `installDependencies` that incorrectly wrote literal nested echo syntax to `.bashrc`.

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
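The verification track format and the pod-level/container-level `seLinuxOptions` fallback described in the commit message, modelled as an added example (not the repository's e2e script, which is a bash/jq implementation): it parses a semicolon-delimited `pod:container:type` track, resolves the effective SELinux type per container the way the jq `//` fallback does, and reports each mismatch. The pod objects below are constructed sample data, not real cluster output.

```python
def parse_tracks(track_spec):
    """'pod:container:type;pod:container:type' -> {(pod_prefix, container): type}."""
    tracks = {}
    for triplet in filter(None, track_spec.split(";")):
        parts = triplet.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed track triplet: {triplet!r}")
        pod_prefix, container, selinux_type = parts
        tracks[(pod_prefix, container)] = selinux_type
    return tracks


def effective_selinux_type(pod, container_name):
    """Container-level seLinuxOptions.type wins; otherwise fall back to the
    pod-level value (the jq `container // pod` behaviour); None if neither set."""
    spec = pod["spec"]
    pod_level = spec.get("securityContext", {}).get("seLinuxOptions", {}).get("type")
    for c in spec.get("containers", []):
        if c["name"] == container_name:
            ctype = c.get("securityContext", {}).get("seLinuxOptions", {}).get("type")
            return ctype or pod_level
    return None  # container not present in this pod


def verify_tracks(pods, track_spec):
    """Return [(pod_prefix, container, expected, actual, ok)] for every track.
    A track whose pod prefix matches nothing is reported as a failure, so a
    missing workload cannot silently pass."""
    results = []
    for (pod_prefix, container), expected in parse_tracks(track_spec).items():
        matching = [p for p in pods if p["metadata"]["name"].startswith(pod_prefix)]
        if not matching:
            results.append((pod_prefix, container, expected, None, False))
        for p in matching:
            actual = effective_selinux_type(p, container)
            results.append((pod_prefix, container, expected, actual, actual == expected))
    return results


# Constructed sample pods: the agent sets the type per container, the MCP
# server only at pod level, exercising both branches of the fallback.
SAMPLE_PODS = [
    {"metadata": {"name": "rancher-ai-agent-6d4f9-abcde"},
     "spec": {"containers": [{"name": "agent", "securityContext": {
         "seLinuxOptions": {"type": "rancher_aiagent_container_t"}}}]}},
    {"metadata": {"name": "rancher-mcp-server-7c8b2-fghij"},
     "spec": {"securityContext": {"seLinuxOptions": {"type": "rancher_aimcp_container_t"}},
              "containers": [{"name": "mcp-server"}]}},
]
SAMPLE_TRACK = ("rancher-ai-agent:agent:rancher_aiagent_container_t;"
                "rancher-mcp-server:mcp-server:rancher_aimcp_container_t")
```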
5822f82 to 5568b7c
| [rancher-logging]="cattle-logging-system rancher-logging-root-fluentbit app.kubernetes.io/name=fluentbit fluentbit fluent-bit rke_logreader_t" | ||
| [rancher-monitoring]="cattle-monitoring-system daemonset rancher-monitoring-prometheus-node-exporter app.kubernetes.io/name=prometheus-node-exporter node-exporter:node-exporter:prom_node_exporter_t rancher-charts/rancher-monitoring --set global.seLinux.enabled=true --set prometheus-node-exporter.hostRootFsMount.enabled=false" | ||
| [rancher-logging]="cattle-logging-system daemonset rancher-logging-root-fluentbit app.kubernetes.io/name=fluentbit fluentbit:fluent-bit:rke_logreader_t rancher-charts/rancher-logging --set global.seLinux.enabled=true" | ||
| [rancher-ai-agent]="cattle-ai-agent-system deployment rancher-ai-agent,rancher-mcp-server app=rancher-ai-agent,app=rancher-mcp-server rancher-ai-agent:agent:rancher_aiagent_container_t;rancher-mcp-server:mcp-server:rancher_aimcp_container_t oci://stgregistry.suse.com/rancher/charts/rancher-ai-agent --set seLinux.enabled=true --set insecureSkipTls=true" |
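Review bot: the `rancher-ai-agent` mapping passes `--set insecureSkipTls=true` alongside the `oci://stgregistry.suse.com/rancher/charts/rancher-ai-agent` reference, which turns off TLS verification for that chart install in the e2e run; if this is only needed because the staging registry certificate is not trusted on the test hosts, add a comment next to the entry saying so (and that it must not be carried over to a production chart reference), or trust the staging CA on the runner instead. The new entry format also packs several fields into one string (namespace, workload kind, comma-separated workload names, comma-separated selectors, semicolon-delimited `pod:container:type` triplets, chart reference, extra `--set` flags); a short comment above the array documenting that field order and that names and selectors must line up positionally would make the `rancher-ai-agent,rancher-mcp-server` / `app=rancher-ai-agent,app=rancher-mcp-server` pairing easier to maintain.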
macedogm previously approved these changes on May 27, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
macedogm approved these changes on May 27, 2026