Hi! I'm currently on a project that utilizes Kata-Containers, and I'm using CNI Plugins to support the networking to run Kata with Crictl currently.
I haven't had the opportunity to check out the full details of CNI, but I was wondering if there's been a usage with SELinux in the past?
I'm currently trying to run an SELinux Targeted MCS (Multi-Category Security) mode, where different Kata processes (network provided by a CNI bridged network, so the first pod has the IP 172.19.0.2, the next launched pod receives 172.19.0.3, and so on) will have different security contexts. So in theory, I'd be able to restrict the connections (maybe a curl command from the pod/container) via SELinux solely. I'm just wondering if there has been an occasion of this, because I'm not sure if this is a possibility at all at the moment.
Ooh, and on a separate note... is there some kind of an architecture diagram for how CNI works, by any chance?
Thank you very much in advance!
Best Regards,
Kloud Byun