module my-kube-apiserver 1.0;

require {
        type container_var_lib_t;
        type rke2_service_t;
        class file watch;
}


#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;