Bug 1272146
Summary: Mounted secrets unreadable with SELinux enabled

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | Thijs Elferink <thijs.elferink> |
| Component | kubernetes | Assignee | Jan Chaloupka <jchaloup> |
| Status | CLOSED NOTABUG | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 23 | CC | bchilds, eparis, golang-updates, jcajka, jchaloup, lsm5, nhorman, vbatts, walters |
| Target Milestone | --- | Keywords | SELinux |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1276080 | Environment | |
| Last Closed | 2016-06-23 14:21:49 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Thijs Elferink
2015-10-15 14:53:59 UTC
Hi Colin, what selinux rpms are used in Atomic Host? Have you encountered this issue before?

Thanks,
Jan

As mentioned in [1], the solution is to use a pod-level SecurityContext:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: busybox
    volumeMounts:
    - name: "test-volume"
      mountPath: "/test"
      readOnly: true
    command:
    - "sh"
    - "-c"
    - |
      ls -l /test/test-data
      cat /test/test-data
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
  - name: "test-volume"
    secret:
      secretName: "test-secret"
```

SecurityContextDeny must be removed from /etc/kubernetes/apiserver to enable the SecurityContext. More about it in [2], [3].

[1] https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117#issuecomment-215313573
[2] http://kubernetes.io/docs/admin/admission-controllers/#securitycontextdeny
[3] http://kubernetes.io/docs/user-guide/security-context/
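The two host-side steps behind the workaround above, as an added shell example that is not part of the bug report or of the Fedora kubernetes package: dropping SecurityContextDeny from the apiserver's admission-control list, and checking that the files of a mounted secret carry the same MCS level as the pod's seLinuxOptions.level. It assumes the Fedora config keeps the plugins in a line of the form KUBE_ADMISSION_CONTROL="--admission-control=A,B,C" and that `ls -Z` prints the context as the first field of each line; the config file and the `ls -Z` lines used in the demo are constructed here, not captured from a host.

```shell
#!/bin/sh
# Added example (not code from the bug report or the kubernetes package).
# Assumptions: /etc/kubernetes/apiserver carries its admission plugins as
#   KUBE_ADMISSION_CONTROL="--admission-control=A,B,C"
# and `ls -Z` prints "<context> <name>" per line. All inputs below are
# constructed for the demo.

# Print the MCS level of an SELinux context, i.e. everything after the third
# colon: system_u:object_r:svirt_sandbox_file_t:s0:c123,c456 -> s0:c123,c456
level_of() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Remove one plugin name from the --admission-control list in config file $1,
# whether it is first, in the middle, or last in the comma-separated list.
drop_admission_plugin() {
    file=$1
    plugin=$2
    addr='/^KUBE_ADMISSION_CONTROL=/'
    tmp=$(mktemp)
    sed -e "$addr s/,$plugin,/,/" \
        -e "$addr s/=$plugin,/=/" \
        -e "$addr s/,$plugin\"/\"/" \
        -e "$addr s/,$plugin\$//" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the comma-separated plugin list currently configured in file $1.
admission_list() {
    sed -n 's/^KUBE_ADMISSION_CONTROL="--admission-control=\([^"]*\)".*/\1/p' "$1"
}

# Read "<context> <name>" lines (as `ls -Z` prints them inside the secret
# mount directory) on stdin and print the names whose MCS level is not $1.
mismatched_levels() {
    expected=$1
    while read -r ctx name; do
        [ "$(level_of "$ctx")" = "$expected" ] || printf '%s\n' "$name"
    done
}

# --- demo on constructed input --------------------------------------------
cfg=$(mktemp)   # stand-in for /etc/kubernetes/apiserver
printf '%s\n' 'KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"' > "$cfg"
drop_admission_plugin "$cfg" SecurityContextDeny
echo "admission plugins now: $(admission_list "$cfg")"
rm -f "$cfg"

# Constructed `ls -Z` output: one file at the pod's level, one that is not
# and therefore gets flagged.
echo "files not at the pod level:"
printf '%s\n' \
    'system_u:object_r:svirt_sandbox_file_t:s0:c123,c456 test-data' \
    'system_u:object_r:tmpfs_t:s0 stale-file' \
    | mismatched_levels 's0:c123,c456'
```

Run the check on the node where the pod is scheduled, feeding it `ls -Z` of the secret volume directory under the kubelet's pod directory, and compare the level it expects with the container's own process label (`ps -Z` from inside the container); after editing the apiserver config, restart kube-apiserver for the admission-control change to take effect.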