Description of problem:
If you create pod with volume, where volume is emptyDir, SELinux is blocking access to that directory inside container.

Example
# cat busybox.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: busybox
    name: busybox
    command:
      - sleep
      - "36000"
    volumeMounts:
      - name: storage
        mountPath: /storage
  volumes:
    - name: storage
      emptyDir: {}

# kubectl get pods
NAME      READY     STATUS    RESTARTS   AGE
busybox   1/1       Running   0          40s

# kubectl exec -it busybox /bin/sh
/ # cd /storage/
/storage # touch hello
touch: hello: Permission denied

It is quite pain to work with emptyDir as volumes inside kubenetes pod, you have to always think of chcon. When you stop pod it is recreated with new uid, so you have to chcon emptyDir volumes again :-(

I think, if developer defined a mounted path himself it is ok to require manual chcon, but with emptyDir that should be automatic.

Version-Release number of selected component (if applicable):

# rpm -qa | grep kubernetes
kubernetes-master-1.0.3-0.2.gitb9a88a7.el7.x86_64
kubernetes-client-1.0.3-0.2.gitb9a88a7.el7.x86_64
kubernetes-node-1.0.3-0.2.gitb9a88a7.el7.x86_64
kubernetes-1.0.3-0.2.gitb9a88a7.el7.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Everytime, Try to create pod using template example and then access mounted directory, you will get permission denied issue.


Steps to Reproduce:
1. Create pod template with emptyDir as volumes
2. Deploy pod using kubectl
3. Try to create any file in mounted volume once pod is running by accessing pod container.

Actual results:
Permission denied 

Expected results:

It should not provide permission denined issue.

Additional info:

ADB upstream issue: https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117