Bug 1461470 - RFE - Apply correct SELinux Policies for HostPath persistent volumes in OpenShift 3.5
RFE - Apply correct SELinux Policies for HostPath persistent volumes in OpenS...
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Eric Paris
Xiaoli Tian
Depends On:
  Show dependency treegraph
Reported: 2017-06-14 09:59 EDT by Nicolas Nosenzo
Modified: 2018-01-25 16:13 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nicolas Nosenzo 2017-06-14 09:59:51 EDT
1. Proposed title of this feature request
Make Openshift to correctly set the SELinux context during directory creation for hostpath volumes.

3. What is the nature and description of the request?
The configuration of persistent volumes with the type hostPath doesn't set SElinux policies on the file system and in the container.
The estimated behaviour would be, that the volume is created on node side, where the hostpath volume is claimed, with the correct SELinux policies during claiming

4. Why does the customer need this? (List the business requirements here)
They want to use the benefit from the maximum security configuration of OpenShift. Because of this, they look for SELinux integration proper working with hostpath storage on restricted pods.

5. How would the customer like to achieve this? (List the functional requirements here)
Apply the correct SELinux policies to the directory created during the first mount of the volume

7. Is there already an existing RFE upstream or in Red Hat bugzilla?
No BZ, but there is an statement about this from Kuberenetes documentation [0]:

the directories created on the underlying hosts are only writable by root. You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume

[0] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

Note You need to log in before you can comment on or make changes to this bug.