Red Hat Bugzilla – Bug 1461470
RFE - Apply correct SELinux Policies for HostPath persistent volumes in OpenShift 3.5
Last modified: 2018-01-25 16:13:31 EST
1. Proposed title of this feature request
Make Openshift to correctly set the SELinux context during directory creation for hostpath volumes.
3. What is the nature and description of the request?
The configuration of persistent volumes with the type hostPath doesn't set SElinux policies on the file system and in the container.
The estimated behaviour would be, that the volume is created on node side, where the hostpath volume is claimed, with the correct SELinux policies during claiming
4. Why does the customer need this? (List the business requirements here)
They want to use the benefit from the maximum security configuration of OpenShift. Because of this, they look for SELinux integration proper working with hostpath storage on restricted pods.
5. How would the customer like to achieve this? (List the functional requirements here)
Apply the correct SELinux policies to the directory created during the first mount of the volume
7. Is there already an existing RFE upstream or in Red Hat bugzilla?
No BZ, but there is an statement about this from Kuberenetes documentation :
the directories created on the underlying hosts are only writable by root. You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume