Description of problem:
Reading data from persistent storage provided by csi will report "Permission denied" error

Version-Release number of selected component (if applicable):
oc v3.10.0-0.38.0
openshift v3.10.0-0.41.0
kubernetes v1.10.0+b81c8f8
csi-attacher-0.2.0-2.git27299be.el7.x86_64
csi-provisioner-0.2.0-1.el7.x86_64
csi-driver-registrar-0.2.0-1.el7.x86_64

How reproducible:
Deploy csi per https://github.com/openshift/openshift-docs/pull/8783/files

Steps to Reproduce:
1. Create PVC
# cat pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc1
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

2. Create Pod
# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
    - name: web-server
      image: nginx
      volumeMounts:
        - mountPath: /var/lib/www/html
          name: mypvc
  volumes:
    - name: mypvc
      persistentVolumeClaim:
        claimName: pvc1
        readOnly: false

3. Read data from persistent storage provided by csi

Actual results:
# oc exec web-server -- ls /var/lib/www/html
ls: cannot open directory '/var/lib/www/html': Permission denied

Expected results:
Could read and write data successfully.

Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
CSI currently does not support SELinux. I filed https://github.com/container-storage-interface/spec/issues/235 to update the specification; however, it may take a while before it's fixed in the spec and all CSI drivers. I will update the docs.
Upstream PR: https://github.com/kubernetes/kubernetes/pull/64026
Origin PR: https://github.com/openshift/origin/pull/19816
Verified in openshift:
oc v3.10.0-0.60.0
openshift v3.10.0-0.60.0
kubernetes v1.10.0+b81c8f8
csi-attacher-0.2.0-3.git27299be.el7.x86_64
csi-provisioner-0.2.0-2.el7.x86_64
csi-driver-registrar-0.2.0-1.el7.x86_64

# uname -a
Linux qe-piqin-master-etcd-nfs-1 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816