SELinux label on the mounted volume #27282
There is a field named `SELinuxOptions` in `PodSecurityContext`, however this is only used for the running process in containers. For example, the following spec:

What I am hoping is that the files under `/var/log/ubuntu3` would have type `svirt_sandbox_file_t`, however it was set on the process, not the volumes. My question is: is there a way to set SELinux labels for the volumes (something like `-v ${hostpath}:${containerpath}:z` in Docker)?

I have no idea whom I should mention, so @erictune (security-related) and @saad-ali (volume-related), what do you think? To extend this a little bit further: if Docker has SELinux enabled, then all the containers already get unique level settings with something like

And the

CC @pmorie

It looks like setting the So it is really confusing why SELinux is set for the process. /cc @chengyli @ashw7n

Atomic OS ships a Kubernetes distro with SELinux enabled by default; what's the way to ensure the volumes are accessible with SELinux enabled?

Reading through the proposal here: https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/selinux.md and the Atomic issue here: projectatomic/adb-atomic-developer-bundle#117, it looks like the SELinux support for volumes is still incomplete. Specifically, @pmorie, I read through your proposal, and the question in my mind is: should there be two

I think Dan's post describes pretty well what Docker does. I think if Kubernetes just had a "SELinuxVolume" flag, it could even infer whether to pass Z or z to Docker based on the access mode of the persistent volume (assuming persistent volumes here). ReadWriteOnce sort of implies Z whereas ReadWriteMany implies z.

I think my last comment is pointless. The proposal doc referenced above describes it pretty well.

I am confused. If you cannot label volumes at the moment, why is https://kubernetes.io/docs/user-guide/security-context/ talking about that?

@zhouhaibing089 - Did anything ever happen with this?

@wied03: not that I am aware of. I will check later.

I haven't tested this but I think this issue still remains because the docs @pizzarabe mentions talk about specifying the label. The "desired" behavior that Docker does is the container runs as a random, unused MCS label and then the Z flag has Docker relabel the volume with the MCS label it chose for the container. There are mount options in K8s now (could Z be passed in there?) but it looks like those are at the node level, not container specific.

It sounds like currently, to mount a local PV with Docker SELinux enabled, the user has to manually add a label to the local path. An example is the OpenShift user doc https://docs.openshift.org/latest/install_config/configuring_local.html#local-volume-mounting-local-volumes. Any concerns about Kubernetes local volumes supporting it automatically? Can we /reopen the ticket or do we need to open a new one?

Same problems in my case.
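A small check for the situation the issue and the later comments describe, written as an added example (not Kubernetes' or Docker's own code): it turns a pod's `seLinuxOptions` into the process context, parses `ls -dZ` output for the host path, applies the MCS domination rule to say whether the container process could use the directory, and picks `z` or `Z` from the PV access modes as suggested in the thread. Assumed rather than taken from the thread: the default `system_u:system_r:svirt_lxc_net_t` process fields, that `:z` keeps the `svirt_sandbox_file_t` type but drops the MCS categories, that `ReadOnlyMany` counts as a shared mode, and the `<context> <path>` line format of `ls -dZ`; the sample lines are constructed.

```python
"""Added example (not Kubernetes or Docker code): compare a host path's SELinux
file context with a pod's securityContext.seLinuxOptions, and derive the Docker
relabel flag (z/Z) from the PV access modes as the thread proposes.

Assumptions:
  * MCS rule: a process may use a file only if the file's categories are a
    subset of the process's categories (sensitivity s0 on both sides).
  * Docker ':Z' gives the volume the container's level; ':z' keeps the type
    but drops the categories so any container can share it.
  * The container file type is svirt_sandbox_file_t (the name used in the issue).
"""
from dataclasses import dataclass
import re

CONTAINER_FILE_TYPE = "svirt_sandbox_file_t"
SHARED_ACCESS_MODES = {"ReadWriteMany", "ReadOnlyMany"}  # assumption: *Many => shared


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # "s0", "s0:c123,c456" or a range such as "s0:c1.c5"

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"not an SELinux context: {text!r}")
        return cls(*parts)

    def categories(self) -> frozenset:
        """Expand the MCS category set, e.g. 's0:c1.c3,c7' -> {c1,c2,c3,c7}."""
        _, _, cats = self.level.partition(":")
        out = set()
        for item in filter(None, cats.split(",")):
            m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not m:
                raise ValueError(f"bad MCS category {item!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            out.update(f"c{i}" for i in range(lo, hi + 1))
        return frozenset(out)

    def __str__(self) -> str:
        return ":".join((self.user, self.role, self.type, self.level))


def pod_process_context(selinux_options: dict) -> Context:
    """Process context a pod's seLinuxOptions would produce; missing fields
    get the Docker defaults (assumption)."""
    return Context(
        user=selinux_options.get("user", "system_u"),
        role=selinux_options.get("role", "system_r"),
        type=selinux_options.get("type", "svirt_lxc_net_t"),
        level=selinux_options.get("level", "s0"),
    )


def mcs_allows(process: Context, obj: Context) -> bool:
    """MCS domination: the file's categories must be a subset of the process's."""
    return obj.categories() <= process.categories()


def relabel_flag(access_modes) -> str:
    """'z' (shared) for *Many modes, otherwise 'Z' (private), per the comment above."""
    return "z" if any(m in SHARED_ACCESS_MODES for m in access_modes) else "Z"


def expected_file_context(process: Context, flag: str) -> Context:
    """Context Docker would put on the volume for the given relabel flag (assumption)."""
    level = process.level.split(":", 1)[0] if flag == "z" else process.level
    return Context("system_u", "object_r", CONTAINER_FILE_TYPE, level)


def audit_host_path(ls_z_line: str, process: Context) -> list:
    """Parse one `ls -dZ <path>` line ('<context> <path>') and return findings;
    an empty list means the pod process could use the directory."""
    ctx_text, _, path = ls_z_line.strip().partition(" ")
    file_ctx = Context.parse(ctx_text)
    findings = []
    if file_ctx.type != CONTAINER_FILE_TYPE:
        findings.append(f"{path}: type {file_ctx.type}, expected {CONTAINER_FILE_TYPE}")
    if not mcs_allows(process, file_ctx):
        findings.append(f"{path}: level {file_ctx.level} not dominated by {process.level}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the pod asks for a specific MCS level, as in the issue.
    pod = pod_process_context({"level": "s0:c123,c456"})
    # Constructed `ls -dZ` lines for three states of /var/log/ubuntu3.
    samples = [
        "system_u:object_r:var_log_t:s0 /var/log/ubuntu3",  # never relabelled
        "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 /var/log/ubuntu3",  # another container's :Z
        "system_u:object_r:svirt_sandbox_file_t:s0:c123,c456 /var/log/ubuntu3",  # this pod's :Z
    ]
    for line in samples:
        print(line, "->", audit_host_path(line, pod) or "OK")
    flag = relabel_flag(["ReadWriteOnce"])
    print(f"-v /var/log/ubuntu3:/var/log:{flag} ->", expected_file_context(pod, flag))
```

Run it as a script to see the three outcomes for the sample directory: a path still carrying `var_log_t` fails on type even though its plain `s0` level is readable, a path relabelled for a different container fails on the MCS level, and only the path carrying the pod's own categories passes. The `z`/`Z` choice is the heuristic from the comment above and is not something Kubernetes does here.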