Ability to set SELinux labels for volumes #699
Comments
Related to #391
I think you would want to allow Kubernetes also to specify the label to run a container with. I have patches working their way upstream that do `docker run --label-opt type:mycontainer_t --label-opt level:TopSecret`. Another patch allows you to mount a volume with a `:Z` or a `:z`, which tells docker to use the private label or a shared label for the volume.
Related to security contexts: #3910
I believe this was done as part of SecurityContext and other SELinux work, such as #17555.
Users of Linux distributions with SELinux in enforcing mode will likely need to have Kubernetes set the appropriate SELinux label on any volumes created, at least for EmptyDir volumes (directories created on the host system that are then bind mounted into the Docker container). I believe we are currently using `svirt_sandbox_file_t`, but we may want to make the label configurable.

For my particular use case, I was trying to run the docker registry container inside a pod, and I wanted to specify a volume for storing the registry's persistent data (docker images). The registry isn't allowed to write to the volume because SELinux denies it. Here's an example denial:
/cc @rhatdan @smarterclayton
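The two things the thread turns on, the file type a container process may write (`svirt_sandbox_file_t`, later renamed `container_file_t`) and the difference between the shared `:z` label and the private `:Z` label that carries the container's MCS categories, can be checked mechanically from the AVC line in the audit log. The script below is an added example written for this page, not code from the Kubernetes or Docker projects: it parses a denial, applies the two rules (writable type, and the process's categories must dominate the file's), and says whether relabelling the volume would fix it and with what label. The audit lines, the process level `s0:c12,c34` and the `svirt_lxc_net_t` process type are constructed sample data.

```python
"""Triage an SELinux AVC denial on a container volume.

Added example for the discussion above, not project code.  The audit
lines below are constructed; the process type svirt_lxc_net_t and the
MCS level s0:c12,c34 are assumptions chosen for the sample.
"""
import re

# File types the container process type of that policy era may write.
# A volume labelled anything else (var_lib_t, default_t, ...) is denied.
WRITABLE_TYPES = {"svirt_sandbox_file_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials (not real log output).
DENIAL_WRONG_TYPE = (
    'type=AVC msg=audit(1415210640.123:456): avc:  denied  { write } for  pid=1234 '
    'comm="registry" name="data" dev="dm-0" ino=789 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'
)
DENIAL_MCS_MISMATCH = DENIAL_WRONG_TYPE.replace(
    "unconfined_u:object_r:var_lib_t:s0", "system_u:object_r:svirt_sandbox_file_t:s0:c5,c6"
)
DENIAL_OTHER = DENIAL_WRONG_TYPE.replace(
    "unconfined_u:object_r:var_lib_t:s0", "system_u:object_r:svirt_sandbox_file_t:s0"
)


def parse_context(ctx):
    """Split 'user:role:type:level'. The level itself may contain colons
    (s0:c12,c34), so split at most three times."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def categories(level):
    """MCS categories of a level: 's0:c12,c34' -> {12, 34}, 's0' -> set().
    Ranges such as c1.c3 are expanded."""
    cats = set()
    parts = level.split(":", 1)
    if len(parts) == 1:
        return cats
    for item in parts[1].split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    return {
        "perms": m.group("perms").split(),
        "scontext": parse_context(m.group("scontext")),
        "tcontext": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def volume_label(mode, process_level):
    """Label a volume the way docker's :z / :Z mount flags do: 'z' is the
    shared label without categories, 'Z' is the private label carrying the
    container's MCS categories."""
    if mode == "z":
        return "system_u:object_r:svirt_sandbox_file_t:s0"
    if mode == "Z":
        return "system_u:object_r:svirt_sandbox_file_t:" + process_level
    raise ValueError("mode must be 'z' or 'Z'")


def would_allow(scontext, tcontext):
    """Type must be writable and the process's categories must dominate the
    file's; a file with no categories (the :z case) is reachable by any
    container."""
    s, t = parse_context(scontext), parse_context(tcontext)
    if t["type"] not in WRITABLE_TYPES:
        return False
    return categories(t["level"]) <= categories(s["level"])


def diagnose(line):
    """Return (reason, label-to-apply). The label is the private :Z label
    for the denied process; apply it with chcon -R -t TYPE -l LEVEL or by
    mounting the volume with :Z."""
    d = parse_avc(line)
    plevel = d["scontext"]["level"]
    if d["tcontext"]["type"] not in WRITABLE_TYPES:
        return ("wrong_type", volume_label("Z", plevel))
    if not categories(d["tcontext"]["level"]) <= categories(plevel):
        return ("mcs_mismatch", volume_label("Z", plevel))
    return ("not_a_label_problem", None)


if __name__ == "__main__":
    for name, line in [("wrong type", DENIAL_WRONG_TYPE),
                       ("mcs mismatch", DENIAL_MCS_MISMATCH),
                       ("other", DENIAL_OTHER)]:
        print(name, "->", diagnose(line))
```

The `:z` shared label is what lets several pods on a node share one host directory; the `:Z` private label ties the directory to one container's categories, which is the safer default for per-pod data such as an EmptyDir.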