
SELinux Volumes not relabeled in 1.16 #83679

Open
shanesiebken opened this issue Oct 9, 2019 · 9 comments

Comments

@shanesiebken commented Oct 9, 2019

What happened:
After upgrading from kubelet 1.15 -> 1.16, volumes are no longer relabeled as container_file_t for selinux, causing most pods to fail.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

  • Run a kubernetes cluster on 1.15.[0-3].
  • Create a pod with a secret, configmap, or with provisioned storage (ebs-csi-driver).
  • Find that file on disk of the node, and observe it is labeled with the file type container_file_t and the pod is able to read it.
  • Upgrade the kubelet to 1.16
  • Delete the pod, and observe it fail on launch. Find the file on disk and see it labeled tmpfs_t or unlabeled_t for configmap/secret and provisioned volumes, respectively.

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): 1.15 / 1.16
  • Cloud provider or hardware configuration: AWS
  • OS (e.g: cat /etc/os-release): RHEL 7.7
  • Kernel (e.g. uname -a): 3.10.0-1062.1.1.el7.x86_64
  • Install tools: kubeadm
  • Network plugin and version (if this is a network-related bug): N/A
  • Others:
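A node-side check for the symptom in the reproduction steps above: list kubelet volume files and flag any whose SELinux type is not container_file_t. This is an added example, not code from the issue or the Kubernetes project; the sample `stat` lines, pod UIDs and contexts are constructed for the demo.

```shell
#!/bin/sh
# Input lines are in `stat -c '%C %n'` form: "<selinux-context> <path>".
# On a real node they would come from (assumed invocation, GNU coreutils stat):
#   find /var/lib/kubelet/pods -path '*/volumes/*' -type f -exec stat -c '%C %n' {} +

# check_labels <file-with-stat-lines>
# Prints one line per volume file whose type is not container_file_t and
# returns 1 if any were found, 0 if every file carries the expected label.
check_labels() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        ctx=${line%% *}          # SELinux context: user:role:type:level
        path=${line#* }          # path is everything after the first space
        type=$(printf '%s' "$ctx" | cut -d: -f3)   # third field is the type
        case "$type" in
            container_file_t) ;;   # expected after kubelet relabeling
            *) printf 'MISLABELED %s %s\n' "$type" "$path"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# count_mislabeled <file-with-stat-lines> : number of files not container_file_t
count_mislabeled() {
    check_labels "$1" | wc -l | tr -d ' '
}

# Constructed sample: one correctly labeled secret, plus the two failure
# labels reported in the issue (tmpfs_t for a configmap, unlabeled_t for a CSI volume).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
system_u:object_r:container_file_t:s0:c12,c34 /var/lib/kubelet/pods/aaaa-1111/volumes/kubernetes.io~secret/token/..data/token
system_u:object_r:tmpfs_t:s0 /var/lib/kubelet/pods/bbbb-2222/volumes/kubernetes.io~configmap/cfg/..data/app.conf
system_u:object_r:unlabeled_t:s0 /var/lib/kubelet/pods/cccc-3333/volumes/kubernetes.io~csi/pvc-0/mount/data.db
EOF

check_labels "$SAMPLE" || echo "some volume files are not labeled container_file_t"
```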
@shanesiebken (Author) commented Oct 9, 2019

/sig storage

@k8s-ci-robot k8s-ci-robot added sig/storage and removed needs-sig labels Oct 9, 2019
@shanesiebken (Author) commented Oct 9, 2019

@kubernetes/sig-storage-bugs

@k8s-ci-robot (Contributor) commented Oct 9, 2019

@shanesiebken: Reiterating the mentions to trigger a notification:
@kubernetes/sig-storage-bugs

In response to this:

@kubernetes/sig-storage-bugs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@gnufied (Member) commented Oct 10, 2019

Is selinux enabled for docker? Can you paste the output of:

docker info | grep 'Security Options'

and also docker version

@gnufied (Member) commented Oct 10, 2019

Also please paste YAML of one or more pods which are affected by this. Thank you!

@shanesiebken (Author) commented Oct 10, 2019

Security Options -

Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp.json
 selinux

Perhaps of note here, we do not change the /etc/docker/seccomp.json installed by docker, and rpm --verify docker confirms we don't make changes to that file.

Docker version:

 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-103.git7f2769b.el7.x86_64
 Go version:      go1.10.8
 Git commit:      7f2769b/1.13.1
 Built:           Fri Aug  2 10:19:53 2019
 OS/Arch:         linux/amd64

Client and server blocks match.

Pod yaml incoming

@shanesiebken (Author) commented Oct 10, 2019

To clarify, do you want a runnable "minimum reproducible" pod.yaml, or is it more informational? If the latter, I have a pod that breaks and I'm working on the yaml for that, removing sensitive information, etc. If the former, I'll need to spend a few minutes getting a minimal reproduction with busybox or somesuch.

@gnufied (Member) commented Oct 11, 2019

I need the full yaml of a pod that is not working, i.e. the generated full YAML.

@shanesiebken (Author) commented Oct 18, 2019

Hi, I'm sorry I haven't had a chance to follow up with this ticket. I will get some pod yaml attached early next week. Thank you for following up.
