https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Jan Chaloupka <jchaloup@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|---                         |NOTABUG
        Last Closed|                            |2016-06-23 10:21:49
--- Comment #6 from Jan Chaloupka <jchaloup@redhat.com> ---
As mentioned in [1], the solution is to use pod-level SecurityContext:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: busybox
    volumeMounts:
    - name: "test-volume"
      mountPath: "/test"
      readOnly: true
    command:
    - "sh"
    - "-c"
    - |
      ls -l /test/test-data
      cat /test/test-data
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
  - name: "test-volume"
    secret:
      secretName: "test-secret"

SecurityContextDeny must be removed from /etc/kubernetes/apiserver to enable the SecurityContext. More about it [2], [3].

[1] https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117#issu...
[2] http://kubernetes.io/docs/admin/admission-controllers/#securitycontextdeny
[3] http://kubernetes.io/docs/user-guide/security-context/
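
Added example (not part of the bug comment or of any project's code): a way to check whether SecurityContextDeny is enabled in the apiserver file and to preview the file without it. It assumes the plugin list sits on a KUBE_ADMISSION_CONTROL="--admission-control=..." line, a layout the comment does not show; the sample file contents are constructed.

```shell
#!/bin/sh
# Assumption: the admission plugins are configured on one line of the form
#   KUBE_ADMISSION_CONTROL="--admission-control=A,B,C"
# (the older --admission_control spelling is accepted as well).

# Print the enabled admission plugins of file $1, one per line.
admission_plugins() {
    sed -n 's/^KUBE_ADMISSION_CONTROL="--admission[-_]control=\([^"]*\)".*/\1/p' "$1" |
        tr ',' '\n'
}

# Succeed if plugin $2 is enabled in file $1.
has_admission_plugin() {
    admission_plugins "$1" | grep -qxF "$2"
}

# Print file $1 with plugin $2 removed from the list; the file is not modified.
without_admission_plugin() {
    awk -v plugin="$2" '
        /^KUBE_ADMISSION_CONTROL="--admission[-_]control=/ {
            match($0, /control=/)                    # end of the flag name
            head = substr($0, 1, RSTART + RLENGTH - 1)
            list = substr($0, RSTART + RLENGTH)
            sub(/".*$/, "", list)                    # drop the closing quote
            n = split(list, p, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (p[i] != plugin)
                    out = out (out == "" ? "" : ",") p[i]
            print head out "\""
            next
        }
        { print }                                    # other lines unchanged
    ' "$1"
}

# Constructed sample input, not taken from the bug report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
EOF
if has_admission_plugin "$sample" SecurityContextDeny; then
    echo "SecurityContextDeny is enabled; file without it:"
    without_admission_plugin "$sample" SecurityContextDeny
fi
rm -f "$sample"
```

The functions only print to stdout; the apiserver has to be restarted before a changed file takes effect.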