https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Bug ID: 1272146 Summary: Mounted secrets unreadible with SELinux enabled Product: Fedora Version: 23 Component: kubernetes Severity: high Assignee: jchaloup@redhat.com Reporter: thijs.elferink@topicus.nl QA Contact: extras-qa@fedoraproject.org CC: eparis@redhat.com, golang@lists.fedoraproject.org, jcajka@redhat.com, jchaloup@redhat.com, lsm5@redhat.com, nhorman@redhat.com, vbatts@redhat.com
Description of problem:
On a freshly installed Fedora Atomic host (as well as on a CentOS Atomic host); When mounting a secret in a pod, the mount shows up with garbled permissions and is inaccessible.
Version-Release number of selected component (if applicable):
ostree images (both have this problem): TIMESTAMP (UTC) VERSION ID OSNAME REFSPEC 2015-10-14 11:25:03 23.33 89be310d70 centos-atomic-host fedora-atomic:fedora-atomic/f23/x86_64/docker-host 2015-10-01 09:32:09 7.20151001 1e9838ce88 centos-atomic-host centos-atomic-host:centos-atomic-host/7/x86_64/standard
kubernetes node description: Kernel Version: 4.2.3-300.fc23.x86_64 OS Image: Fedora 23 (Twenty Three) Container Runtime Version: docker://1.7.0-dev.fc23 Kubelet Version: v1.1.0-alpha.0.1588+e44c8e6661c931 Kube-Proxy Version: v1.1.0-alpha.0.1588+e44c8e6661c931
How reproducible:
always
Steps to Reproduce: 1. fresh fedora/centos atomic host 2. deploy secret (kubectl create -f secret.json)
secret.json:
{ "apiVersion": "v1", "kind": "Secret", "metadata" : { "name": "test-secret" }, "type": "Opaque", "data": { "test-data":"dGVzdDEyMw==" } }
3. deploy pod (kubectl create -f test-pod.yaml)
test-pod.yaml:
apiVersion: v1 kind: Pod metadata: name: test-pod spec: containers: - name: test image: busybox volumeMounts: - name: "test-volume" mountPath: "/test" readOnly: true command: ["sh"] args: ["-c 'ls -l /test/test-data; cat /test/test-data'"]
volumes: - name: "test-volume" secret: secretName: "test-secret"
Actual results:
output:
-bash-4.2# kubectl logs test-pod ls: cannot access /test/test-data: Permission denied total 0 -????????? ? ? ? ? ? test-data cat: /test/test-data: Permission denied
Expected results:
output:
-bash-4.2# kubectl logs test-pod total 4 -r--r--r--. 1 root root 7 Oct 15 08:08 test-data test123
Additional info:
After disabling SELinux (setenforce 0) the secret is accessible.
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Thijs Elferink thijs.elferink@topicus.nl changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |SELinux
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Jan Chaloupka jchaloup@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |walters@redhat.com Flags| |needinfo?(walters@redhat.co | |m)
--- Comment #1 from Jan Chaloupka jchaloup@redhat.com --- Hi Colin,
what selinux rpms are used in Atomic Host? Have you encountered with this issue before?
Thanks Jan
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Colin Walters walters@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(walters@redhat.co | |m) |
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Bradley Childs bchilds@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |bchilds@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Jan Chaloupka jchaloup@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution|--- |NOTABUG Last Closed| |2016-06-23 10:21:49
--- Comment #6 from Jan Chaloupka jchaloup@redhat.com --- As mentioned in [1], the solution is to use pod-level SecurityContext:
apiVersion: v1 kind: Pod metadata: name: test-pod spec: containers: - name: test image: busybox volumeMounts: - name: "test-volume" mountPath: "/test" readOnly: true command: - "sh" - "-c" - | ls -l /test/test-data cat /test/test-data securityContext: seLinuxOptions: level: "s0:c123,c456" volumes: - name: "test-volume" secret: secretName: "test-secret"
SecurityContextDeny must be removed from /etc/kubernetes/apiserver to enable the SecurityContext. More about it [2], [3].
[1] https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117#issu... [2] http://kubernetes.io/docs/admin/admission-controllers/#securitycontextdeny [3] http://kubernetes.io/docs/user-guide/security-context/
golang@lists.fedoraproject.org