https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Bug ID: 1272146
Summary: Mounted secrets unreadable with SELinux enabled
Product: Fedora
Version: 23
Component: kubernetes
Severity: high
Assignee: jchaloup(a)redhat.com
Reporter: thijs.elferink(a)topicus.nl
QA Contact: extras-qa(a)fedoraproject.org
CC: eparis(a)redhat.com, golang(a)lists.fedoraproject.org,
jcajka(a)redhat.com, jchaloup(a)redhat.com,
lsm5(a)redhat.com, nhorman(a)redhat.com, vbatts(a)redhat.com
Description of problem:
On a freshly installed Fedora Atomic host (as well as on a CentOS Atomic host);
When mounting a secret in a pod, the mount shows up with garbled permissions
and is inaccessible.
Version-Release number of selected component (if applicable):
ostree images (both have this problem):
TIMESTAMP (UTC)       VERSION     ID           OSNAME              REFSPEC
2015-10-14 11:25:03   23.33       89be310d70   centos-atomic-host  fedora-atomic:fedora-atomic/f23/x86_64/docker-host
2015-10-01 09:32:09   7.20151001  1e9838ce88   centos-atomic-host  centos-atomic-host:centos-atomic-host/7/x86_64/standard
kubernetes node description:
Kernel Version: 4.2.3-300.fc23.x86_64
OS Image: Fedora 23 (Twenty Three)
Container Runtime Version: docker://1.7.0-dev.fc23
Kubelet Version: v1.1.0-alpha.0.1588+e44c8e6661c931
Kube-Proxy Version: v1.1.0-alpha.0.1588+e44c8e6661c931
How reproducible:
always
Steps to Reproduce:
1. fresh fedora/centos atomic host
2. deploy secret (kubectl create -f secret.json)
secret.json:
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "test-secret"
  },
  "type": "Opaque",
  "data": {
    "test-data": "dGVzdDEyMw=="
  }
}
3. deploy pod (kubectl create -f test-pod.yaml)
test-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: busybox
    volumeMounts:
    - name: "test-volume"
      mountPath: "/test"
      readOnly: true
    command: ["sh"]
    # "-c" and the script must be separate arguments; a single
    # "-c '...'" string is parsed by sh as one malformed option
    args: ["-c", "ls -l /test/test-data; cat /test/test-data"]
  volumes:
  - name: "test-volume"
    secret:
      secretName: "test-secret"
Actual results:
output:
-bash-4.2# kubectl logs test-pod
ls: cannot access /test/test-data: Permission denied
total 0
-????????? ? ? ? ? ? test-data
cat: /test/test-data: Permission denied
Expected results:
output:
-bash-4.2# kubectl logs test-pod
total 4
-r--r--r--. 1 root root 7 Oct 15 08:08 test-data
test123
Additional info:
After disabling SELinux (setenforce 0) the secret is accessible.
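A check that belongs with this report, as an added example that is not part of the bug report or of the kubernetes project. The `-?????????` line in the actual output means `ls` could read the directory entry but `stat()` on the file failed, which is what an SELinux getattr denial on the file looks like; `setenforce 0` confirms SELinux is involved but leaves the host unprotected, and the audit log gives the same answer without that (in permissive mode the kernel still logs the would-be denials with `permissive=1`). The script below parses kernel AVC records of the form found in /var/log/audit/audit.log or `ausearch -m AVC` output and groups denials by source context, target context and object class, optionally restricted to the secret's mount path. The sample records, the `svirt_lxc_net_t`/`tmpfs_t` labels, pids, inode numbers and timestamps are constructed for the example; they are assumptions, not values observed on the reporter's hosts.

```python
"""Summarise SELinux AVC denials from an audit log.

Added example: instead of leaving the host in setenforce 0, collect the AVC
records and report which source context was denied which permissions on
which target context, so the labeling problem can be reported and fixed.
"""
import re
from collections import defaultdict

# Constructed sample records (not from the bug report). The record layout is
# the standard kernel AVC format; labels, pids, inodes and timestamps are
# illustrative assumptions. path= is the path as seen inside the container.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1444896480.123:456): avc:  denied  { getattr } for  pid=1234 comm="ls" path="/test/test-data" dev="tmpfs" ino=12345 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444896480.130:457): avc:  denied  { read open } for  pid=1235 comm="cat" path="/test/test-data" dev="tmpfs" ino=12345 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1444896480.130:457): arch=c000003e syscall=2 success=no exit=-13 ppid=1200 pid=1235 comm="cat" exe="/bin/busybox"
type=AVC msg=audit(1444896490.001:458): avc:  denied  { write } for  pid=2000 comm="sshd" name="log" dev="xvda1" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1444896600.500:459): avc:  denied  { getattr } for  pid=1300 comm="ls" path="/test/test-data" dev="tmpfs" ino=12345 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be double-quoted (path, comm)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        # directory-entry lookups are logged as name=, file accesses as path=
        "path": fields.get("path") or fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1: access was allowed but would be denied when enforcing
        "permissive": fields.get("permissive") == "1",
    }


def summarize_denials(log_text, path_prefix=None):
    """Group denials by (scontext, tcontext, tclass) -> sorted permission list.

    With path_prefix set, only records whose path/name starts with it count,
    so unrelated denials on the host (sshd, cron, ...) do not pollute the view.
    """
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if path_prefix and not (rec["path"] or "").startswith(path_prefix):
            continue
        groups[(rec["scontext"], rec["tcontext"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT_LOG, "/test/").items():
        print(f"{src} -> {tgt} ({cls}): denied {' '.join(perms)}")
```

Run it against the real log with `summarize_denials(open("/var/log/audit/audit.log").read(), "/test/")`, or feed it `ausearch -m AVC -ts recent --raw` output. The (scontext, tcontext, tclass) triple plus the permission list is the information that identifies the mislabeled mount and belongs in the bug report; it is also what a policy or labeling fix has to address, so the host can go back to enforcing mode.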