https://bugzilla.redhat.com/show_bug.cgi?id=1272146 Bug ID: 1272146 Summary: Mounted secrets unreadible with SELinux enabled Product: Fedora Version: 23 Component: kubernetes Severity: high Assignee: jchaloup(a)redhat.com Reporter: thijs.elferink(a)topicus.nl QA Contact: extras-qa(a)fedoraproject.org CC: eparis(a)redhat.com, golang(a)lists.fedoraproject.org, jcajka(a)redhat.com, jchaloup(a)redhat.com, lsm5(a)redhat.com, nhorman(a)redhat.com, vbatts(a)redhat.com Description of problem: On a freshly installed Fedora Atomic host (as well as on a CentOS Atomic host); When mounting a secret in a pod, the mount shows up with garbled permissions and is inaccessible. Version-Release number of selected component (if applicable): ostree images (both have this problem): TIMESTAMP (UTC) VERSION ID OSNAME REFSPEC 2015-10-14 11:25:03 23.33 89be310d70 centos-atomic-host fedora-atomic:fedora-atomic/f23/x86_64/docker-host 2015-10-01 09:32:09 7.20151001 1e9838ce88 centos-atomic-host centos-atomic-host:centos-atomic-host/7/x86_64/standard kubernetes node description: Kernel Version: 4.2.3-300.fc23.x86_64 OS Image: Fedora 23 (Twenty Three) Container Runtime Version: docker://1.7.0-dev.fc23 Kubelet Version: v1.1.0-alpha.0.1588+e44c8e6661c931 Kube-Proxy Version: v1.1.0-alpha.0.1588+e44c8e6661c931 How reproducible: always Steps to Reproduce: 1. fresh fedora/centos atomic host 2. deploy secret (kubectl create -f secret.json) secret.json: { "apiVersion": "v1", "kind": "Secret", "metadata" : { "name": "test-secret" }, "type": "Opaque", "data": { "test-data":"dGVzdDEyMw==" } } 3. deploy pod (kubectl create -f test-pod.yaml) test-pod.yaml: apiVersion: v1 kind: Pod metadata: name: test-pod spec: containers: - name: test image: busybox volumeMounts: - name: "test-volume" mountPath: "/test" readOnly: true command: ["sh"] args: ["-c 'ls -l /test/test-data; cat /test/test-data'"] volumes: - name: "test-volume" secret: secretName: "test-secret" Actual results: output: -bash-4.2# kubectl logs test-pod ls: cannot access /test/test-data: Permission denied total 0 -????????? ? ? ? ? ? test-data cat: /test/test-data: Permission denied Expected results: output: -bash-4.2# kubectl logs test-pod total 4 -r--r--r--. 1 root root 7 Oct 15 08:08 test-data test123 Additional info: After disabling SELinux (setenforce 0) the secret is accessible. -- You are receiving this mail because: You are on the CC list for the bug.