Reputation: 181
We are running Kubernetes with SELinux enabled. We would like to use serviceAccounts. When I disable SELinux containers can read the secrets, as expected.
But, when I enable SELinux we cannot read the secrets inside the container. For example:
localhost$ kubectl exec -it my-pod bash
my-pod$ ls /var/run/secrets/kubernetes.io/serviceaccount/
token
my-pod$ cat /var/run/secrets/kubernetes.io/serviceaccount/token
Permission denied
What is the recommended way to use serviceAccounts with SELinux?
Thanks, Andrej
Upvotes: 0
Views: 1366
Reputation: 21
There is an SELinux policy rule for it (in Fedora 23 at least) but unfortunately it has a typo.
semanage fcontext -l | grep /var/lib/kub
/var/lib/kublet(/.*)? all files system_u:object_r:docker_var_lib_t:s0
Should be "kubelet". I opened a bug here.
Upvotes: 2
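To see why the typo matters, here is an added shell example (not part of the answer above) that resolves a secret's path against a small constructed fcontext table the way matchpathcon would, preferring the longest matching regex as a simplification of libselinux's stem preference. The rule table, the var_lib_t fallback rule and the pod path are constructed for the example.

```shell
#!/bin/sh
# Constructed fcontext tables in the column layout of `semanage fcontext -l`.
# BUGGY_TABLE carries the "kublet" typo from the answer; FIXED_TABLE is the corrected rule.
BUGGY_TABLE='/var/lib(/.*)?           all files    system_u:object_r:var_lib_t:s0
/var/lib/kublet(/.*)?    all files    system_u:object_r:docker_var_lib_t:s0'
FIXED_TABLE='/var/lib(/.*)?           all files    system_u:object_r:var_lib_t:s0
/var/lib/kubelet(/.*)?   all files    system_u:object_r:docker_var_lib_t:s0'

# Constructed example of where the kubelet materialises a service-account token on the host.
SECRET=/var/lib/kubelet/pods/POD-UID/volumes/kubernetes.io~secret/default-token/token

# fcontext_type TABLE PATH
# Prints the SELinux type the table assigns to PATH; returns 1 if no rule matches.
# Among matching rules the longest regex wins (a simplification of the real matcher).
fcontext_type() {
  path=$2
  best=""
  bestlen=0
  # Read the table from a here-document so the loop runs in the current shell
  # and its variables survive (a pipeline would run the loop in a subshell).
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    regex=${line%%[[:space:]]*}   # first column: path regex
    ctx=${line##*[[:space:]]}     # last column: security context
    if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
      if [ "${#regex}" -gt "$bestlen" ]; then
        best=$ctx
        bestlen=${#regex}
      fi
    fi
  done <<EOF
$1
EOF
  [ -n "$best" ] || { echo "no-match"; return 1; }
  printf '%s\n' "$best" | cut -d: -f3
}

# With the typo the token only falls under the generic var_lib_t rule;
# with the corrected rule it gets docker_var_lib_t as the policy intended.
echo "buggy: $(fcontext_type "$BUGGY_TABLE" "$SECRET")"
echo "fixed: $(fcontext_type "$FIXED_TABLE" "$SECRET")"
```

Running restorecon against the buggy table would relabel the token path to var_lib_t, which is what makes the container's read fail; only the corrected rule (or the manual chcon from the other answer, until the next relabel) gives it a container-readable type.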
Reputation: 15788
You probably need to run the following command to set the SELinux context correctly in the volumes directory. I have an open issue to make this happen automatically in the future:
sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet
Hope that helps.
Upvotes: 4