drifter

Reputation: 557

Kubernetes Pod permission denied on local volume

I have created a pod on Kubernetes and mounted a local volume, but when I try to execute the ls command on the locally mounted volume, I get a permission denied error. If I disable SELinux then everything works fine. I am unable to work out how to make it work with SELinux enabled.

Following is the output showing the permission denied error:

kubectl apply -f testpod.yaml
root@olcne-operator-ol8 opc]# kubectl get all
NAME            READY   STATUS    RESTARTS   AGE
pod/testpod     1/1     Running   0          5s
# kubectl exec -i -t testpod /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@testpod /]# cd /u01
[root@testpod u01]# ls
ls: cannot open directory '.': Permission denied
[root@testpod u01]#

Following is the testpod.yaml

cat testpod.yaml
kind: Pod
apiVersion: v1
metadata:
  name: testpod
  labels:
    name: testpod
spec:
  hostname: testpod
  restartPolicy: Never
  volumes:
    - name: swvol
      hostPath:
        path: /u01
  containers:
    - name: testpod
      image: oraclelinux:8
      imagePullPolicy: Always
      securityContext:
       privileged: false
      command: [/usr/sbin/init]
      volumeMounts:
      - mountPath: "/u01"
        name: swvol

SELinux configuration on the worker node:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

---
# semanage fcontext -l  | grep kub | grep container_file
/var/lib/kubelet/pods(/.*)?                        all files          system_u:object_r:container_file_t:s0
/var/lib/kubernetes/pods(/.*)?                     all files          system_u:object_r:container_file_t:s0

Machine OS Details

 rpm -qa | grep kube
kubectl-1.20.6-2.el8.x86_64
kubernetes-cni-0.8.1-1.el8.x86_64
kubeadm-1.20.6-2.el8.x86_64
kubelet-1.20.6-2.el8.x86_64
kubernetes-cni-plugins-0.9.1-1.el8.x86_64

----
cat /etc/oracle-release
Oracle Linux Server release 8.4

---
uname -r
5.4.17-2102.203.6.el8uek.x86_64

Upvotes: 1

Views: 4118

Answers (1)

Andrew Skorkin

Reputation: 1376

This is a community wiki answer posted for better visibility. Feel free to expand it.

SELinux labels can be assigned with seLinuxOptions:

kind: Pod
apiVersion: v1
metadata:
  name: testpod
  labels:
    name: testpod
spec:
  hostname: testpod
  restartPolicy: Never
  volumes:
    - name: swvol
      hostPath:
        path: /u01
  containers:
    - name: testpod
      image: oraclelinux:8
      imagePullPolicy: Always
      command: [/usr/sbin/init]
      volumeMounts:
      - mountPath: "/u01"
        name: swvol
  # pod-level securityContext: the MCS level applies to all containers and to volumes that support relabeling
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"

From the official documentation:

seLinuxOptions: Volumes that support SELinux labeling are relabeled to be accessible by the label specified under seLinuxOptions. Usually you only need to set the level section. This sets the Multi-Category Security (MCS) label given to all Containers in the Pod as well as the Volumes.

Based on the information from the original post on stackoverflow:

You can only specify the level portion of an SELinux label when relabeling a path destination pointed to by a hostPath volume. This is automatically done so by the seLinuxOptions.level attribute specified in your securityContext.

However, attributes such as seLinuxOptions.type currently have no effect on volume relabeling. As of this writing, this is still an open issue within Kubernetes.

Upvotes: 1
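The two SELinux situations this thread covers (a hostPath directory that is not labelled container_file_t at all, and one that is but carries MCS categories different from the pod's) both show up as AVC denials in the node's audit log. The script below is an added example, not code from the question or the answer: it parses a constructed AVC line of the kind `ausearch -m avc -ts recent` prints on the worker node, classifies the denial, and prints the matching remediation. The AVC line, the pid/inode values and the category pair are made up; the path /u01 comes from the question; the semanage/restorecon commands in remediation (a) are the standard SELinux labelling steps and mirror the container_file_t rules the poster's `semanage fcontext -l` output shows for the kubelet directories, while (b) is the seLinuxOptions.level setting from the answer.

```shell
#!/bin/sh
# Added example (not part of the original thread). Diagnose an SELinux AVC
# denial against a Kubernetes hostPath volume and print the remediation.

# Constructed sample: a process in the container domain (container_t, with
# categories c123,c456) trying to read a directory whose type is default_t,
# i.e. the host path was never labelled for container access.
SAMPLE_AVC='type=AVC msg=audit(1620000000.123:456): avc:  denied  { read } for  pid=12345 comm="ls" name="u01" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'

# Pull the scontext= or tcontext= value out of an AVC line ($1 = line, $2 = field name).
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# Third component of user:role:type:level is the SELinux type.
selinux_type() {
  printf '%s' "$1" | cut -d: -f3
}

# Everything from the fourth component on is the MLS/MCS level (e.g. s0:c123,c456).
selinux_level() {
  printf '%s' "$1" | cut -d: -f4-
}

# Classify a denial:
#   hostpath-unlabelled:<type>  target type is not container_file_t
#   mcs-mismatch:<lvl>/<lvl>    target is container_file_t but its categories differ
#   other:<stype>-><ttype>      anything else (not the case this thread is about)
diagnose_avc() {
  sctx=$(avc_field "$1" scontext)
  tctx=$(avc_field "$1" tcontext)
  stype=$(selinux_type "$sctx")
  ttype=$(selinux_type "$tctx")
  slvl=$(selinux_level "$sctx")
  tlvl=$(selinux_level "$tctx")
  if [ "$stype" != "container_t" ]; then
    echo "other:$stype->$ttype"
  elif [ "$ttype" != "container_file_t" ]; then
    echo "hostpath-unlabelled:$ttype"
  elif [ "$tlvl" != "s0" ] && [ "$tlvl" != "$slvl" ]; then
    # A plain s0 file is readable by any s0:cX,cY process; a file carrying
    # categories is only readable by a process holding the same categories.
    echo "mcs-mismatch:$slvl/$tlvl"
  else
    echo "other:$stype->$ttype"
  fi
}

# Print (do not run) the fix for the host path given in $1.
remediation() {
  cat <<EOF
# (a) on the worker node: give the host path a persistent container_file_t label
semanage fcontext -a -t container_file_t "$1(/.*)?"
restorecon -Rv "$1"
# (b) or in the pod spec: set the pod's MCS level so kubelet relabels the volume
#   spec.securityContext.seLinuxOptions.level: "s0:c123,c456"
EOF
}

verdict=$(diagnose_avc "$SAMPLE_AVC")
echo "diagnosis: $verdict"
case "$verdict" in
  hostpath-unlabelled:*|mcs-mismatch:*) remediation /u01 ;;
esac
```

Run it with any AVC line from `ausearch -m avc` in place of SAMPLE_AVC. Option (a) is the one to prefer for a directory that several pods share, because option (b) makes kubelet relabel the whole tree to the pod's categories, which locks out any other pod that does not carry the same level.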
