-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube generate: privileged: false
is not correct
#11916
Comments
@dilyanpalauzov what new options are you looking for? The I tested it out, by setting the
|
In my particular case, I use rootless podman, which bind-mounts a directory (with selinux label?):
metadata:
annotations:
bind-mount-options:/home/d/data: Z
spec:
…
volumes:
- hostPath:
path: /home/d/data
type: Directory
name: home-d-data-host-0 however kubernetes does not handle this annotation in any special way, so it is ignored, when resolving the hostPath. Without the Z label, the hostPath volume/mount does not work. In turn inserting the yaml file in Kubernetes, when kubernetes mounts the volume, the pod sees “permission denied”. I do not know how to solve this, since I do not understand selinux and volumes very well. If the mount:Z/relabel=private relabelling are a matter of selinux labels, then insert that selinux (or seccomp) property in spec.container.securityContext. All in all, the output of To be precise, when trying to inject a yaml file with annotations:
bind-mount-options:/home/d/data: Z in kubectl-1.22.2 apply -f, the answer is: The Pod "ldap" is invalid: metadata.annotations: Invalid value: "bind-mount-options:/home/d/data": a qualified name must consist of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') |
Kubernetes does not do any relabeling with SELinux now. There have been proposals but nothing has been accepted. We could potentially add functionality to CRI-O to make this happen and have it understand the annotation, but it is not likely that this would be accepted upstream. @mrunalp @haircommander @saschagrunert what do you think about adding this support to CRI-O. |
@dilyanpalauzov to make this work in kubernetes, you could simple |
I think that the overall direction of Kubernetes is to allow to run kubelet in userspace and the SELinux relabelling of directories/hostPath-volumes is a milestone in the rootless journey. Another part in writing down how cri-o shall be setup in rootless mode - cri-o/cri-o#5399. |
this is not quite right: many volume plugins do relabel selinux, but hostPath does not. The proposals are in attempt to not relabel in some cases for those that do, as it can take a long time if the volume is sufficiently large. as far as the annotation, I am open to it. I think we'll need to talk about the structure of it--I don't know if an annotation can contain a
frankly, I see this as the most idiomatic option. SELinux relabeling can take a long time, and it is more efficient to just do it the once and then every pod can have acccess to it, rather than relabel for each pod (which would happen if we added an annotation workaround)
I don't know of any effort to relabel hostPath directories, though I may be wrong. |
The issue I have with the labeling we have now is that it is always shared, which means that all Pods can attack each other. I would like to have CRI-O understand that it could do Private labeling also. I am fine with the labeling for annotations to only use the top level labeling support. IE If directory is currently labeled correctly then do nothing. |
@dilyanpalauzov SELinux has nothing to do with rootless versus rootfull. It is needed in either situation. I actually am not a big proponant of rootless kubernetes. I am a big fan of running all workloads either as non root or within a separate usernamespace where real root is not mapped. |
I am under the impression CRI-O always label privately (though we'll add additional contexts as they're requested) |
My reading is, that in order to use the output of I propose:
--mount=type=bind does accept "relabel=private". Likewise -v appepts Z- private unshared, or z - shared. What does the above citation mean? |
A friendly reminder that this issue had no activity for 30 days. |
@umohnani8 PTAL |
@rhatdan got it, will update my PR to relabel instead of forcing privileged |
@rhatdan we can check for rootless and selinux and add the annotation, but when the yaml is used in a k8s cluster, k8s won't recognize it and will still cause the error mentioned in this issue. So might be best to just add a note to let the user know to make the pod privileged or to relabel the volume with chcon. We can generate the annotation so that it is used with play kube, but doesn't look like podman has an issue with the volume here. WDYT? |
It sounds fine with me. But it could get a little wordy. |
I run podman in rooltess mode and kubernetes in rootful mode. To start podman I use the instructions at https://mail.aegee.org/cgit/aegee-ldap/tree/readme.md#n13 . Then I call
podman generate kube
. The output contains:When I give /home/, /home/d and /home/d/data mode 777, and insert this into kubernetes, it does not work, since the privileges to access the volume are not sufficient. I have to change
privileged: false
toprivileged: true
.Perhaps
podman generate kube
shall accept more command line opitons to know how to emit yaml.The text was updated successfully, but these errors were encountered: