Bug; Resolution: Unresolved; Major; Important; 4.16; Customer Escalated
Description of problem:
When systemd is used as the entrypoint of a container and the spc_t SELinux relabeling workaround is applied, systemd somehow prevents the ConfigMap subPath mount from working correctly, leaving the mounted file with broken permissions:
% kubectl exec -it deployments/test -- ls -hlanZ /test
ls: cannot access '/test/config-abcdefg.txt': Permission denied
total 0
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
-?????????? ? ? ? ? ? ? config-abcdefg.txt
Version-Release number of selected component (if applicable):
OCP 4.16.45
How reproducible:
Apply the manifest below (change the SELinux level to match the namespace):

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tim-test-scc-bind
  namespace: tim-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
  name: default
  namespace: tim-test
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-config
  namespace: tim-test
data:
  config.txt: |
    Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: tim-test
  labels:
    app: test
spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      name: test
      labels:
        app: test
    spec:
      enableServiceLinks: false
      securityContext:
        fsGroup: 0
        fsGroupChangePolicy: "OnRootMismatch"
        runAsUser: 0
        runAsGroup: 0
        seLinuxOptions:
          type: "spc_t"
          level: s0:c27,c14
      automountServiceAccountToken: false
      containers:
      - name: test
        securityContext:
          capabilities:
            drop:
            - ALL
        tty: true
        imagePullPolicy: IfNotPresent
        # image: docker.io/redhat/ubi8:8.10
        image: docker.io/redhat/ubi9
        command: [/lib/systemd/systemd]
        volumeMounts:
        - mountPath: /test/config-abcdefg.txt
          name: config
          subPath: config.txt
        env:
        - name: SYSTEMD_LOG_TARGET
          value: console
        - name: SYSTEMD_LOG_LEVEL
          value: debug
      volumes:
      - name: config
        configMap:
          name: test-config
Steps to Reproduce:
1. Modify seLinuxOptions.level and the namespace in the manifest to match the destination namespace's MCS level and the destination namespace name.
2. kubectl exec -it deployments/test -- ls -hlanZ /test
Actual results:
% kubectl exec -it deployments/test -- ls -hlanZ /test
ls: cannot access '/test/config-abcdefg.txt': Permission denied
total 0
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
-?????????? ? ? ? ? ? ? config-abcdefg.txt
Expected results:
% kubectl exec -it deployments/test -- ls -hlanZ /test
total 4.0K
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:35 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:35 ..
-rw-r--r--. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 575 Dec 10 04:35 config-abcdefg.txt
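A check for this failure mode, added here as an example and not part of the bug report or of OpenShift: it parses `ls -hlanZ` output such as the listings above, flags entries whose stat failed (the all-`?` row that `ls` prints when it gets Permission denied) and entries whose SELinux MCS level differs from the pod's seLinuxOptions.level. Category order is normalised, because the manifest writes `s0:c27,c14` while the kernel prints the same level as `s0:c14,c27`, and a naive string compare would report a false mismatch. The two sample listings are constructed from the actual and expected output quoted above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): verify a ConfigMap mount inside a pod
# by checking the output of: kubectl exec <pod> -- ls -hlanZ <mountdir>

# Sample listings, constructed from the output quoted in the report.
SAMPLE_ACTUAL=$(cat <<'EOF'
ls: cannot access '/test/config-abcdefg.txt': Permission denied
total 0
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
-?????????? ? ? ? ? ? ? config-abcdefg.txt
EOF
)

SAMPLE_EXPECTED=$(cat <<'EOF'
total 4.0K
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:35 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:35 ..
-rw-r--r--. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 575 Dec 10 04:35 config-abcdefg.txt
EOF
)

# Canonicalise an MLS/MCS level: "s0:c27,c14" -> "s0:c14,c27" (categories are a set).
normalize_level() {
    sens=${1%%:*}
    cats=${1#*:}
    # No ':' means no categories, e.g. plain "s0".
    if [ "$cats" = "$1" ]; then
        printf '%s\n' "$sens"
        return 0
    fi
    sorted=$(printf '%s\n' "$cats" | tr ',' '\n' | sed 's/^c//' | sort -n \
             | sed 's/^/c/' | tr '\n' ',' | sed 's/,$//')
    printf '%s:%s\n' "$sens" "$sorted"
}

# Print the name of every entry whose mode column is all '?', i.e. stat() failed.
# Takes the listing text as its single argument.
unstattable_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^-?[?]+$/ { print $NF }'
}

# Print the name of every stat-able entry whose SELinux level (the part of the
# label after user:role:type) differs from the expected level.
# Args: <expected-level> <listing-text>
label_mismatches() {
    expected=$(normalize_level "$1")
    # In `ls -lZ` output the label is column 5; skip "total" and error lines.
    printf '%s\n' "$2" | awk '$1 !~ /[?]/ && NF >= 5 && $5 ~ /:/ { print $5, $NF }' |
    while read -r label name; do
        level=$(printf '%s\n' "$label" | cut -d: -f4-)
        [ "$(normalize_level "$level")" = "$expected" ] || printf '%s\n' "$name"
    done
}

# Report both problems; exit status 0 only when the listing is clean.
# Args: <expected-level> <listing-text>
check_mount_listing() {
    bad=$(unstattable_entries "$2")
    mis=$(label_mismatches "$1" "$2")
    [ -n "$bad" ] && printf 'stat failed (Permission denied on the mount?): %s\n' "$bad"
    [ -n "$mis" ] && printf 'SELinux level differs from %s: %s\n' "$1" "$mis"
    [ -z "$bad" ] && [ -z "$mis" ]
}

# Typical use against a live pod (commented out so the file runs offline):
# check_mount_listing 's0:c27,c14' "$(kubectl exec deployments/test -- ls -hlanZ /test 2>&1)"
```

Run against a live pod, the last commented line feeds the real listing in; a non-zero exit with the "stat failed" message is exactly the symptom this report describes, while a "SELinux level differs" message points at a label mismatch rather than at the mount itself.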
Additional info:
Is cloned by: OCPBUGS-69402 [release-4.22] systemd as container init with spc_t breaks configmap mount permissions (Closed)