OpenShift Bugs: OCPBUGS-69669

[release-4.21] systemd as container init with spc_t breaks configmap mount permissions


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 4.21.0
    • Node / CRI-O
    • Important
    • Rejected
    • Done
    • Bug Fix
    • Respect user specified selinux label for systemd or init container.

      This is a clone of issue OCPBUGS-69402. The following is the description of the original issue:

      Description of problem:

      When using systemd as the entrypoint in a container and applying the spc_t SELinux relabeling workaround, systemd somehow prevents the config map mount from working correctly, resulting in broken file permissions:
      
      % kubectl exec -it deployments/test -- ls -hlanZ /test            
      ls: cannot access '/test/config-abcdefg.txt': Permission denied
      total 0
      drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
      dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
      -?????????? ? ? ? ?                                              ?            ? config-abcdefg.txt
      
          

      Version-Release number of selected component (if applicable):

      OCP 4.16.45

      How reproducible:

      Apply the below manifest (change selinux level to match namespace)
      
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: tim-test-scc-bind
        namespace: tim-test
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: system:openshift:scc:privileged
      subjects:
      - kind: ServiceAccount
        name: default
        namespace: tim-test
      ---
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: test-config
        namespace: tim-test
      data:
        config.txt: |
          Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
      
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: test
        namespace: tim-test
        labels:
          app: test
      spec:
        strategy:
          type: Recreate
        replicas: 1
        selector:
          matchLabels:
            app: test
        template:
          metadata:
            name: test
            labels:
              app: test
          spec:  
            enableServiceLinks: false
            securityContext:
              fsGroup: 0
              fsGroupChangePolicy: "OnRootMismatch"
              runAsUser: 0
              runAsGroup: 0
              seLinuxOptions:
                type: "spc_t"
                level: s0:c27,c14
            automountServiceAccountToken: false
            containers:
              - name: test  
                securityContext:
                  capabilities:
                    drop:
                    - ALL
                tty: true
                imagePullPolicy: IfNotPresent
                # image: docker.io/redhat/ubi8:8.10
                image: docker.io/redhat/ubi9
                command: [/lib/systemd/systemd]
                volumeMounts:
                  - mountPath: /test/config-abcdefg.txt
                    name: config
                    subPath: config.txt
                env:
                - name: SYSTEMD_LOG_TARGET
                  value: console
                - name: SYSTEMD_LOG_LEVEL
                  value: debug
            volumes:
            - name: config
              configMap:
                name: test-config
      
      

      Steps to Reproduce:

          1. Modify selinux.level and the namespace fields to match the destination namespace's MCS level and name.
          2. kubectl exec -it deployments/test -- ls -hlanZ /test
          

      Actual results:

      kubectl exec -it deployments/test -- ls -hlanZ /test            
      ls: cannot access '/test/config-abcdefg.txt': Permission denied
      total 0
      drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
      dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
      -?????????? ? ? ? ?                                              ?            ? config-abcdefg.txt

      Expected results:

      kubectl exec -it deployments/test -- ls -hlanZ /test
      total 4.0K
      drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27  32 Dec 10 04:35 .
      dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27  51 Dec 10 04:35 ..
      -rw-r--r--. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 575 Dec 10 04:35 config-abcdefg.txt
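      The two listings above differ in one row: in the failing case `ls` could not stat() the subPath-mounted file at all and prints `?` for every field. The following is an added triage helper, not code from the bug report or from CRI-O, that parses `ls -hlanZ` output in exactly the format shown, separates entries that could not be read from entries whose SELinux label does not carry the pod's MCS categories, and compares levels as category sets (the manifest says `s0:c27,c14` while `ls` prints `s0:c14,c27`; a string comparison would wrongly flag that as a mismatch). The sample listings are copied from the Actual/Expected results sections and `POD_LEVEL` is the level from the reproduction manifest; the function and variable names are this example's own.

```python
"""Triage helper for the mount-permission failure described in this bug.

Parses `ls -hlanZ` output captured inside a pod, flags rows whose metadata
could not be read (the `-?????????? ? ? ?` rows), and checks that every
readable entry carries the MCS categories the pod requested.
"""
import re

# Constructed samples copied from the report's "Actual results" and
# "Expected results" sections (not captured live for this example).
ACTUAL_LISTING = """\
ls: cannot access '/test/config-abcdefg.txt': Permission denied
total 0
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27 32 Dec 10 04:29 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 51 Dec 10 04:29 ..
-?????????? ? ? ? ?                                              ?            ? config-abcdefg.txt
"""

EXPECTED_LISTING = """\
total 4.0K
drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0:c14,c27  32 Dec 10 04:35 .
dr-xr-xr-x. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27  51 Dec 10 04:35 ..
-rw-r--r--. 1 0 0 system_u:object_r:container_file_t:s0:c14,c27 575 Dec 10 04:35 config-abcdefg.txt
"""

# seLinuxOptions.level from the reproduction manifest. The category order
# differs from what ls prints (c14,c27): MCS categories are a set, so the
# comparison below normalises them instead of comparing strings.
POD_LEVEL = "s0:c27,c14"

_CANNOT_ACCESS = re.compile(r"^ls: cannot access '(?P<path>[^']+)': (?P<reason>.+)$")


def parse_level(level):
    """Split an MCS level such as 's0:c27,c14' or 's0:c0.c3' into
    (sensitivity, frozenset of categories). Ranges 'cA.cB' are expanded."""
    sens, _, cats = level.partition(":")
    out = set()
    for tok in filter(None, cats.split(",")):
        if "." in tok:
            lo, hi = tok.split(".")
            out.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(tok)
    return sens, frozenset(out)


def level_of(context):
    """Return the level part of a full context 'user:role:type:level'."""
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else ""


def triage(listing, pod_level):
    """Classify each row of an `ls -lanZ` listing against the pod's level.

    Returns names that could not be stat()ed ('denied'), names whose label
    lacks the pod's categories ('mismatched'), names that match ('ok'), and
    any 'ls: cannot access' diagnostics ('errors')."""
    want = parse_level(pod_level)
    result = {"denied": [], "mismatched": [], "ok": [], "errors": []}
    for line in listing.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue
        m = _CANNOT_ACCESS.match(line)
        if m:
            result["errors"].append(f"{m['path']}: {m['reason']}")
            continue
        # mode links uid gid context size month day time name (name may contain spaces)
        fields = line.split(None, 9)
        mode, name = fields[0], fields[-1]
        if "?" in mode:
            # stat() failed: ls prints '?' for every field it could not read.
            result["denied"].append(name)
            continue
        if len(fields) < 10:
            continue  # not a long-format row we understand; skip rather than guess
        if parse_level(level_of(fields[4])) == want:
            result["ok"].append(name)
        else:
            result["mismatched"].append(name)
    return result


def mount_is_healthy(listing, pod_level):
    """True when nothing in the listing was denied, mislabelled, or errored."""
    r = triage(listing, pod_level)
    return not (r["denied"] or r["mismatched"] or r["errors"])


if __name__ == "__main__":
    for title, listing in (("actual", ACTUAL_LISTING), ("expected", EXPECTED_LISTING)):
        print(title, triage(listing, POD_LEVEL))
```

      Run against the failing listing it reports `config-abcdefg.txt` as denied together with the `Permission denied` diagnostic, and `.` and `..` as correctly labelled; against the expected listing every entry is `ok`. Feeding a different level (for example another namespace's categories) moves all three entries into `mismatched`, which is the check to run when a pod's `seLinuxOptions.level` was edited by hand as the reproduction step requires.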

      Additional info:

          

              Ayato Tokubi (rh-ee-atokubi)
              Tim Dawson (rhn-support-tidawson)
              Min Li