Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-3128

grant access to unprivileged containers to the kubelet podresources socket

    XMLWordPrintable

Details

    • Critical
    • sst_container_tools
    • 3
    • False
    • Hide

      None

      Show
      None
    • If docs needed, set a value

    Description

      Description of problem:
      containerized workloads running as container_t wants to connect to the kubelet podresources API through a unix domain socket sitting at `/var/lib/kubelet/pod-resources/kubelet.sock`

      Both `/var/lib/kubelet/pod-resources/kubelet.sock` and `/var/lib/kubelet/pod-resources/kubelet.sock` are currently labeled as `container_var_lib_t`.

      They should probably treated as device plugins

      This is specially important to enable the numa-aware scheduler (

      Version-Release number of selected component (if applicable):
      selinux-policy-38.1.8-1.el9.noarch
      selinux-policy-targeted-38.1.8-1.el9.noarch
      container-selinux-2.199.0-1.el9.noarch

      How reproducible:
      100%

      Steps to Reproduce:
      1. run unprivileged container, mount the kubelet podresources socket (see attached example yaml)
      2. try to access to the podresources socket. Example test client available at https://github.com/k8stopologyawareschedwg/podresourcesapi-tools/releases/tag/v0.0.1 - `podrescli --podresources-socket unix:///host-podresources-socket/kubelet.sock`
      3.

      Actual results:
      avc denials:
      ```
      type=AVC msg=audit(1679405027.674:79402): avc: denied

      { write } for pid=2236325 comm="podrescli" name="kubelet.sock" dev="sdb4" ino=144703618 scontext=system_u:system_r:container_t:s0:c25,c26 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=sock_file permissive=0
      type=AVC msg=audit(1679405031.376:79403): avc: denied { write }

      for pid=2236496 comm="podrescli" name="kubelet.sock" dev="sdb4" ino=144703618 scontext=system_u:system_r:container_t:s0:c25,c26 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=sock_file permissive=0
      type=AVC msg=audit(1679405032.046:79404): avc: denied

      { write }

      for pid=2236590 comm="podrescli" name="kubelet.sock" dev="sdb4" ino=144703618 scontext=system_u:system_r:container_t:s0:c25,c26 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=sock_file permissive=0
      ```

      Expected results:
      access should be granted

      Additional info:
      at the moment we are using a custom policy. We can keep using this a stopgap fix. The policy is also broken with the above package

      policy: https://github.com/k8stopologyawareschedwg/deployer/blob/main/pkg/assets/rte/selinuxpolicy-ocp411.cil
      denials:
      ```
      type=AVC msg=audit(1679044968.338:5383): avc: denied

      { connectto }

      for pid=10664 comm="resource-topolo" path="/var/lib/kubelet/pod-resources/kubelet.sock" scontext=system_u:system_r:rte.process:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
      ```
      In that (different nightly though) system the label was
      ```
      srwxr-xr-x. 1 root root system_u:object_r:container_var_lib_t:s0 0 Mar 15 22:02 /var/lib/kubelet/pod-resources/kubelet.sock
      ```

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-20022 SELinux: kubelet running with wrong label

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22270 SELinux: kubelet running with wrong label [4.14.z]

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22273 SELinux: kubelet running with wrong label [4.12.z]

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-20022 SELinux: kubelet running with wrong label

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          external trackers

          Web Link Red Hat Issue Tracker RHELPLAN-152667

          links to

          GitHub openshift/machine-config-operator#4120: [release-4.13] OCPBUGS-27172,OCPBUGS-22272: kubelet: fix kubelet labels

          Activity

            People

              rhatdan Daniel Walsh (Inactive)
              fromani@redhat.com Francesco Romani
              Container QE Container QE Container QE Container QE
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: