[atomic-devel] kubernetes pod can't access secret volume due to avc
- From: Tobias Florek <atomic ibotty net>
- To: atomic-devel projectatomic io
- Subject: [atomic-devel] kubernetes pod can't access secret volume due to avc
- Date: Fri, 17 Jul 2015 09:50:50 +0200
Hi,

using the following Atomic Host version, I can't access secret volumes from within pods because SELinux denies it (AVC below). Is there some setup step that I am missing?
os-version (atomic host status):

    2015-07-15 23:33:20 22.61 db540a53ba fedora-atomic

i.e.

    kubernetes-0.20.0-0.3.git835eded.fc22.x86_64
    docker-1.7.0-6.git74e7a7a.fc22.x86_64
    selinux-policy-3.13.1-128.4.fc22.noarch
The AVC (a little redacted) looks like this:

    type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for
    pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330
    scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544
    tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
audit2allow recommends (but warns not to):

    #============= svirt_lxc_net_t ==============
    #!!!! WARNING: 'var_lib_t' is a base type.
    allow svirt_lxc_net_t var_lib_t:file read;
See the following example to replicate the behavior.

Sample replication controller:

    apiVersion: v1
    kind: ReplicationController
    metadata:
      labels:
        name: test
      name: test
    spec:
      replicas: 1
      selector:
        name: test
      template:
        metadata:
          labels:
            name: test
        spec:
          containers:
          - args:
            - /bin/bash
            - "-c"
            - "whoami; ls -hlR /config; getfacl /config; getfacl /config/key; cat /config/key"
            image: fedora
            name: test
            volumeMounts:
            - mountPath: /config
              name: config
              readOnly: true
          volumes:
          - name: config
            secret:
              secretName: test
and the following secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: test
    type: Opaque
    data:
      key: dmFsdWUtMg0K
Cheers,
Tobias Florek
PS: Unfortunately I will be gone for 10 days and will not be able to answer before then.
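An added example, not part of Tobias's post: a small Python triage helper that parses an AVC record like the one above into its fields and separates "the target object carries a generic base type" (a labelling problem, which is what audit2allow's warning is hinting at) from "the domain genuinely lacks a rule". The BASE_TYPES set and the sample record are assumptions of this example, seeded from the post.

```python
import re

# Copy of the (redacted) AVC record from the post, used as constructed sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for '
    'pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

# Generic file types that audit2allow flags as "base types" (assumed, partial list).
# An allow rule for one of these grants a container domain far more than one file.
BASE_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "default_t"}

_PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict of its key=value fields."""
    m = _PERM_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    # Everything after the permission set is key=value pairs (quoted or bare).
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    # SELinux contexts are user:role:type:range; the type is what policy acts on.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    return rec


def triage(rec):
    """Classify a denial as a labelling problem on the target or a policy gap."""
    if rec["decision"] != "denied":
        return "not-a-denial"
    if rec["tcontext_type"] in BASE_TYPES:
        # The object (here a file on the secret's tmpfs) carries a generic base
        # type, so the domain was never meant to read it under that label; the
        # fix belongs on the object's label, not in a new allow rule.
        return "relabel-target"
    return "policy-gap"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["scontext_type"], "->", rec["tcontext_type"], rec["tclass"],
          rec["perms"], "on", rec["dev"], ":", triage(rec))
```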