I know this question has been asked many times, but always about Docker; this time it is CRI-O.
CentOS Linux release 7.6
CRI-O Version: 1.16.1
Kubernetes: v1.16.3
KubeAdm: v1.16.3
CoreDNS pods are in Error/CrashLoopBackOff state, and audit.log shows that SELinux prevents CoreDNS from reading from /var/lib/kubelet/container_id/volumes/
type=AVC msg=audit(1576203392.727:1431): avc: denied { read } for pid=15866 comm="coredns" name="Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203392.727:1431): avc: denied { open } for pid=15866 comm="coredns" path="/etc/coredns/..2019_12_13_02_13_30.965446608/Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203393.049:1432): avc: denied { open } for pid=15866 comm="coredns" path="/var/run/secrets/kubernetes.io/serviceaccount/..2019_12_13_02_13_30.605147375/token" dev="tmpfs" ino=124481 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
If I use Docker newer than 1.7, it works fine; I assume this may be related to the patch for mounting volumes with the z/Z option.
I can add a policy like the one below, but it will compromise security.
module coredns 0.1;
require {
  type tmpfs_t;       # label of the kubelet serviceaccount token tmpfs (third AVC above)
  type container_t;   # domain the CoreDNS container process runs in
  type var_lib_t;     # label of the volume files under /var/lib/kubelet on the host
  class file { open read };
}
# lets every container_t process open any tmpfs_t file, not just this pod's token
allow container_t tmpfs_t:file open;
# lets every container_t process read any var_lib_t file, not just the Corefile
allow container_t var_lib_t:file { open read };
Does any better solution exist? Something like Docker: a little effort and no compromise of security.
On the host, do the following:
chcon -R -t container_file_t /var/lib/kubelet/container_id/volumes
This will change the label on the host volumes so that they are accessible to the container's SELinux label.
I do not know of a good way to handle the passing in of secrets. But adding the
allow container_t tmpfs_t:file open;
would probably be best.
In OpenShift these are all handled automatically, I believe, although I don't work at that level of the stack.
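Before choosing between the relabel in the answer and the module in the question, it helps to see exactly what the AVC lines translate to. The script below is an added example (not code from the question, the answer, CRI-O or Kubernetes): it parses AVC denials the way audit2allow does and emits the minimal .te module they imply, so you can read what a blanket allow rule would grant. The three sample lines are the ones quoted in the question, embedded so the script runs offline; the module name is an arbitrary choice.

```shell
#!/bin/sh
# Added example: derive an SELinux policy module from AVC denials.
# Sample input: the three AVC lines from the question, embedded as a constant so
# this runs offline. On a real host use: ausearch -m AVC -ts recent | avc_to_module coredns
SAMPLE_AVC='type=AVC msg=audit(1576203392.727:1431): avc: denied { read } for pid=15866 comm="coredns" name="Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203392.727:1431): avc: denied { open } for pid=15866 comm="coredns" path="/etc/coredns/..2019_12_13_02_13_30.965446608/Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203393.049:1432): avc: denied { open } for pid=15866 comm="coredns" path="/var/run/secrets/kubernetes.io/serviceaccount/..2019_12_13_02_13_30.605147375/token" dev="tmpfs" ino=124481 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1'

# avc_tuples: read AVC lines on stdin, print "source_type target_type class perm..."
# for each denial. The type is the third colon-separated field of a context
# (user:role:type:level), so "system_u:object_r:var_lib_t:s0" yields var_lib_t.
avc_tuples() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      print s[3], t[3], cls, perms
    }'
}

# avc_to_allow: merge tuples into one "allow src tgt:class { perms };" rule per
# (source, target, class), in sorted order. Note that the rule is keyed on the
# *type*, so it covers every file of that type on the host, not only this pod's.
avc_to_allow() {
  avc_tuples | awk '
    {
      key = $1 " " $2 ":" $3
      for (i = 4; i <= NF; i++) if (!seen[key, $i]++) rules[key] = rules[key] " " $i
    }
    END { for (k in rules) printf "allow %s {%s };\n", k, rules[k] }' | sort
}

# avc_to_module: wrap the rules in a loadable .te module with the require block
# that checkmodule needs. $1 is the module name (assumed; any unique name works).
avc_to_module() {
  name=${1:-coredns_avc}
  avc_tuples | awk -v name="$name" '
    {
      key = $1 " " $2 ":" $3
      types[$1] = 1; types[$2] = 1
      for (i = 4; i <= NF; i++) {
        if (!seen[key, $i]++) rules[key] = rules[key] " " $i
        if (!cseen[$3, $i]++) cperms[$3] = cperms[$3] " " $i
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types)  printf "\ttype %s;\n", t
      for (c in cperms) printf "\tclass %s {%s };\n", c, cperms[c]
      printf "}\n\n"
      for (k in rules)  printf "allow %s {%s };\n", k, rules[k]
    }'
}

# Stand-alone run: print the module the sample denials imply. To build and load
# it on a host (not run here):
#   checkmodule -M -m -o coredns.mod coredns.te
#   semodule_package -o coredns.pp -m coredns.mod
#   semodule -i coredns.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_module coredns
```

The generated rules are the same two lines as in the question, which makes the trade-off concrete: `allow container_t var_lib_t:file { read open }` opens every var_lib_t file on the node to every container, whereas the answer's `chcon -R -t container_file_t` changes only the label of the volume directory, which is the type container_t is already allowed to use. One caveat on the chcon route: a label set with chcon is lost on the next relabel (restorecon or a full relabel), so on a long-lived node register it with `semanage fcontext -a -t container_file_t '<host volume path>(/.*)?'` followed by `restorecon -R` on that path.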