I know this question is asked many times, but all about docker, this time is crio.
CentOS Linux release 7.6
CRI-O Version: 1.16.1
Kubernetes: v1.16.3
KubeAdm: v1.16.3
CoreDNS pods are in Error/CrashLoopBackOff state, and audit.log shows selinux prevents CoreDNS to read from /var/lib/kubelet/container_id/volumes/
type=AVC msg=audit(1576203392.727:1431): avc: denied { read } for pid=15866 comm="coredns" name="Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203392.727:1431): avc: denied { open } for pid=15866 comm="coredns" path="/etc/coredns/..2019_12_13_02_13_30.965446608/Corefile" dev="dm-0" ino=35369330 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1576203393.049:1432): avc: denied { open } for pid=15866 comm="coredns" path="/var/run/secrets/kubernetes.io/serviceaccount/..2019_12_13_02_13_30.605147375/token" dev="tmpfs" ino=124481 scontext=system_u:system_r:container_t:s0:c307,c586 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
if I use docker newer than 1.7, it works fine, I assume this may related with the patch of mounting volume with z/Z option.
I can add policy like underneath, but it will compromise security.
module coredns 0.1;
require {
type tmpfs_t;
type container_t;
type var_lib_t;
class file { open read };
}
allow container_t tmpfs_t:file open;
allow container_t var_lib_t:file { open read };
any better solution exists? just like docker, with a little efforts and don’t compromise security.
3
Answers
I did it by the command underneath.
On the host do the following
chcon -R -t container_file_t
/var/lib/kubelet/container_id/volumes
This will change the label on the host volumes to be accessible by the containers SELinux label.
I do not know of a good way to handle the passing in of secrets. But adding the
allow container_t tmpfs_t:file open;
Would be probably best.
In OpenShift these are all handled Automatically, I believe. Although I don’t work at that level of the stack.
I’ve looked into it and it seems that the problem lays in kubelet version. Let me elaborate on that:
SELinux Volumes not relabeled in 1.16 – this link is providing more details about the issue.
I tried to reproduce this coredns issue on different versions of Kubernetes.
Issue shows on version 1.16 and newer. It seems to work properly with SELinux enabled on the version 1.15.6
For this to work you will need working CentOS and CRI-O environment.
CRI-O version:
To deploy this insfrastructure I followed this site for the most part: KubeVirt
Kubernetes v1.15.7
Steps to reproduce:
$ setenforce 0
$ sed -i s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config
$ reboot
$ sestatus
$ yum install INSERT_PACKAGES_BELOW
$ kubeadm init --pod-network-cidr=10.244.0.0/16
$ kubectl apply -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel.yml
Check if coredns pods are running correctly with command:
$ kubectl get pods -A
It should give similar output to that:
Coredns pods in kubernetes cluster with SELinux disabled are working properly.
Enable SELinux:
From root account invoke commands to enable SELinux and restart the machine:
$ setenforce 1
$ sed -i s/^SELINUX=.*$/SELINUX=enforcing/ /etc/selinux/config
$ reboot
Check if coredns pods are running correctly. They should not get crashloopbackoff error when running:
kubectl get pods -A
Kubernetes v1.16.4
Steps to reproduce:
$ kubeadm reset
if coming from another another version$ yum remove OLD_PACKAGES
$ setenforce 0
$ sed -i s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config
$ reboot
$ sestatus
$ yum install INSERT_PACKAGES_BELOW
$ kubeadm init --pod-network-cidr=10.244.0.0/16
$ kubectl apply -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel.yml
Check if coredns pods are running correctly with command:
$ kubectl get pods -A
It should give similar output to that:
Enable SELinux:
From root account invoke commands to enable SELinux and restart the machine:
$ setenforce 1
$ sed -i s/^SELINUX=.*$/SELINUX=enforcing/ /etc/selinux/config
$ reboot
After reboot coredns pods should enter crashloopbackoff state as shown below:
Logs from the pod
coredns-5644d7b6d9-fgbkl
show: