Kubernetes serviceAccounts and SELinux

2/11/2016

We are running Kubernetes with SELinux enabled. We would like to use serviceAccounts. When I disable SELinux, containers can read the secrets, as expected.

But when I enable SELinux, we cannot read the secrets inside the container. For example:

localhost$ kubectl exec -it my-pod bash
my-pod$ ls /var/run/secrets/kubernetes.io/serviceaccount/
token
my-pod$ cat /var/run/secrets/kubernetes.io/serviceaccount/token
Permission denied

What is the recommended way to use serviceAccounts with SELinux?

Thanks, Andrej

-- Andrej
kubernetes
selinux

2 Answers

2/11/2016

You probably need to run the following command to set the SELinux context correctly in the volumes directory. I have an open issue to make this happen automatically in the future:

sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet

Hope that helps.

-- Paul Morie
Source: StackOverflow

4/28/2016

There is an SELinux policy rule for it (in Fedora 23 at least), but unfortunately it has a typo.

semanage fcontext -l | grep /var/lib/kub
/var/lib/kublet(/.*)?                              all files          system_u:object_r:docker_var_lib_t:s0

Should be "kubelet". I opened a bug here.

-- Seth Jennings
Source: StackOverflow
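As an added check that is not part of either answer: a small POSIX shell function that tests a path against a captured `semanage fcontext -l` listing and reports which SELinux type the first matching rule would assign. The listing below is a constructed sample containing the mistyped rule quoted above plus one unrelated rule; on a real host you would feed it the live `semanage fcontext -l` output instead.

```shell
#!/bin/sh
# Constructed sample of `semanage fcontext -l` output (not captured from a
# live host). It reproduces the mistyped "kublet" rule from the answer above.
FCONTEXT_SAMPLE='/var/lib/kublet(/.*)?                              all files          system_u:object_r:docker_var_lib_t:s0
/var/lib/docker(/.*)?                              all files          system_u:object_r:docker_var_lib_t:s0'

# Print the SELinux type that the first fcontext rule matching $1 assigns,
# or NONE when no rule's regex matches the whole path. The regex column is
# an extended regex anchored at both ends, which is how restorecon applies it.
fcontext_type_for() {
    path=$1
    result=$(printf '%s\n' "$FCONTEXT_SAMPLE" | while IFS= read -r line; do
        pattern=${line%%[[:space:]]*}   # first column: the path regex
        ctx=${line##*[[:space:]]}       # last column: user:role:type:level
        if printf '%s\n' "$path" | grep -Eq "^${pattern}$"; then
            printf '%s\n' "$ctx" | cut -d: -f3   # the type field
            break
        fi
    done)
    printf '%s\n' "${result:-NONE}"
}

# Report whether the kubelet volume directory is covered by any rule.
# A result of NONE means a relabel (restorecon) would not give the secret
# volumes a container-readable type, which matches the symptom in the question.
check_kubelet_volumes() {
    volume_dir=${1:-/var/lib/kubelet/pods}
    type=$(fcontext_type_for "$volume_dir")
    if [ "$type" = "NONE" ]; then
        echo "$volume_dir: no fcontext rule matches (check for a typo such as kublet)"
        return 1
    fi
    echo "$volume_dir: labelled $type by policy"
    return 0
}

# Example run (the constructed sample has no rule covering /var/lib/kubelet):
check_kubelet_volumes /var/lib/kubelet/pods || true
```

Note that `chcon` changes are not recorded in policy and are lost on the next `restorecon`; a persistent fix is a matching `semanage fcontext -a -t <type> "/var/lib/kubelet(/.*)?"` rule followed by `restorecon -R /var/lib/kubelet`.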