Hi,

Long back Thomas filed an issue [0] about SELinux policy for Kubernetes storage volumes. I was looking into it and filed a bug [1] for the same; I was also able to get in touch with Daniel J Walsh and Paul. As per the given suggestions and some experiments I did, I am still not sure if it is a good idea to set the SELinux context directory-wide.

In an ideal situation the k8s service is supposed to relabel the SELinux context for each pod's mount point, and an external container (not part of the pod) should not access that volume, but that is not happening currently if we set the SELinux context directory-wide.

Any suggestions?

[0] https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1298568

--
Praveen Kumar
http://fedoraproject.org/wiki/User:Kumarpraveen
http://fedoraproject.org/
http://kumar-pravin.blogspot.com
