On 04/07/2016 03:17 PM, Praveen Kumar wrote:
> Hi,
> Long back Thomas filed an issue[0] about the SELinux policy for kubernetes
> storage volumes. I was looking into it and filed a bug[1] for the same,
> and was also able to get in touch with Daniel J Walsh and Paul. As per
> the given suggestions and some experiments I did, I am still not
> sure if it is a good idea to set the SELinux context directory-wide.
> My understanding is that these suggestions are workarounds, as the issue
> is not fixed in upstream K8s yet. I can see one PR is merged [1], but it
> seems it does not solve the issue.
> [1] https://github.com/kubernetes/kubernetes/pull/14192
> In an ideal situation the k8s service is supposed to relabel the SELinux context for
> each pod's mount point, and an external container (not part of the pod)
> should not be able to access that volume, but that is not happening currently if
> we set the SELinux context directory-wide.
> Any suggestions?
> [0] https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1298568
The issue is marked for the ADB/CDK 2.0 release, and it seems we need to
spend more time on it, which we don't have for 2.0. So I will suggest we
remove it from the 2.0 milestone.
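The thread turns on one check: whether each pod's volume mount point carries its own MCS categories (so only that pod's containers dominate the label) or a single directory-wide context that every container dominates. The script below is an added example, not code from the thread, from kubelet or from the Atomic project; it parses SELinux contexts of the form `user:role:type:sensitivity[:categories]` and applies the MCS read rule (the process's sensitivity must match and its category set must be a superset of the file's). All paths, pod names and contexts are constructed sample data, and the `svirt_sandbox_file_t` / `svirt_lxc_net_t` type names are assumed for illustration; type enforcement is not modelled here, only MCS.

```python
import re

# Constructed sample data, shaped like `ls -Z` (volumes) and `ps -Z` (containers)
# output. None of these paths, pods or contexts come from the original thread.
CONTAINERS = {
    # "pod/container": process context (assumed type name svirt_lxc_net_t)
    "pod-a/app":   "system_u:system_r:svirt_lxc_net_t:s0:c101,c202",
    "pod-b/app":   "system_u:system_r:svirt_lxc_net_t:s0:c303,c404",
    "other/tool":  "system_u:system_r:svirt_lxc_net_t:s0:c505,c606",
}

# Corrected setting: each pod's mount point relabelled with that pod's categories.
PER_POD_VOLUMES = {
    "/var/lib/kubelet/pods/pod-a/volumes/data": ("pod-a", "system_u:object_r:svirt_sandbox_file_t:s0:c101,c202"),
    "/var/lib/kubelet/pods/pod-b/volumes/data": ("pod-b", "system_u:object_r:svirt_sandbox_file_t:s0:c303,c404"),
}

# Weak setting: one directory-wide context with no categories at all.
DIR_WIDE_VOLUMES = {
    "/var/lib/kubelet/pods/pod-a/volumes/data": ("pod-a", "system_u:object_r:svirt_sandbox_file_t:s0"),
    "/var/lib/kubelet/pods/pod-b/volumes/data": ("pod-b", "system_u:object_r:svirt_sandbox_file_t:s0"),
}

CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>.+)$")


def parse_cats(cats):
    """Expand 'c101,c202' or a range like 'c1.c3' into a set of ints."""
    out = set()
    if not cats:
        return out
    for part in cats.split(","):
        if "." in part:                      # range form cN.cM
            lo, hi = part.split(".")
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(int(part[1:]))
    return out


def parse_context(ctx):
    """Return (type, sensitivity, frozenset(categories)) for a context string."""
    m = CTX_RE.match(ctx.strip())
    if not m:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    sens, _, cats = m.group("level").partition(":")
    return m.group("type"), sens, frozenset(parse_cats(cats))


def can_read(proc_ctx, file_ctx):
    """MCS dominance: same sensitivity and process categories >= file categories."""
    _, psens, pcats = parse_context(proc_ctx)
    _, fsens, fcats = parse_context(file_ctx)
    return psens == fsens and pcats >= fcats


def cross_pod_access(volumes, containers):
    """List (container, path) pairs where a container outside the owning pod
    dominates the volume label, i.e. MCS alone would not stop the read."""
    findings = []
    for path, (owner_pod, file_ctx) in volumes.items():
        for name, proc_ctx in containers.items():
            pod = name.split("/", 1)[0]
            if pod != owner_pod and can_read(proc_ctx, file_ctx):
                findings.append((name, path))
    return sorted(findings)


if __name__ == "__main__":
    for label, vols in (("per-pod labels", PER_POD_VOLUMES), ("directory-wide label", DIR_WIDE_VOLUMES)):
        hits = cross_pod_access(vols, CONTAINERS)
        print(f"{label}: {len(hits)} cross-pod readable volume(s)")
        for name, path in hits:
            print(f"  {name} can read {path}")
```

With per-pod categories the check reports nothing; with the directory-wide `s0` label every container, including one outside both pods, dominates both mount points, which is the behaviour the first message describes. On a real host the same check can be fed from `ls -Z` on the kubelet volume directories and `ps -eZ` for the container processes.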
_______________________________________________
Container-tools mailing list
https://www.redhat.com/mailman/listinfo/container-tools