podman play kube does not set selinux private labels #13840
Comments
Kubernetes yaml files have no way to differentiate between :Z and :z, so we default to the most sharing.
Then I think this should be added as another note to the docs. It all makes sense now... but only after reading a few comments here on GitHub, like this one: #2575 (comment)
Please open a PR showing how you want the docs to look.
I'm not sure at this point if something has changed in podman 4; I'll try to test again with it before sending a PR. Right now I do not understand when podman (3.4.4) sets a private label for a volume. A named volume is set with a shared label, and a bind mount from the host is not even relabeled with podman play kube.
Podman (v4.0.2) (as root) does not set a private label for a volume with play kube. It does not relabel a bind mount, and named volumes get a shared label. I'll open a PR to correct the docs.
Correct, podman play kube has no way of signalling in the kubernetes.yaml file how to label content; this is governed by Kubernetes. Kubernetes says some other tool is required to set up the labeling. Since Podman cannot change the YAML file, we need to follow the Kubernetes rules.
/kind bug
Description
Podman allows the use of private SELinux labels for named volumes by adding :Z at the end of the bind mount specification. It looks like podman generate kube and podman play kube discard this setting and instead default to a shared SELinux label.
Steps to reproduce the issue: (as root on the host)
So c1 has pvol with a private label and c2 has shvol with a shared label. I also noticed that containers in a pod share the same SELinux label; I did not know that (c262,c353).
4. Exit the container, then
5. `podman generate kube testpod -f play.yml`
These are play.yml contents:
```shell
podman pod rm -f testpod
podman volume rm pvol shvol
podman play kube play.yml
```
Describe the results you received: as you can see, both new containers (with new SELinux labels) have a named volume (pvol and shvol), both with a shared label.
Describe the results you expected: pvol should have label system_u:object_r:container_file_t:s0:c194,c583 and shvol is fine.
Additional information you deem important: I think the documentation of podman play kube should also be updated; right now in https://docs.podman.io/en/latest/markdown/podman-play-kube.1.html it says that "Note: hostPath volume types created by play kube will be given an SELinux private label (Z)".
Named volumes instead have a shared label; this (I think) should be added.
Output of `podman version`:
Output of `podman info --debug`:
Package info (e.g. output of `rpm -q podman` or `apt list podman`):
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
No
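As an added example (not code from the issue or from the podman project), the following Python models the MCS rule behind the :Z versus :z distinction discussed in the issue: a container process may read a file only if its label's categories cover the file label's categories, so a volume relabeled with :z (no categories) is readable by every container on the host, while a :Z relabel ties it to one container's category pair. The container and volume labels below are constructed sample data that reuse the category pairs quoted in the issue; the function names, the plain-host label used in the relabel demonstration, and the "after play kube" state (both volumes shared, as the reporter observed) are assumptions made for this example.

```python
"""Added example: why a shared SELinux label (:z) is readable by every
container while a private label (:Z) is readable by only one.

Not code from the podman project or from the issue. It models the MCS
(Multi-Category Security) dominance rule used by the container policy:
a process may access a file only if the process label's categories are
a superset of the file label's categories. A ':z' relabel leaves the
volume with no categories, so every container dominates it; a ':Z'
relabel copies one container's category pair onto the volume.
Function names and the sample labels are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Label:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[str]  # empty for a shared (:z) label


def parse_label(text: str) -> Label:
    """Parse 'user:role:type:s0[:cA,cB]' as printed by ls -Z or podman inspect.

    Assumption: categories are listed individually (c194,c583); the range
    form (c0.c1023) used by some process labels is not handled here.
    """
    parts = text.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"unexpected SELinux label: {text!r}")
    cats = frozenset(parts[4].split(",")) if len(parts) == 5 and parts[4] else frozenset()
    return Label(parts[0], parts[1], parts[2], parts[3], cats)


def format_label(label: Label) -> str:
    """Inverse of parse_label; categories are printed sorted for stable output."""
    base = f"{label.user}:{label.role}:{label.type}:{label.sensitivity}"
    return base + (":" + ",".join(sorted(label.categories)) if label.categories else "")


def is_private(label: Label) -> bool:
    """A private (:Z) label carries MCS categories; a shared (:z) label carries none."""
    return bool(label.categories)


def mcs_allows(process: Label, file: Label) -> bool:
    """MCS dominance check: the process's categories must cover the file's."""
    return file.categories <= process.categories


def relabel(volume: Label, mode: str, container: Optional[Label] = None) -> Label:
    """Model the volume option suffix: ':Z' makes the label private to
    `container`, ':z' makes it shared. Both set the container_file_t type."""
    if mode == "Z":
        if container is None:
            raise ValueError("':Z' needs the container label whose categories to copy")
        cats = container.categories
    elif mode == "z":
        cats = frozenset()
    else:
        raise ValueError(f"unknown relabel mode {mode!r}; expected 'Z' or 'z'")
    return Label(volume.user, volume.role, "container_file_t", volume.sensitivity, cats)


def readers(volume_label: str, containers: Dict[str, str]) -> FrozenSet[str]:
    """Names of the containers whose process label dominates the volume label."""
    vol = parse_label(volume_label)
    return frozenset(n for n, lab in containers.items() if mcs_allows(parse_label(lab), vol))


def access_matrix(containers: Dict[str, str], volumes: Dict[str, str]) -> Dict[Tuple[str, str], bool]:
    """For every (container, volume) pair, report whether MCS permits access."""
    return {
        (c, v): mcs_allows(parse_label(cl), parse_label(vl))
        for c, cl in containers.items()
        for v, vl in volumes.items()
    }


# Constructed sample data reusing the category pairs quoted in the issue text.
CONTAINERS = {
    "c1": "system_u:system_r:container_t:s0:c194,c583",
    "c2": "system_u:system_r:container_t:s0:c262,c353",
}
VOLUMES_AFTER_RUN = {
    "pvol": "system_u:object_r:container_file_t:s0:c194,c583",  # created with :Z
    "shvol": "system_u:object_r:container_file_t:s0",           # created with :z
}
# Assumed state after `podman play kube`, matching what the reporter saw: both shared.
VOLUMES_AFTER_PLAY_KUBE = {
    "pvol": "system_u:object_r:container_file_t:s0",
    "shvol": "system_u:object_r:container_file_t:s0",
}

if __name__ == "__main__":
    for title, volumes in (("after podman run", VOLUMES_AFTER_RUN),
                           ("after podman play kube", VOLUMES_AFTER_PLAY_KUBE)):
        print(title)
        for vol, lab in volumes.items():
            kind = "private" if is_private(parse_label(lab)) else "shared"
            print(f"  {vol} ({kind}): readable by {sorted(readers(lab, CONTAINERS))}")
```

Running it shows the practical difference the thread is about: with the labels from `podman run`, only c1 can read pvol, while after the shared relabel every container on the host (not just the two in the pod) can read both volumes, which is what "default to the most sharing" means in SELinux terms.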