Skip to content

[BUG] SeLinux on EC2 RHEL 8,4 block pod to access serviceaccount mount #310

Closed
#325
Closed
[BUG] SeLinux on EC2 RHEL 8,4 block pod to access serviceaccount mount#310
#325
Assignees
cooktheryan
Labels
kind/bugCategorizes issue or PR as related to a bug.
@ianzhang366

Description

@ianzhang366
ianzhang366
opened on Sep 24, 2021

What happened:

From a workload pod, it has the following logs showing the pod doesn't have permission to access the mounted serviceaccont.

"unable to find leader election namespace: error checking namespace file: stat /var/run/secrets/kubernetes.io/serviceaccount/namespace: permission denied"

What you expected to happen:

Workload pod can access the mounted serviceaccont.

How to reproduce it (as minimally and precisely as possible):

  1. run microshift on ec2 RHEL
  2. deploy some pods which have a serviceaccount mounted, then exec into the pod
  3. then run stat /var/run/secrets/kubernetes.io/serviceaccount/namespace (assuming the service account has a namespace field)

Anything else we need to know?:

After disable selinux(setenforce 0), the pod is able to access the mounted service account.

Slack conversation is at: https://microshift.slack.com/archives/C025AQ0QD8B/p1632421234103900

Environment:

  • Microshift version (use microshift version): Microshift Version: 4.7.0-0.microshift-2021-08-31-224727
  • Hardware configuration: t2.xlarge
  • OS (e.g: cat /etc/os-release): Red Hat Enterprise Linux 8.4 (Ootpa)
  • Kernel (e.g. uname -a): Linux ip-172-31-32-38.ec2.internal 4.18.0-305.el8.x86_64 Init #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Others:

Relevant Logs

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions