Set container file label on workload API directory #105
Conversation
azdagron
force-pushed
the
azdagron/set-selinux-container-file-label
branch
5 times, most recently
from
8446c10
to
6d03ceb
Compare
azdagron
force-pushed
the
azdagron/set-selinux-container-file-label
branch
2 times, most recently
from
ffecf38
to
fc4fe9c
Compare
There was a problem hiding this comment.
Thanks, @azdagron! I would like to test this in our clusters with enforcing SELinux. Are images from PRs available from CI, or do I have to build it myself to test? I have been able to reproduce the issue on Openshift, but also on Rancher RKE2 with SELinux enforcing.
test/config/spiffe-csi-driver.yaml
Outdated
| @@ -50,7 +50,7 @@ spec: | |||
| # driver will mount this directory into containers. | |||
| - mountPath: /spire-agent-socket | |||
| name: spire-agent-socket-dir | |||
| readOnly: true | |||
| #readOnly: true | |||
There was a problem hiding this comment.
| #readOnly: true |
Or we could explicitly set it to false, with a comment about why?
There was a problem hiding this comment.
Oh whoops, I didn't mean to leave this commented line in. But yes, I agree that being explicit and adding a comment would be very helpful and self-documenting.
pkg/driver/driver.go
Outdated
| // Set the SELinux label on the workload API directory. This allows the | ||
| // mount to be used within OpenShift, for example. This will fail if the | ||
| // Workload API socket directory is mounted read-only. | ||
| if err := chcon(config.WorkloadAPISocketDir, seLinuxContainerFileLabel, true); err != nil { |
There was a problem hiding this comment.
Would it make sense to check if SELinux is in enforcing mode before attempting this? That would allow users without enforcing SELinux to use a read-only mount and avoid log errors.
There was a problem hiding this comment.
That seems reasonable. I'll look into how to do that.
Unfortunately not at the moment. You'll have to build it yourself. Once it is merged, the nightly workflow will publish the image. |
|
Hey, @erikgb ! I'd love to get this into a release soon. Have you had a chance to give this a go, by chance? |
Hi @azdagron! I had a look at building the image myself a couple of weeks ago. And the combination of a quite complex image build and me sitting on a corporate network appeared like a bad combination. 😉 But after your last poke, I did another attempt. And I think I managed to build the image from a local mirror with some minor adjustments to the build process. I started off the upstream main branch, just to see that things were working as before. As I cannot "play around" in our Openshift clusters, I had to use our development RKE2 cluster - where I have reproduced the problem earlier.
So my testing so far shows that this PR does NOT currently fix the problem. Are you able to add some more logging to verify that I haven't messed up my local image build? Or maybe try it yourself in a cluster with SELinux enabled? I'll recommend Rancher RKE2 which we run in a single node configuration for early testing like this. |
|
After removing the init-container, this appears to work, but I'll guess that's because the SELinux settings are already applied on my node. If I change the host path for the agent sockets to a new directory, I'm back to the error in the example-workload: With the init-container in place this works again: |
|
Thanks for giving that a go @erikgb! I've shuffled the code to unconditionally log SELinux status before attempting to do the chcon: If you build and load the image correctly, you should get a log line like the following (except my status shows not enabled) Note that If you have time to give it a whirl, that would be helpful. In the meantime I'm going to attempt to get RKE2 up. |
azdagron
force-pushed
the
azdagron/set-selinux-container-file-label
branch
from
f36d619
to
7c0cfad
Compare
This allows the driver to be used within OpenShift without using an init container to set the label. Fixes #54. Signed-off-by: Andrew Harding <[email protected]>
Signed-off-by: Andrew Harding <[email protected]>
Signed-off-by: Andrew Harding <[email protected]>
azdagron
force-pushed
the
azdagron/set-selinux-container-file-label
branch
from
7c0cfad
to
84bcf56
Compare
|
@azdagron The added logging is interesting: Very strange indeed. SELinux is for sure enabled, causing the permission denied without the init container. Could there be some native requirements (inside container) for using https://github.com/opencontainers/selinux? I haven't looked at the code, but if it is (just) a Go wrapper around |
|
I did a quick test using |
|
Is SELinux fs visible in the CSI driver container? or does it need to be mounted somehow? |
|
@azdagron That was a good lead! Inspired by kubernetes-sigs/aws-ebs-csi-driver#1544 (comment) adding the volumes gives another behavior: |
|
Ok, looks like I'm going to need to get RKE2 or something similar going to get this buttoned down. Looks like this story might be improving for k8s 1.27 as well (with CSI driver support): https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/ |
|
Any progress on this? We're up to k8s 1.29 now and that feature has been on by default since 1.28 |
|
@empath-nirvana It would help if you could test this feature branch! And suggest improvements that might solve the issue. @azdagron Are you able to rebase this PR? Seems like there are some conflicting files. |
This allows the driver to be used within OpenShift without using an init container to set the label.
This PR attempts to set the label unconditionally. It will fail on existing deployments that mount the Workload API socket directory read-only into the CSI driver container. Results are logged.
Fixes #54.