SELinux hostPath issue on 2.x

[Viktor-Osika]

After creating a new cluster with 2.x version of the terraform module, I am now observing permission denied errors on Promtail.
The Pod is trying to access a hostPath mount at /run/promtail and can't.
I checked the permissions on the agent node for that directory and I see SELinux label on /run/promatil container_var_run_t which I don't believe is accessible by Promtail process which is container_t.
Previously I don't remember that I had this issue, so I suppose something has changed in 2.x?

What would be the easiest way to fix the labels/policies to make hostPath RW mount working? I am no expert in SELinux, and I've read this article discussing a similar issue but I don't know how to properly apply it to MicroOS and K3S combo.

[Viktor-Osika]

I also have a similar issue now with node-exporter open /host/proc/1/mounts: permission denied which wasn't there before.

The obvious quick fix is to run both pods as privileged, but I wonder if there is a more security-friendly solution.

[thomasprade]

I'm having the same problem with postgres.
The pod is configured with a node selector and uses a volume in hostPath: /var/pgdata for the persistent data volume
Since the update the pod crashes on startup with the error:

chmod: changing permissions of '/var/lib/postgresql/data/pgdata': Permission denied TIMESTAMP find: ‘/var/lib/postgresql/data/pgdata’: Permission denied
chown: changing ownership of '/var/lib/postgresql/data/pgdata': Permission denied

The workaround, running the pod as priviliged, got the pod running again.
But changing the hostPath to /opt/pgdata also worked without any other changes.

[mysticaltech]

@Viktor-Osika @thomasprade Sorry just seeing this now. It's very easy to add the needed SELinux rules, see here #697 (comment).