keps/sig-storage/1710-selinux-relabeling/README.md (6 additions & 2 deletions)
@@ -118,6 +118,10 @@ Further in this KEP we assume that the SELinux is enabled on the system. This KE
118
118
119
119
See [SELinux documentation](https://selinuxproject.org/page/NB_MLS) for more details.
120
120
121
+
In this document we use `container_t` and `container_file_t` labels for container processes / files, which are the default labels on Fedora based distributions (AlmaLinux, CentOS, Red Hat Enterprise Linux, Rocky Linux, ...).
122
+
For example, Debian uses `svirt_lxc_net_t` and `svirt_lxc_file_t` as the default labels for containers, but the principles are the same.
123
+
The implementation of this KEP does not depend on the actual labels used in the system.
124
+
121
125
### SELinux label assignment
122
126
In Kubernetes, the SELinux label of a pod is assigned in two ways:
123
127
1. Either it is set by user in PodSpec or Container: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/.
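Review bot: the closing sentence of the new paragraph, "The implementation of this KEP does not depend on the actual labels used in the system", needs one sentence saying where kubelet obtains the system default labels, because the paragraph names two different default pairs (`container_t`/`container_file_t` on Fedora based distributions, `svirt_lxc_net_t`/`svirt_lxc_file_t` on Debian) without stating whether kubelet reads them from the host or has the Fedora pair built in; only the former makes the Debian case work as claimed. A reference for the Debian defaults next to the existing SELinux documentation link would also help reviewers verify the example.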
@@ -465,13 +469,13 @@ spec:
465
469
* Same as the previous story. Kubelet mounts the volume without any SELinux option + the container runtime relabels the volumes recursively.
* If `myclaim` is a RWOP volume (`Spec.AccessModes == ["ReadWriteOncePod']`) *and* the corresponding CSI drivers support SELinux mount, kubelet mounts the volume with `-o context=system_u:object_r:container_file_t:s0:c10,c0`.
472
+
* If `myclaim` is a RWOP volume (`Spec.AccessModes == ["ReadWriteOncePod']`) *and* the corresponding CSI drivers support SELinux mount, kubelet fills the blanks in the `seLinuxOptions` from the system defaults (`user: system_u`, `role: object_r`, `type: container_t` on Fedora based distros), translates them to a file label (`container_t` -> `container_file_t`) and mounts the volume with `-o context=system_u:object_r:container_file_t:s0:c10,c0`.
469
473
* If `myclaim` is any other volume, kubelet mounts the volume without any SELinux option + the container runtime relabels the volume recursively.
470
474
* The secret token volume is relabeled by the container runtime, because Secret and Projected volumes do not support SELinux mount.
* Since there is no `SELinuxChangePolicy` set, kubelet implies `MountOption`.
474
-
If the corresponding CSI driver (or in-tree volume plugin) support SELinux mount, the volume is mounted with `-o context=system_u:object_r:container_file_t:s0:c10,c0`.
478
+
If the corresponding CSI driver (or in-tree volume plugin) support SELinux mount, kubelet fills the blanks in the `seLinuxOptions` from the system defaults as described above and the volume is mounted with `-o context=system_u:object_r:container_file_t:s0:c10,c0`.
475
479
* Otherwise, kubelet mounts the volume without any SELinux option + the container runtime relabels the volume recursively.
476
480
* The secret token volume is relabeled by the container runtime, because Secret and Projected volumes do not support SELinux mount.
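Review bot: the rewritten RWOP bullet presents the process-to-file type translation as `container_t` -> `container_file_t`, which reads as a fixed string mapping; since the KEP's own Debian example uses `svirt_lxc_net_t` / `svirt_lxc_file_t`, the bullet should say the file type is taken from the same system defaults as the process type, otherwise it contradicts the earlier claim that the implementation does not depend on the actual labels. Two smaller points in the same hunk: `["ReadWriteOncePod']` has mismatched quotes and should read `["ReadWriteOncePod"]`, and "If the corresponding CSI driver (or in-tree volume plugin) support SELinux mount" should use "supports" now that the sentence is being rewritten anyway.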