SELinux seems to be blocking spire csi driver installation. #3833
Labels
status/icebox
Things we think would be nice but are not prioritized
Comments
@empath-nirvana Thank you for bringing this up. I will try to replicate this and get back to you.

I resolved this -- for anybody else trying to figure this out -- you need to add this init container to the spire csi driver/agent pod initContainers:

```yaml
- name: set-context
  image: ubuntu:22.04
  command: ["chcon", "-Rt", "container_file_t", "spire-agent-socket/"]
  volumeMounts:
    - name: spire-agent-socket-dir
      mountPath: /spire-agent-socket
  securityContext:
    seLinuxOptions:
      role: system_r
      user: system_u
      type: "super_t"
```
I followed the spire/istio quick start here and I'm seeing a lot of selinux denials on the node:

```
[ 9787.965707] audit: type=1400 audit(1710880774.925:558): avc: denied { search } for pid=33158 comm="sh" name="spire-agent-socket-dir" dev="nvme1n1p1" ino=288654 scontext=system_u:system_r:container_t:s0:c244,c337 tcontext=system_u:object_r:data_t:s0:c839,c970 tclass=dir permissive=0
```

Image I'm using:

`bottlerocket-aws-k8s-1.26-x86_64-v1.19.2-29cc92cc`

What I expected to happen:

I should be able to mount the csi driver socket as a volume.

What actually happened:

I get permission denied errors.

How to reproduce the problem:

https://istio.io/latest/docs/ops/integrations/spire/

Follow the quick start tutorial in the istio documentation here; the ingress gateway won't come up because of permissions problems.

Maybe this is just a user error sort of thing and I need to fix the security context, or something that needs to be fixed in the spire agent, but there's a workaround here:

spiffe/spiffe-csi#54 (comment)

that supposedly fixes the issue in OpenShift but doesn't resolve it for bottlerocket. (I get permission denied when trying to relabel the file.)
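The denial quoted above is the whole diagnosis if you know how to read it: a `container_t` process asked for `search` on a directory labelled `data_t` with MCS categories that differ from the container's, and the policy was enforcing (`permissive=0`). As an added example (not code from this issue or from the Bottlerocket project), the following Python script parses `avc: denied` records in the dmesg/audit format shown here and reports the label mismatch. It assumes the usual container-selinux convention that `container_file_t` is the file type container processes may use (that is the type the workaround above relabels to); the sample lines are constructed from the record in this issue plus one non-AVC record to show it is skipped.

```python
"""Parse SELinux AVC denials (dmesg / audit.log format) and explain what they block."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the denial quoted in this issue, plus an unrelated
# SYSCALL record that the parser must ignore.
SAMPLE_LINES = [
    '[ 9787.965707] audit: type=1400 audit(1710880774.925:558): avc: denied '
    '{ search } for pid=33158 comm="sh" name="spire-agent-socket-dir" '
    'dev="nvme1n1p1" ino=288654 scontext=system_u:system_r:container_t:s0:c244,c337 '
    'tcontext=system_u:object_r:data_t:s0:c839,c970 tclass=dir permissive=0',
    '[ 9788.000000] audit: type=1300 audit(1710880774.925:558): arch=c000003e syscall=257',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: the node's policy follows the container-selinux convention in
# which container_file_t is the file type container_t processes may access.
CONTAINER_FILE_TYPES = {'container_file_t'}


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: str  # sensitivity plus optional MCS categories, e.g. "s0:c244,c337"

    @property
    def categories(self) -> frozenset:
        parts = self.level.split(':', 1)
        if len(parts) == 2 and parts[1]:
            return frozenset(parts[1].split(','))
        return frozenset()


def parse_context(raw: str) -> Context:
    """Split user:role:type[:level]; the level is absent on non-MLS/MCS policies."""
    parts = raw.split(':', 3)
    level = parts[3] if len(parts) > 3 else ''
    return Context(parts[0], parts[1], parts[2], level)


@dataclass
class AvcDenial:
    permissions: List[str]
    scontext: Context
    tcontext: Context
    tclass: str
    permissive: bool
    fields: Dict[str, str]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the parsed denial, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcDenial(
        permissions=m.group('perms').split(),
        scontext=parse_context(fields['scontext']),
        tcontext=parse_context(fields['tcontext']),
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
        fields=fields,
    )


def assess(d: AvcDenial) -> Dict[str, object]:
    """Explain why a container process was denied access to a file object."""
    target_ok = d.tcontext.type in CONTAINER_FILE_TYPES
    # MCS rule: the subject's categories must dominate the object's; an object
    # with no categories (plain s0) is reachable by any container.
    categories_ok = d.tcontext.categories <= d.scontext.categories
    if not target_ok:
        why = f'target type {d.tcontext.type} is not a container-accessible file type'
    elif not categories_ok:
        why = "target MCS categories do not match the container's"
    else:
        why = 'labels look compatible; the denial comes from another policy rule'
    return {
        'denied': d.permissions,
        'object_class': d.tclass,
        'source_type': d.scontext.type,
        'target_type': d.tcontext.type,
        'target_type_ok': target_ok,
        'categories_ok': categories_ok,
        'enforced': not d.permissive,
        'why': why,
    }


def analyse(lines: List[str]) -> List[Dict[str, object]]:
    """Run the parser over a batch of log lines, keeping only AVC denials."""
    return [assess(d) for d in map(parse_avc, lines) if d is not None]


if __name__ == '__main__':
    for report in analyse(SAMPLE_LINES):
        print(report)
```

Run it against `dmesg` or `/var/log/audit/audit.log` output; for the record in this issue it reports `target_type_ok: False` and `categories_ok: False`, which is why a plain `chcon -t container_file_t` from inside a container (as attempted above) is itself subject to the same policy and fails until something with sufficient privilege relabels the directory.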