
fix CSI drivers and kaniko #983

Merged: 5 commits from bcressey's selinux-fixes branch into bottlerocket-os:develop, Jul 10, 2020

Conversation

bcressey (Contributor):
Issue number:
#975, #981

Description of changes:
Fix the EBS CSI driver by allowing it to manage tmpfs mounts.

Add a separate label for /etc and ensure that it's applied so it can't be unmounted or mounted over. Remove the preinit helper since we no longer need it.

Allow transitions into the container domains from either local_t (on the overlay) or cache_t (on the lower directories) since both are valid. This fixes the Kaniko debug image when running it with a command that resides in a VOLUME.

Testing done:
E2E tests pass for 1.15, 1.16, 1.17.

Verified that Kaniko can run:

$ kubectl run -it --image gcr.io/kaniko-project/executor:debug-v0.19.0 test --restart Never --rm --command /busybox/sh
If you don't see a command prompt, try pressing enter.
/ # ls
busybox  dev      etc      kaniko   proc     sys      var

Verified the EBS CSI driver by testing the "block-volume" and "dynamic-provisioning" examples.

Verified the EFS CSI driver by testing the "static_provisioning" example.

Verified that container_t cannot unmount or mount over /etc.

# echo -n 'system_u:system_r:container_t:s0' > /proc/self/attr/current

# umount /etc
[   51.416804] audit: type=1400 audit(1594388242.662:4): avc:  denied  { unmount } for  pid=3497 comm="umount" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=filesystem permissive=0
umount: /etc: block devices are not permitted on filesystem.

# mount -t tmpfs tmpfs /etc/resolv.conf
[   28.224870] audit: type=1400 audit(1594388443.687:5): avc:  denied  { mounton } for  pid=3495 comm="mount" path="/etc/resolv.conf" dev="tmpfs" ino=14324 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[   28.234127] audit: type=1400 audit(1594388443.695:6): avc:  denied  { mounton } for  pid=3495 comm="mount" path="/etc/resolv.conf" dev="tmpfs" ino=14324 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
mount: /etc/resolv.conf: cannot mount tmpfs read-only.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
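The /etc check from the testing section above, as an added example that is not part of the PR or the Bottlerocket code base: a small shell check that parses AVC audit lines and succeeds only if container_t is denied both unmount of the etc_t filesystem and mounton of an etc_t file while the policy is enforcing (permissive=0). The sample lines are constructed from the two denials shown plus one extra line with permissive=1 that must not count.

```shell
#!/bin/sh
# Constructed sample audit lines: the two denials shown in the PR's testing section,
# plus a third (constructed) line with permissive=1, which logs a denial that was
# actually allowed and therefore must not count as protection.
SAMPLE_AUDIT='[   51.416804] audit: type=1400 audit(1594388242.662:4): avc:  denied  { unmount } for  pid=3497 comm="umount" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=filesystem permissive=0
[   28.224870] audit: type=1400 audit(1594388443.687:5): avc:  denied  { mounton } for  pid=3495 comm="mount" path="/etc/resolv.conf" dev="tmpfs" ino=14324 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[   99.000000] audit: type=1400 audit(1594388600.000:9): avc:  denied  { mounton } for  pid=3601 comm="mount" path="/etc/hosts" dev="tmpfs" ino=14330 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'

# etc_denials TEXT: print "perm target class" for every enforced AVC denial
# whose source domain is container_t and whose target type is etc_t.
etc_denials() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""; en = ""
      # the permission set is printed as "{ unmount }"; strip braces and spaces
      if (match($0, /[{] *[a-z_]+ *[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2); gsub(/ /, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")   { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")     cls = kv[2]
        if (kv[1] == "permissive") en = kv[2]
      }
      # permissive=1 means the access was logged but allowed: not a real block
      if (src == "container_t" && tgt == "etc_t" && en == "0") print perm, tgt, cls
    }'
}

# etc_protected TEXT: succeed (exit 0) only if both expected denials are present:
# unmount of the etc_t filesystem and mounton of an etc_t file.
etc_protected() {
  denials=$(etc_denials "$1")
  printf '%s\n' "$denials" | grep -q '^unmount etc_t filesystem$' || return 1
  printf '%s\n' "$denials" | grep -q '^mounton etc_t file$' || return 1
}

etc_protected "$SAMPLE_AUDIT" && echo "/etc protected from container_t" || echo "/etc NOT protected"
```

On a real node, feed the function the output of `dmesg` or the audit log instead of the constructed sample.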

Commits:

We need to allow containers to manage tmpfs mounts, since this is
expected by the EBS CSI driver, and is a pretty reasonable thing
to want to do.

We also need to avoid letting containers manage the tmpfs mount for
/etc, since this would offer a way to replace the configuration and
service files we generate.

Signed-off-by: Ben Cressey <[email protected]>

This eliminates the need for a separate preinit program to handle the
mount for /etc, and ensures that the filesystem is labeled correctly.

Signed-off-by: Ben Cressey <[email protected]>

Now that systemd handles the /etc mount, we no longer need it.

Signed-off-by: Ben Cressey <[email protected]>

This allows CNI plugin containers to write the configuration that
containerd uses, even if they are not running with a privileged
label.

Signed-off-by: Ben Cressey <[email protected]>

When starting a container with a command that resides in a different
layer, `runc` might see the lower label (`cache_t`) rather than the
upper one (`local_t`).

Either type is a valid entrypoint into the container domain.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey merged commit 05ad2d9 into bottlerocket-os:develop Jul 10, 2020
@bcressey bcressey deleted the selinux-fixes branch July 10, 2020 16:17
Successfully merging this pull request may close these issues:

- SELinux policy interfering with kaniko
- SELinux policy interfering with EBS CSI driver