Comments (5)
Okay, I think I have figured out the problem:
The problem is related to MCS labels and multiple containers accessing the same file:
ps auxZ | grep local-path
system_u:system_r:container_t:s0:c608,c1006 root 10449 0.0 0.9 1265432 36588 ? Ssl 18:05 0:00 local-path-provisioner start --config /etc/config/config.json
As you can see, local-path-provisioner started with MCS label s0:c608,c1006;
however, the helper pod that tries to delete the files has started with MCS label s0:c212,c497,
which doesn't have access to that file category.
type=AVC msg=audit(1716402374.003:883): avc: denied { read } for pid=14858 comm="ls" name="pvc-31023300-a21e-45ea-b177-70d8f26389b6_kube-system_test-pvc" dev="xvda4" ino=184552397 scontext=system_u:system_r:container_t:s0:c212,c497 tcontext=system_u:object_r:container_file_t:s0:c310,c608 tclass=dir permissive=0
For more info: https://www.redhat.com/en/blog/how-selinux-separates-containers-using-multi-level-security
The fix is simply giving the helper pod a wider range of MCS categories in its security context; I have added a PR to local-path-provisioner to fix that as a permanent solution.
from k3s.
The log doesn't make a lot of sense in my opinion: the denial is read access from the source (container_t) to (container_file_t), which should be available if container-selinux is available. Can you check the following:
rpm -qa | grep selinux
also
semodule -l
I need to see which version of container-selinux is used and whether k3s-selinux is actually loaded, not only installed.
Can you check
Sure:
rpm.txt
semodule.txt
Reproduced with SELinux in audit
Validated with COMMIT=d9b8ba8d7109ca098c379d170eb412879c5ee94e
type=AVC msg=audit(1717714359.907:540): avc: denied { remove_name } for pid=7527 comm="rm" name="pvc-34f0f671-74e7-4637-bc8d-621c631cda7d_kube-system_test-pvc" dev="xvda3" ino=92284451 scontext=system_u:system_r:container_t:s0:c62,c578 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
// showing expanded file categories
$ sudo ps auxZ | grep local-path
system_u:system_r:container_t:s0:c483,c762 root 3740 0.0 0.8 1265184 33320 ? Ssl 23:34 0:00 local-path-provisioner start --config /etc/config/config.json
$ kg pv,pvc,pod -A
NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                  STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-956284c7-c03a-4955-a634-a7bb4b0960d3   10Mi       RWO            Delete           Bound    kube-system/test-pvc   local-path     <unset>                          4m28s

NAMESPACE     NAME                             STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
kube-system   persistentvolumeclaim/test-pvc   Bound    pvc-956284c7-c03a-4955-a634-a7bb4b0960d3   10Mi       RWO            local-path     <unset>                 4m31s

NAMESPACE     NAME                                          READY   STATUS      RESTARTS   AGE
kube-system   pod/coredns-576bfc4dc7-67gmf                  1/1     Running     0          5m51s
kube-system   pod/helm-install-traefik-95djw                0/1     Completed   1          5m52s
kube-system   pod/helm-install-traefik-crd-pfdj8            0/1     Completed   0          5m52s
kube-system   pod/local-path-provisioner-86f46b7bf7-xsmpb   1/1     Running     0          5m51s
kube-system   pod/metrics-server-557ff575fb-x7bqh           1/1     Running     0          5m51s
kube-system   pod/svclb-traefik-9a2525f6-hg9nv              2/2     Running     0          5m36s
kube-system   pod/test-pod                                  1/1     Running     0          4m31s
kube-system   pod/traefik-5fb479b77-pdp75                   1/1     Running     0          5m37s
$ k delete -f pvc.yaml -f podpvc.yaml
persistentvolumeclaim "test-pvc" deleted
pod "test-pod" deleted
$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent | grep -i denied
type=AVC msg=audit(1717717275.427:887): avc: denied { remove_name } for pid=7378 comm="rm" name="pvc-956284c7-c03a-4955-a634-a7bb4b0960d3_kube-system_test-pvc" dev="xvda3" ino=26007582 scontext=system_u:system_r:container_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
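The MCS reasoning in the first comment, and the later denials against var_lib_t, can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the k3s or local-path-provisioner projects: it parses the three AVC lines quoted above (copied into the script as constructed sample input), works out whether the subject's MCS range dominates the object's level, and separates a real category mismatch (the first denial, where s0:c212,c497 lacks c310 and c608) from a denial that persists even with the full s0-s0:c0.c1023 range and therefore cannot be an MCS problem (the two var_lib_t denials, which point at type enforcement between container_t and var_lib_t instead). The names `Level`, `Finding`, `parse_level`, `parse_context`, `analyze` and `describe` are the example's own inventions.

```python
import re
from dataclasses import dataclass

# Constructed sample input for this example: the three AVC denials quoted in
# the thread above, copied verbatim so the script runs offline.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1716402374.003:883): avc: denied { read } for pid=14858 comm="ls" name="pvc-31023300-a21e-45ea-b177-70d8f26389b6_kube-system_test-pvc" dev="xvda4" ino=184552397 scontext=system_u:system_r:container_t:s0:c212,c497 tcontext=system_u:object_r:container_file_t:s0:c310,c608 tclass=dir permissive=0
type=AVC msg=audit(1717714359.907:540): avc: denied { remove_name } for pid=7527 comm="rm" name="pvc-34f0f671-74e7-4637-bc8d-621c631cda7d_kube-system_test-pvc" dev="xvda3" ino=92284451 scontext=system_u:system_r:container_t:s0:c62,c578 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1717717275.427:887): avc: denied { remove_name } for pid=7378 comm="rm" name="pvc-956284c7-c03a-4955-a634-a7bb4b0960d3_kube-system_test-pvc" dev="xvda3" ino=26007582 scontext=system_u:system_r:container_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity (s0) plus a set of categories (c212, c497, ...)."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # Dominance: sensitivity at least as high, and a superset of the categories.
        return self.sensitivity >= other.sensitivity and self.categories >= other.categories


def parse_level(text):
    """Parse 's0', 's0:c212,c497' or 's0:c0.c1023' (a 'cA.cB' item is a range)."""
    sens_part, _, cat_part = text.partition(":")
    categories = set()
    for item in filter(None, cat_part.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return Level(int(sens_part[1:]), frozenset(categories))


def parse_context(ctx):
    """Split user:role:type:range into (type, low_level, high_level)."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low_text, _, high_text = rng.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    return typ, low, high


@dataclass
class Finding:
    permission: str
    tclass: str
    source_type: str
    target_type: str
    kind: str                   # "mcs_mismatch" or "not_mcs"
    missing_categories: tuple   # categories the subject lacks (empty for not_mcs)
    permissive: bool


def analyze(log_text):
    """Classify each AVC denial as an MCS category mismatch or something else."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, _slow, shigh = parse_context(m["scontext"])
        ttype, tlow, _thigh = parse_context(m["tcontext"])
        # The reference policy's MCS constraints require the subject's high
        # (clearance) level to dominate the object's level ("h1 dom l2"), so a
        # process running as s0-s0:c0.c1023 clears every category.
        if shigh.dominates(tlow):
            kind, missing = "not_mcs", ()
        else:
            kind, missing = "mcs_mismatch", tuple(sorted(tlow.categories - shigh.categories))
        findings.append(Finding(
            permission=m["perm"], tclass=m["tclass"],
            source_type=stype, target_type=ttype,
            kind=kind, missing_categories=missing,
            permissive=(m["permissive"] == "1"),
        ))
    return findings


def describe(f):
    """One-line human summary of a finding."""
    if f.kind == "mcs_mismatch":
        cats = ",".join("c%d" % c for c in f.missing_categories)
        return "MCS: %s on %s denied, subject lacks categories %s" % (f.permission, f.tclass, cats)
    return "not MCS: %s on %s denied although categories dominate; check type enforcement %s -> %s" % (
        f.permission, f.tclass, f.source_type, f.target_type)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AVC_LOG):
        print(describe(finding))
```

Run it as-is to see the three classifications, or pipe real output in: `sudo ausearch -m AVC -ts recent --raw` produces lines in the same shape, and `analyze()` ignores anything that does not match. The classification only tells you whether widening the helper pod's MCS range can possibly help; a "not MCS" result means the fix has to be on the type side (the directory carrying var_lib_t instead of container_file_t), which no category range will cure.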