Closed
Labels
kind/bug: Categorizes issue or PR as related to a bug.
Description
What happened:
From a workload pod, it has the following logs showing the pod doesn't have permission to access the mounted serviceaccount.
"unable to find leader election namespace: error checking namespace file: stat /var/run/secrets/kubernetes.io/serviceaccount/namespace: permission denied"
What you expected to happen:
Workload pod can access the mounted serviceaccount.
How to reproduce it (as minimally and precisely as possible):
- run microshift on ec2 RHEL
- deploy some pods which have a `serviceaccount` mounted, then `exec` into the pod
- then run `stat /var/run/secrets/kubernetes.io/serviceaccount/namespace` (assuming the service account has a namespace field)
Anything else we need to know?:
After disabling SELinux (setenforce 0), the pod is able to access the mounted service account.
Slack conversation is at: https://microshift.slack.com/archives/C025AQ0QD8B/p1632421234103900
Environment:
- Microshift version (use `microshift version`): Microshift Version: 4.7.0-0.microshift-2021-08-31-224727
- Hardware configuration: t2.xlarge
- OS (e.g: `cat /etc/os-release`): Red Hat Enterprise Linux 8.4 (Ootpa)
- Kernel (e.g. `uname -a`): Linux ip-172-31-32-38.ec2.internal 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
- Others:
Relevant Logs
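A way to confirm from the audit log that SELinux is what blocks the service account mount, without switching to permissive mode, is to inspect the AVC denials recorded for that path. The following is an added example, not part of the original issue or the MicroShift project: it parses constructed audit records and compares source and target contexts. The sample lines, the function names and the two-way cause heuristic (MCS category mismatch versus type enforcement) are assumptions.

```python
import re

# Matched as a substring so both /run/... and /var/run/... forms of the path hit.
SA_MOUNT = "secrets/kubernetes.io/serviceaccount"

# Constructed sample audit records for illustration; not logs from the issue.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1632421234.103:901): avc:  denied  { getattr } for  pid=4242 comm="stat" path="/run/secrets/kubernetes.io/serviceaccount/..data/namespace" dev="tmpfs" ino=77 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c56,c78 tclass=file permissive=0
type=AVC msg=audit(1632421235.200:902): avc:  denied  { read } for  pid=4243 comm="manager" path="/run/secrets/kubernetes.io/serviceaccount/..data/token" dev="tmpfs" ino=78 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1632421236.300:903): avc:  denied  { write } for  pid=900 comm="sshd" path="/etc/motd" dev="xvda2" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?'
    r'(?:path|name)="(?P<path>[^"]+)".*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<tclass>\S+)'
)

def categories(context):
    """Expand the MCS categories of a context's high level into a set of ints."""
    level = context.split(":", 3)[3].split("-")[-1]      # e.g. "s0:c1,c5.c7"
    cats = set()
    if ":" in level:
        for part in level.split(":", 1)[1].split(","):
            lo, _, hi = part.partition(".")               # "c5.c7" is a range
            cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def serviceaccount_denials(audit_text):
    """Return one finding per AVC denial that targets the service account mount."""
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or SA_MOUNT not in m["path"]:
            continue
        # Heuristic (assumption): if the file carries categories the process
        # lacks, the MCS constraint denies access; otherwise suspect the type.
        mcs = not categories(m["tgt"]) <= categories(m["src"])
        findings.append({
            "path": m["path"], "perms": m["perms"].split(), "tclass": m["tclass"],
            "source_type": m["src"].split(":")[2], "target_type": m["tgt"].split(":")[2],
            "likely_cause": "mcs_mismatch" if mcs else "type_enforcement",
        })
    return findings

if __name__ == "__main__":
    for finding in serviceaccount_denials(SAMPLE_AUDIT):
        print(finding)
```
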