Comments (1)
This happens because the SELinux label is removed by containerd's CRI implementation if the container is privileged. This is similar to how seccomp filters are treated.

Normally this is fine since `privileged: true` implies "all the privileges" on most distros, just not on Bottlerocket.

The workaround is to avoid specifying `privileged: true` in the security context, and to instead list out everything that is implied by that:

```yaml
securityContext:
  allowPrivilegeEscalation: true
  capabilities:
    add:
      - AUDIT_CONTROL
      - BLOCK_SUSPEND
      - DAC_READ_SEARCH
      - IPC_LOCK
      - IPC_OWNER
      - LEASE
      - LINUX_IMMUTABLE
      - MAC_ADMIN
      - MAC_OVERRIDE
      - NET_ADMIN
      - NET_BROADCAST
      - SYSLOG
      - SYS_ADMIN
      - SYS_BOOT
      - SYS_MODULE
      - SYS_NICE
      - SYS_PACCT
      - SYS_PTRACE
      - SYS_RAWIO
      - SYS_RESOURCE
      - SYS_TIME
      - SYS_TTY_CONFIG
      - WAKE_ALARM
  seccompProfile:
    type: Unconfined
  seLinuxOptions:
    type: super_t
```

This works unless the privileged container needs access to host devices. Right now, the device cgroup is set to all devices allowed for privileged containers, and there's no way to specify the equivalent in the pod spec without `privileged: true`.
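The following is an added example, not code from the Bottlerocket project or from the comment above. It applies the workaround mechanically: every container whose securityContext says `privileged: true` is rewritten to the explicit form the comment gives (the same capability list, unconfined seccomp, and the `super_t` SELinux type), and containers that mount a hostPath under `/dev` are left unchanged and reported, since the comment notes the workaround cannot reproduce the privileged device cgroup. The pod is handled as plain Python dicts so it runs without PyYAML; the `/dev` hostPath heuristic for "needs host devices" and the sample pod are assumptions constructed for the example.

```python
"""Expand `privileged: true` into its explicit equivalent for Bottlerocket.

Added example (not Bottlerocket project code). Operates on a pod object
already parsed into dicts, e.g. by json.load() or yaml.safe_load().
"""
import copy
import json

# Capabilities the comment lists as implied by privileged: true.
PRIVILEGED_CAPABILITIES = [
    "AUDIT_CONTROL", "BLOCK_SUSPEND", "DAC_READ_SEARCH", "IPC_LOCK",
    "IPC_OWNER", "LEASE", "LINUX_IMMUTABLE", "MAC_ADMIN", "MAC_OVERRIDE",
    "NET_ADMIN", "NET_BROADCAST", "SYSLOG", "SYS_ADMIN", "SYS_BOOT",
    "SYS_MODULE", "SYS_NICE", "SYS_PACCT", "SYS_PTRACE", "SYS_RAWIO",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "WAKE_ALARM",
]

# Non-capability settings implied by privileged mode, per the comment.
PRIVILEGED_SETTINGS = {
    "allowPrivilegeEscalation": True,
    "seccompProfile": {"type": "Unconfined"},
    "seLinuxOptions": {"type": "super_t"},
}


def expand_privileged(security_context):
    """Return a copy of security_context with privileged: true replaced by
    the explicit settings. Contexts that are not privileged are returned
    unchanged (still copied)."""
    ctx = copy.deepcopy(security_context or {})
    if not ctx.pop("privileged", False):
        return ctx
    ctx.update(copy.deepcopy(PRIVILEGED_SETTINGS))
    caps = ctx.setdefault("capabilities", {})
    existing = list(caps.get("add", []))
    # Keep whatever the author already added, then append the implied set.
    caps["add"] = existing + [c for c in PRIVILEGED_CAPABILITIES if c not in existing]
    return ctx


def needs_host_devices(container, volumes):
    """Assumption used by this example: a container that mounts a hostPath
    under /dev wants host devices, so the device-cgroup limitation applies."""
    dev_volumes = {
        v["name"] for v in volumes
        if v.get("hostPath", {}).get("path", "").startswith("/dev")
    }
    return any(m.get("name") in dev_volumes for m in container.get("volumeMounts", []))


def rewrite_pod(pod):
    """Rewrite privileged containers in a pod. Returns (new_pod, skipped) where
    skipped lists container names left privileged because they need host devices."""
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    volumes = spec.get("volumes", [])
    skipped = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        sc = container.get("securityContext") or {}
        if not sc.get("privileged"):
            continue
        if needs_host_devices(container, volumes):
            skipped.append(container["name"])
            continue
        container["securityContext"] = expand_privileged(sc)
    return pod, skipped


# Constructed sample pod: "agent" only needs host /proc, "devtool" needs /dev.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {
        "volumes": [
            {"name": "proc", "hostPath": {"path": "/proc"}},
            {"name": "dev", "hostPath": {"path": "/dev"}},
        ],
        "containers": [
            {
                "name": "agent",
                "image": "example.invalid/agent:1",
                "securityContext": {"privileged": True, "capabilities": {"add": ["NET_RAW"]}},
                "volumeMounts": [{"name": "proc", "mountPath": "/host/proc"}],
            },
            {
                "name": "devtool",
                "image": "example.invalid/devtool:1",
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "dev", "mountPath": "/dev"}],
            },
        ],
    },
}

if __name__ == "__main__":
    rewritten, left = rewrite_pod(SAMPLE_POD)
    print(json.dumps(rewritten, indent=2))
    print("still privileged (need host devices):", left)
```

Pipe the JSON output through a YAML converter of your choice to get a manifest, or call `rewrite_pod()` on the result of `yaml.safe_load()` if PyYAML is installed. The original pod object is never mutated, so the function can be used as a dry-run check before any manifest is changed.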