How to mount HostPath Volume in Kubernetes with SELinux
Expanding on the answer from VAS as it is partially correct:
You can only specify the level portion of an SELinux label when relabeling a path destination pointed to by a hostPath volume. This is done automatically by the seLinuxOptions.level attribute specified in your securityContext.
However, attributes such as seLinuxOptions.type currently have no effect on volume relabeling. As of this writing, this is still an open issue within Kubernetes.
You can assign SELinux labels using seLinuxOptions:
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
    securityContext:
      seLinuxOptions: # it may not have the desired effect
        level: "s0:c123,c456"
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: /data
      # this field is optional
      type: Directory
Thanks to Phil for pointing that out. It appears to be working only in Pod.spec.securityContext according to the issue comment.
According to documentation:
seLinuxOptions: Volumes that support SELinux labeling are relabeled to be accessible by the label specified under seLinuxOptions. Usually you only need to set the level section. This sets the Multi-Category Security (MCS) label given to all Containers in the Pod as well as the Volumes.
You could try with full permissions:
...
    image: k8s.gcr.io/test-webserver
    securityContext:
      privileged: true
...
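A check for the pitfalls both answers describe, added here as an example (not code from either answer or from Kubernetes): it takes the Pod manifest above transcribed to a dict (an assumption, so PyYAML is not needed), flags seLinuxOptions set only on the container or fields other than level, and confirms from the node's ls -dZ output that the host path carries the pod-level level.

```python
# Pod manifest from the answer above, transcribed to a dict so the check
# runs without PyYAML (constructed for this example).
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
    "spec": {
        "containers": [{
            "image": "k8s.gcr.io/test-webserver", "name": "test-container",
            "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}],
            "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}},
        }],
        "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}},
        "volumes": [{"name": "test-volume",
                     "hostPath": {"path": "/data", "type": "Directory"}}],
    },
}

def check_selinux_relabel(pod: dict) -> list:
    """Report where seLinuxOptions sits and whether hostPath volumes get the level."""
    findings = []
    spec = pod.get("spec", {})
    host_paths = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    pod_opts = spec.get("securityContext", {}).get("seLinuxOptions", {})
    if host_paths and not pod_opts.get("level"):
        findings.append("no Pod.spec.securityContext.seLinuxOptions.level: "
                        f"hostPath volumes {host_paths} will not be relabeled")
    for key in ("user", "role", "type"):
        if key in pod_opts:
            findings.append(f"pod seLinuxOptions.{key} has no effect on volume "
                            "relabeling; only level is applied")
    for c in spec.get("containers", []):
        csc = c.get("securityContext", {})
        if "seLinuxOptions" in csc:
            findings.append(f"container {c['name']}: seLinuxOptions here does not "
                            "relabel volumes; set level under Pod.spec.securityContext")
        if csc.get("privileged"):
            findings.append(f"container {c['name']}: privileged runs the container "
                            "unconfined by SELinux instead of relabeling the volume")
    return findings

def level_of(ls_z_line: str) -> str:
    """MCS level from one `ls -dZ <path>` line, e.g.
    'system_u:object_r:container_file_t:s0:c123,c456 /data' (level has ':' in it)."""
    return ls_z_line.split()[0].split(":", 3)[3]

def relabel_applied(ls_z_line: str, pod: dict) -> bool:
    """True when the host path carries the pod-level seLinuxOptions.level."""
    want = pod["spec"]["securityContext"]["seLinuxOptions"]["level"]
    return level_of(ls_z_line) == want
```

Run check_selinux_relabel(POD) against the manifest above; the only finding is the container-level seLinuxOptions, and relabel_applied() over the node's ls -dZ /data line tells you whether the level actually landed.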