```yaml
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: centos
  namespace: monitor
spec:
  replicas: 1
  template:
    metadata:
      labels:
        busybox: 'true'
    spec:
      containers:
        - args:
          image: 'centos:v2'
          imagePullPolicy: IfNotPresent
          name: busybox
          securityContext:
            runAsUser: 1000
            runAsGroup: 2000  # only supported from k8s 1.10 on and not in this environment; see "Support for RunAsGroup as a pod security context"
          volumeMounts:
            - mountPath: /centos
              name: centos-volume
      securityContext: {}
      nodeSelector:
        kubernetes.io/hostname: test
      volumes:
        - hostPath:
            path: /home/testHostPath
          name: centos-volume
      serviceAccountName: new-sa
  triggers:
    - type: ConfigChange
```
The permissions and SELinux label of /home/testHostPath on the host are as follows:
```sh
# ls -Z
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 testHostPath
```
Inside the container the directory is mounted, but the process cannot do anything with it. Note that the directory is mode 0755, so discretionary permissions alone would let any user list it; the denial has to come from somewhere else, namely SELinux:
```sh
sh-4.2$ cd /centos
sh-4.2$ ls
ls: cannot open directory .: Permission denied
```
Log on to the node where the container runs and look at the container's SELinux labels. The MountLabel has type svirt_sandbox_file_t with the MCS categories c15,c10, while the host directory created above is labelled home_root_t, which the confined container domain is not allowed to read (the corresponding AVC denial shows up in /var/log/audit/audit.log, e.g. via ausearch -m avc). The fix is to relabel the host directory so it matches what the container is allowed to access.
```sh
$ docker inspect c21736278d1a | grep "MountLabel"
        "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c15,c10",
```
```sh
$ chcon -Rt svirt_sandbox_file_t /home/testHostPath
# or
$ chcon -R unconfined_u:object_r:svirt_sandbox_file_t:s0 /home/testHostPath
# or, persistently (survives a later restorecon / filesystem relabel)
$ semanage fcontext -a -t svirt_sandbox_file_t '/home/testHostPath(/.*)?'
$ restorecon -Rv /home/testHostPath
# confirm the rule was recorded
semanage fcontext -l | grep testHostPath
# confirm the label on the files
ls -Z /home/testHostPath
```

Two caveats. The first two chcon forms change only the in-filesystem label, so a later restorecon or a full relabel reverts them; the semanage fcontext form is the one that persists. More importantly, none of the commands above set the container's MCS categories (c15,c10): the directory stays at level s0, which every container on the node can access (the same effect as Docker's :z shared volume flag). If the directory must be private to this container you have to include the categories from MountLabel in the label, but those categories are allocated per container by the runtime, so the label has to be redone each time the pod is recreated unless the pod pins its level via securityContext.seLinuxOptions. In newer container-selinux policies the type is called container_file_t, with svirt_sandbox_file_t kept as an alias.
Once SELinux is sorted out, look at the container's process (docker inspect $CONTAINERID | grep Pid) in /proc/$PID/status (see proc(5) for the meaning of each field). The container runs with user id 1000, group id 0 and supplemental group 1000230000. The UID 1000 is the one requested by runAsUser in the spec, the supplemental group (the Groups line) is the project's default range allocated by the SCC, and the primary group id (and fsGroup) is 0. Since the host directory is owned by root:root with mode 0755, this means uid 1000 can now read it but still cannot write to it.
```sh
# cat /proc/23032/status
......
Uid:    1000    1000    1000    1000
Gid:    0       0       0       0
FDSize: 2048
Groups: 1000230000
......
```
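The two checks done by hand above (does the host directory's SELinux label match the container's MountLabel, and do the process's ids from /proc/PID/status pass the directory's owner/group/other bits) can be scripted. The following is an added example, not code from the original post or from OpenShift; it parses constructed copies of the docker inspect, ls -Z and /proc/PID/status output shown above, implements the MCS dominance rule (file type must be a container file type, file categories must be a subset of the container's), and runs the classic DAC check. HOST_PASSWD and HOST_GROUP are hypothetical stand-ins for the node's /etc/passwd and /etc/group, and capabilities such as CAP_DAC_OVERRIDE are not modelled.

```python
import re

# Constructed sample inputs mirroring what the post shows; not captured from a live node.
SAMPLE_INSPECT = '"MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c15,c10",'
SAMPLE_LS_Z = "drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 testHostPath"
SAMPLE_LS_Z_SHARED = "drwxr-xr-x. root root unconfined_u:object_r:svirt_sandbox_file_t:s0 testHostPath"
SAMPLE_LS_Z_PRIVATE = "drwxr-xr-x. root root unconfined_u:object_r:svirt_sandbox_file_t:s0:c15,c10 testHostPath"
SAMPLE_LS_Z_OTHER = "drwxr-xr-x. root root unconfined_u:object_r:svirt_sandbox_file_t:s0:c15,c20 testHostPath"
SAMPLE_STATUS = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t0\t0\t0\t0\nFDSize:\t2048\nGroups:\t1000230000\n"
# Hypothetical stand-in for the node's /etc/passwd and /etc/group.
HOST_PASSWD = {"root": 0}
HOST_GROUP = {"root": 0}

# File types a confined container domain may access; svirt_sandbox_file_t is
# the older name, container_file_t the one used by current container-selinux.
CONTAINER_FILE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}


def parse_context(ctx):
    """Split 'user:role:type:s0:c15,c10' into its fields; categories become a set."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    categories = set()
    for c in filter(None, cats.split(",")):
        if "." in c:  # range form such as c0.c1023
            lo, hi = (int(x[1:]) for x in c.split("."))
            categories.update(f"c{i}" for i in range(lo, hi + 1))
        else:
            categories.add(c)
    return {"user": user, "role": role, "type": typ, "sens": sens, "cats": frozenset(categories)}


def mount_label(inspect_text):
    """Pull MountLabel out of docker inspect output; its MCS categories are the
    same ones the container's process label carries."""
    m = re.search(r'"MountLabel":\s*"([^"]*)"', inspect_text)
    if not m or not m.group(1):
        raise ValueError("no MountLabel: container is not running under SELinux labels")
    return parse_context(m.group(1))


def parse_ls_z(line):
    """Parse one 'ls -Z' line (coreutils 8.x layout: mode owner group context name)."""
    mode, owner, group, ctx, name = line.split(None, 4)
    return {"mode": mode.rstrip(".+"), "owner": owner, "group": group,
            "ctx": parse_context(ctx), "name": name}


def parse_proc_status(text):
    """Return the fsuid, fsgid and supplementary groups from /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    uid = [int(x) for x in fields["Uid"]]  # real, effective, saved, filesystem
    gid = [int(x) for x in fields["Gid"]]
    return {"uid": uid[3], "gid": gid[3], "groups": {int(x) for x in fields.get("Groups", [])}}


def selinux_allows(container, path_ctx):
    """MCS rule: the file needs a container file type and its categories must be
    a subset of the container's. A file at plain s0 has none, so every
    container on the node can reach it (shared, like Docker's :z)."""
    if path_ctx["type"] not in CONTAINER_FILE_TYPES:
        return False, f"type {path_ctx['type']} is not a container file type"
    if not path_ctx["cats"] <= container["cats"]:
        return False, f"categories {sorted(path_ctx['cats'])} not within {sorted(container['cats'])}"
    return True, "label ok"


def dac_allows(entry, proc, want="rx"):
    """Owner/group/other check with the process's filesystem ids; the kernel
    picks exactly one class (owner, then group, then other), never a union."""
    mode = entry["mode"][1:]  # drop the file-type character
    owner_gid = HOST_GROUP[entry["group"]]
    if proc["uid"] == HOST_PASSWD[entry["owner"]]:
        bits = mode[0:3]
    elif proc["gid"] == owner_gid or owner_gid in proc["groups"]:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    bits = bits.replace("s", "x").replace("t", "x")  # lowercase s/t still imply x
    missing = [w for w in want if w not in bits]
    return not missing, f"class bits {bits}, missing {missing}"


def check(inspect_text, ls_z_line, status_text, want="rx"):
    """Combine both checks; 'allowed' is what the process will actually get."""
    container = mount_label(inspect_text)
    entry = parse_ls_z(ls_z_line)
    proc = parse_proc_status(status_text)
    se_ok, se_why = selinux_allows(container, entry["ctx"])
    dac_ok, dac_why = dac_allows(entry, proc, want)
    return {"selinux": se_ok, "selinux_reason": se_why,
            "dac": dac_ok, "dac_reason": dac_why, "allowed": se_ok and dac_ok}


if __name__ == "__main__":
    for label, line in (("before relabel", SAMPLE_LS_Z), ("after chcon", SAMPLE_LS_Z_SHARED)):
        print(label, check(SAMPLE_INSPECT, line, SAMPLE_STATUS))
    print("after chcon, write access", check(SAMPLE_INSPECT, SAMPLE_LS_Z_SHARED, SAMPLE_STATUS, want="rwx"))
```

Run against the sample data the script reports the same thing the post found by hand: before relabelling, DAC passes (uid 1000 falls into the root group class via gid 0, which has r-x) but SELinux refuses because home_root_t is not a container file type; after chcon to svirt_sandbox_file_t:s0 both pass for listing, but asking for rwx still fails on DAC because only root owns the 0755 directory. SAMPLE_LS_Z_OTHER shows the private-label case, where a directory labelled with another container's categories (c15,c20) is refused even though its type is right.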
References

openshift scc 解析 (an analysis of OpenShift SCCs)