Sadly, no, the only step you missed was disabling SELinux. https://github.com/GoogleCloudPlatform/kubernetes/issues/2630
is where Paul is tracking his work around these problems.

On Fri, 2015-07-17 at 09:50 +0200, Tobias Florek wrote:
> Hi,
>
> using the following atomic host version I can't access secret volumes
> from within pods due to an AVC and selinux denying it. Is there some
> setup step that I am missing?
>
> os-version:
> atomic host status:
> 2015-07-15 23:33:20 22.61 db540a53ba fedora-atomic
> i.e.
> kubernetes-0.20.0-0.3.git835eded.fc22.x86_64
> docker-1.7.0-6.git74e7a7a.fc22.x86_64
> selinux-policy-3.13.1-128.4.fc22.noarch
>
>
> The AVC (a little redacted) looks like that
>
> type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for
> pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330
> scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
>
>
> audit2allow recommends (not to)
>
> #============= svirt_lxc_net_t ==============
>
> #!!!! WARNING: 'var_lib_t' is a base type.
> allow svirt_lxc_net_t var_lib_t:file read;
>
>
> see the following example to replicate the behavior.
>
> sample replication controller:
>
> apiVersion: v1
> kind: ReplicationController
> metadata:
>   labels:
>     name: test
>   name: test
> spec:
>   replicas: 1
>   selector:
>     name: test
>   template:
>     metadata:
>       labels:
>         name: test
>     spec:
>       containers:
>       - args:
>         - /bin/bash
>         - "-c"
>         - "whoami; ls -hlR /config; getfacl /config; getfacl /config/key; cat /config/key"
>         image: fedora
>         name: test
>         volumeMounts:
>         - mountPath: /config
>           name: config
>           readOnly: true
>       volumes:
>       - name: config
>         secret:
>           secretName: test
>
>
> and the following secret
>
> apiVersion: v1
> kind: Secret
> metadata:
>   name: test
> type: Opaque
> data:
>   key: dmFsdWUtMg0K
>
>
> Cheers,
> Tobias Florek
>
> PS: unfortunately I will be gone for 10 days and will not be able to
> answer before.
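As an added example (not part of the thread): a small Python parser for the AVC record Tobias posted. It pulls out the source and target types and the denied permission, reconstructs the rule audit2allow would emit, and flags that the target is a base type, which is why audit2allow warns against it: the rule would let every svirt_lxc_net_t container read everything labelled var_lib_t, not just the one secret file. The BASE_TYPES set is an assumption seeded only from the warning in the thread.

```python
import re

# The AVC record from the thread (slightly redacted there), used as sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for '
    'pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

# Types audit2allow calls "base types": an allow rule on one of these covers far
# more than the single file in the denial. Assumption: seeded only with the type
# named in the thread's warning; extend it for your own policy.
BASE_TYPES = {"var_lib_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # Contexts are user:role:type:level[:categories]; the type is what policy rules use.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path_hint": fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }


def allow_rule(avc):
    """The policy rule audit2allow would generate for this record."""
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perms)


def is_overbroad(avc):
    """True when the generated rule would target a base type instead of a specific label."""
    return avc["target_type"] in BASE_TYPES
```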