selinux permission denied, change mv to cp to maintain file context #2080
Conversation
| @@ -196,7 +196,7 @@ if [[ "$ENABLE_BANDWIDTH_PLUGIN" == "true" ]]; then | |||
| mv "$TMP_AWS_BW_CONFLIST_FILE" "$TMP_AWS_CONFLIST_FILE" | |||
| fi | |||
|
|
|||
| mv "$TMP_AWS_CONFLIST_FILE" "$HOST_CNI_CONFDIR_PATH/10-aws.conflist" | |||
| cp "$TMP_AWS_CONFLIST_FILE" "$HOST_CNI_CONFDIR_PATH/10-aws.conflist" && rm -rf "$TMP_AWS_CONFLIST_FILE" | |||
There was a problem hiding this comment.
Can you please a comment here explaining why we need to do this for SELinux? That way, folks looking at this later on wont optimize cp && rm for a mv and break SELinux
|
looks like this solutions unblocks the crashloop problem but issue still persists. Even though the pods get restarted fine, the file /host/etc/cni/net.d/10-aws.conflist never gets replaced. Logs are something like this: |
What type of PR is this?
bug
Which issue does this PR fix:
#2079
What does this PR do / Why do we need it:
This fixes the permissions issue experienced when SELinux enforcing mode is enabled. Entrypoint.sh script uses mv command(link) to write to host file system. When the aws-node container is killed or restarted it tries to write to the same file while has a different context(from the old container) and its not allowed by policies in SeLinux. To make it work with SeLinux, changing the mv command to cp works as cp maintains the context of file while writing.
Testing done on this change:
Unit testing
Tested with custom container image for amazon-k8s-cni
Automation added to e2e:
Will this PR introduce any new dependencies?:
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
Does this change require updates to the CNI daemonset config files to work?:
Does this PR introduce any user-facing change?:
No
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.