Custom SCC for accessing hostPath raises Permission denied on the pod

Problem description

I am using OpenShift 4.7 and have this custom SCC (the goal is read-only access to certain directories on the host node):

allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
apiVersion: security.openshift.io/v1
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'test scc'
  name: test-access
priority: 15
readOnlyRootFilesystem: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
- 'hostPath'
- 'secret'

This is my Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-test
  namespace: ubuntu-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ubuntu-test
  template:
    metadata:
      labels:
        app: ubuntu-test
    spec:
      serviceAccountName: ubuntu-test
      containers:
      - name: ubuntu-test
        image: ubuntu:latest
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
        resources:
          limits:
            cpu: 100m
            memory: 256Mi
        volumeMounts:
          - name: docker
            readOnly: true
            mountPath: /var/lib/docker/containers
          - name: containers
            readOnly: true
            mountPath: /var/log/containers
          - name: pods
            readOnly: true
            mountPath: /var/log/pods
      volumes:
        - name: docker
          hostPath:
            path: /var/lib/docker/containers
            type: ''
        - name: containers
          hostPath:
            path: /var/log/containers
            type: ''
        - name: pods
          hostPath:
            path: /var/log/pods
            type: ''

But when I rsh into the container, I cannot see the mounted hostPath:

root@ubuntu-test-6b4fcb5bd7-fnc6f:/# ls /var/log/pods
ls: cannot open directory '/var/log/pods': Permission denied

When I check the permissions, everything looks fine:

drwxr-xr-x. 44 root root   8192 Oct 12 14:30 pods

Tags: openshift
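One likely cause and its fix, added here as an example rather than the site's own answer: with SELinux enforcing on OpenShift 4 nodes, a process confined as container_t cannot read a host directory labeled var_log_t even when the directory mode is 0755, which matches the symptom above (DAC permissions look correct, ls is still denied). The Deployment below assumes that diagnosis and gives the pod the spc_t process label, which the SCC above already permits through seLinuxContext: RunAsAny; the name, namespace and /var/log/pods mount are the poster's, the securityContext and hostPath type are the additions.

```yaml
# Added example, not from the original post. Assumption: the denial comes from
# SELinux, not from file mode bits. The pod keeps its read-only hostPath mount
# and its SCC, and only changes the process label from container_t to spc_t.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-test
  namespace: ubuntu-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ubuntu-test
  template:
    metadata:
      labels:
        app: ubuntu-test
    spec:
      serviceAccountName: ubuntu-test
      securityContext:
        seLinuxOptions:
          # spc_t removes SELinux confinement for this pod's processes, so grant
          # it only to the log-reading workload, never as a cluster-wide default.
          type: spc_t
      containers:
      - name: ubuntu-test
        image: ubuntu:latest
        command: ["/bin/bash", "-c", "--"]
        args: ["while true; do sleep 30; done;"]
        securityContext:
          readOnlyRootFilesystem: true     # matches the SCC, stated explicitly
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: pods
          readOnly: true                   # keep the host logs read-only
          mountPath: /var/log/pods
      volumes:
      - name: pods
        hostPath:
          path: /var/log/pods
          type: Directory                  # fail admission if the path is missing
```

Before applying this, confirm the assumption: inside the pod, `cat /proc/1/attr/current` should show container_t, and from `oc debug node/<node>` followed by `chroot /host`, `ls -dZ /var/log/pods` should show var_log_t, with matching AVC denials in the node's audit log.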

Solution
