Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix SELinux label of bootstrap-secrets on non-bootstrapping controllers #808

Merged
merged 4 commits into from
Aug 20, 2020

Conversation

beyondbill
Copy link
Contributor

@beyondbill beyondbill commented Aug 18, 2020

There's already a merged PR addressing the same problem on the controller that runs bootstrap service. However, on other controllers, Docker pods kube-apiserver, kube-scheduler, and kube-controller-manager still cannot read files from /etc/kubernetes/bootstrap-secrets (on host) due to the wrong SELinux file label (specifically user field).

On the controller that has run bootstrap service:

[root@ip-10-20-139-198 ~]$ ls -alZ /etc/kubernetes
total 16
drwxr-xr-x.  5 root root system_u:object_r:container_file_t:s0   91 Aug 18 03:16 .
drwxr-xr-x. 80 root root system_u:object_r:etc_t:s0            4096 Aug 18 03:13 ..
drwxr-xr-x.  2 root root system_u:object_r:container_file_t:s0  220 Aug 18 03:16 bootstrap-secrets
-rw-r--r--.  1 root root system_u:object_r:container_file_t:s0 1147 Aug 18 03:13 ca.crt
drwxr-xr-x.  3 root root system_u:object_r:container_file_t:s0   19 Aug 18 03:12 cni
-rw-r--r--.  1 root root system_u:object_r:container_file_t:s0 1815 Aug 18 03:11 kubeconfig
drwxr-xr-x.  2 root root system_u:object_r:container_file_t:s0   96 Aug 18 03:16 manifests

On the controllers that don't run bootstrap service:

[root@ip-10-20-144-57 scoop-ops]# ls -alZ /etc/kubernetes
total 16
drwxr-xr-x.  5 root root system_u:object_r:container_file_t:s0       91 Aug 18 03:16 .
drwxr-xr-x. 80 root root system_u:object_r:etc_t:s0                4096 Aug 18 03:13 ..
drwxr-xr-x.  2 root root unconfined_u:object_r:container_file_t:s0  220 Aug 18 03:16 bootstrap-secrets
-rw-r--r--.  1 root root system_u:object_r:container_file_t:s0     1147 Aug 18 03:13 ca.crt
drwxr-xr-x.  3 root root system_u:object_r:container_file_t:s0       19 Aug 18 03:13 cni
-rw-r--r--.  1 root root system_u:object_r:container_file_t:s0     1815 Aug 18 03:11 kubeconfig
drwxr-xr-x.  2 root root system_u:object_r:container_file_t:s0       96 Aug 18 03:16 manifests

See the difference in user field (system_u vs unconfined_u). This PR updates the user field to system_u on all controllers. On aws/fedora-coreos, I've verified this fixes all the permission denials on files under /etc/kubernetes/secrets (container) from kube-apiserver, kube-scheduler, and kube-controller-manager containers.

CHANGES.md Outdated
@@ -33,6 +33,8 @@ Notable changes between versions.

### Fedora CoreOS

* Fix SELinux label of bootstrap-secrets on non-bootstrapping controllers ([#808](https://github.com/poseidon/typhoon/pull/808))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you move to latest, this section is for v1.18.8

Copy link
Contributor Author

@beyondbill beyondbill Aug 19, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dghubble I thought v1.18.8 is on the same level with Fedora CoreOS since they are both prefixed with ###. It turns out that v1.18.8 should be prefixed with ##

@beyondbill
Copy link
Contributor Author

beyondbill commented Aug 20, 2020

I realized I only tested on v1.18.6. So I launched another testing cluster on v1.18.8 and found additional type label needs to be fixed as well.

[scoop-ops@ip-10-20-139-173 ~]$ ls -alZ /etc/kubernetes/bootstrap-secrets
total 44
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0  220 Aug 20 00:18 .
drwxr-xr-x. 5 root root system_u:object_r:container_file_t:s0   91 Aug 20 00:18 ..
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1408 Aug 20 00:17 apiserver.crt
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1680 Aug 20 00:17 apiserver.key
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1148 Aug 20 00:17 ca.crt
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1680 Aug 20 00:17 ca.key
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1120 Aug 20 00:17 etcd-client-ca.crt
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1331 Aug 20 00:17 etcd-client.crt
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1680 Aug 20 00:17 etcd-client.key
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 5774 Aug 20 00:17 kubeconfig
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1676 Aug 20 00:17 service-account.key
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0  451 Aug 20 00:17 service-account.pub

On the controllers that don't run bootstrap service:

[scoop-ops@ip-10-20-146-19 ~]$ ls -alZ /etc/kubernetes/bootstrap-secrets
total 44
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0  220 Aug 20 00:14 .
drwxr-xr-x. 5 root root system_u:object_r:container_file_t:s0   91 Aug 20 00:14 ..
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1408 Aug 20 00:14 apiserver.crt
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1680 Aug 20 00:14 apiserver.key
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1148 Aug 20 00:14 ca.crt
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1680 Aug 20 00:14 ca.key
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1120 Aug 20 00:14 etcd-client-ca.crt
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1331 Aug 20 00:14 etcd-client.crt
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1680 Aug 20 00:14 etcd-client.key
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      5774 Aug 20 00:14 kubeconfig
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0      1676 Aug 20 00:14 service-account.key
-rw-r--r--. 1 root root system_u:object_r:user_home_t:s0       451 Aug 20 00:14 service-account.pub

This has been fixed in the latest commit.

@beyondbill beyondbill requested a review from dghubble August 20, 2020 02:51
@dghubble
Copy link
Member

This is similar to the race in #708, but more limited. The label has a chance of appearing on non-bootstrap controllers in multi-controller clusters on the first boot from disk. Its also resolved on any restart of the kubelet.service (service, reboot, auto-update) for the duration of a cluster lifecycle. The randomness of appearance stems from the same race with the first kubelet start.

Manually setting the context like this should eliminate its chance of happening during this window. Thanks

@dghubble dghubble merged commit aafa384 into poseidon:master Aug 20, 2020
Snaipe pushed a commit to aristanetworks/monsoon that referenced this pull request Apr 13, 2023
…roller (poseidon#808)

* Fix race condition for bootstrap-secrets SELinux context on non-bootstrap controllers in multi-controller FCOS clusters
* On first boot from disk on non-bootstrap controllers, adding bootstrap-secrets races with kubelet.service starting, which can cause the secrets assets to have the wrong label until kubelet.service restarts (service, reboot, auto-update)
* This can manifest as `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler` pods crashlooping on spare controllers on first cluster creation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants