MinIO Blog

SELinux configurations for Private OpenShift deployments

AJ on Red Hat OpenShift

OpenShift is the de facto Kubernetes distribution for private clouds. Because of its ease of use and setup, it is often the go-to choice for organizations running their own infrastructure. AIStor supports OpenShift in all facets, from install to configuration to updates and everything in between. Here we show how to configure SELinux so that AIStor pods start reliably on large volumes without giving up SELinux enforcement.

Overview

When a pod starts under the restricted SCC, the container runtime assigns it an MCS label and recursively relabels every file on each mounted volume to container_file_t with the pod's categories, so that only that pod can read the data. The container does not start until the relabel has finished. On a PVC holding a large number of files (an object store easily reaches millions) the walk exceeds the container creation timeout, the MinIO container never starts, and each retry repeats the walk from the beginning.

Example of the file label assigned under the restricted SecurityContextConstraint (SCC); the c19,c27 categories are the pod's MCS label, which is what the relabel stamps on every file:

system_u:object_r:container_file_t:s0:c19,c27

Current Behavior

  1. The AIStor pod cannot start and hangs in CreateContainerError.
  2. The pod's events show an Error: context deadline exceeded event.
  3. On the host, the CRI-O journal (journalctl -u crio -f) repeats the following message while the relabel is running:

Creation of container k8s_minio_production-pool-1-3_production_1678f3c3-db33-4d76-87e9-e549451d5853_1 is not yet finished. Currently at stage container volume configuration.
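As an added example that is not part of the original post, two small triage helpers for the symptoms above. The first reads CRI-O journal lines and lists the containers still stuck in the volume configuration stage (the relabel) together with how often the message was logged; the second counts how many filesystem entries a volume mount contains, which is the size of the walk SELinux has to finish inside the timeout. The sample journal lines are constructed in the format quoted above; the mount path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the MinIO post): triage helpers for the symptom
# above. SAMPLE_JOURNAL is constructed to match the message format quoted in
# the post; volume paths are assumptions for illustration.

# Feed this the output of `journalctl -u crio` taken on the node. It prints
# each container that CRI-O still reports in the "container volume
# configuration" stage (the SELinux relabel), tab-separated from the number
# of times the message was logged, most frequent first.
stuck_in_volume_configuration() {
  sed -n 's/.*Creation of container \([^ ]*\) is not yet finished\. Currently at stage container volume configuration\..*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $2 "\t" $1 }'
}

# Count the filesystem entries SELinux would have to relabel under a volume
# mount. -xdev stays on one filesystem so a bind-mounted PV is not counted
# twice through the host path.
relabel_candidates() {
  find "$1" -xdev -print | wc -l | tr -d ' '
}

# Constructed sample, in the format the post quotes from journalctl -u crio.
SAMPLE_JOURNAL='Jan 01 10:00:01 worker-0 crio[1234]: Creation of container k8s_minio_production-pool-1-3_production_1678f3c3-db33-4d76-87e9-e549451d5853_1 is not yet finished. Currently at stage container volume configuration.
Jan 01 10:00:03 worker-0 crio[1234]: Creation of container k8s_minio_production-pool-1-3_production_1678f3c3-db33-4d76-87e9-e549451d5853_1 is not yet finished. Currently at stage container volume configuration.
Jan 01 10:00:05 worker-0 crio[1234]: Created container k8s_sidecar_other-pod_ns_abc_0'

# Usage (hypothetical node; the journal is collected on the node and piped
# into this script locally):
#   oc debug node/worker-0 -- chroot /host journalctl -u crio --no-pager \
#     | stuck_in_volume_configuration
#   relabel_candidates /var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~csi/<pv>/mount
printf '%s\n' "$SAMPLE_JOURNAL" | stuck_in_volume_configuration
```

The journal helper is the quicker confirmation: if the same container name keeps coming back in the stuck list while the pod sits in CreateContainerError, the relabel is what is timing out, and the entry count from the second helper tells you whether that is plausible for the volume.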

Possible solutions

Three ways to work around this are presented below, starting with the one we recommend.

Skip SELinux Relabeling if already done with an annotation

This is the safest option and the one we recommend, even though it takes more steps. CRI-O honours the pod annotation io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel, which tells it to skip the recursive relabel of a volume whose top-level directory already carries the label it would assign, so a PVC that has been labelled once is not walked again on every restart. Because OpenShift assigns MCS categories per project, restarts of the tenant get the same label and the skip applies. The first start on a PVC whose files carry a different label still performs the full relabel; the annotation only saves the repeats. CRI-O accepts the annotation only for a runtime handler that explicitly allows it, which is why a dedicated RuntimeClass is needed. The three steps are:

  • Create a RuntimeClass whose handler name matches the runtime defined in the CRI-O drop-in below:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: selinux
handler: selinux

  • Configure CRI-O through a MachineConfig so that the selinux handler allows the annotation io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel. This MachineConfig targets the worker pool; create a second one with role master and a matching name if AIStor pods are scheduled on control-plane nodes. Note that the Machine Config Operator rolls the change out by rebooting the nodes of the pool one at a time.

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-selinux-configuration
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - contents:
            source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS5ydW50aW1lcy5zZWxpbnV4XQpydW50aW1lX3BhdGggPSAiL3Vzci9iaW4vcnVuYyIKcnVudGltZV9yb290ID0gIi9ydW4vcnVuYyIKcnVudGltZV90eXBlID0gIm9jaSIKYWxsb3dlZF9hbm5vdGF0aW9ucyA9IFsiaW8ua3ViZXJuZXRlcy5jcmktby5UcnlTa2lwVm9sdW1lU0VMaW51eExhYmVsIl0K
          mode: 0640
          overwrite: true
          path: /etc/crio/crio.conf.d/01-selinux.conf
  osImageURL: ""

The base64 payload decodes to the following CRI-O drop-in. It defines a runtime handler named selinux (the name the RuntimeClass refers to), backed by the stock runc, and lists the annotation as allowed for that handler only, so pods on the default handler cannot opt out of relabeling:

[crio.runtime.runtimes.selinux]
runtime_path = "/usr/bin/runc"
runtime_root = "/run/runc"
runtime_type = "oci"
allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"]

  • Add the annotation io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel and runtimeClassName: selinux to each pool in the Tenant spec:

spec:
  pools:
  - name: pool-0
    runtimeClassName: selinux
    annotations:
      io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: "true"
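As an added example that is not part of the original post, the shell below generates the MachineConfig from a readable CRI-O drop-in instead of a hand-pasted base64 blob, and checks that a MachineConfig (yours or one handed to you) really allows the annotation for the selinux handler before it is applied. The oc commands in the usage comments assume a cluster you are logged into; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the MinIO post): build the MachineConfig for the
# TrySkipVolumeSELinuxLabel option from a readable CRI-O drop-in, and verify
# that a given MachineConfig actually allows the annotation before applying.

ANNOTATION="io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"

# The CRI-O drop-in that the post's base64 payload decodes to: a runtime
# handler named "selinux" (plain runc) that is permitted to honour the
# annotation. The handler name must match the RuntimeClass handler.
render_crio_dropin() {
  cat <<'EOF'
[crio.runtime.runtimes.selinux]
runtime_path = "/usr/bin/runc"
runtime_root = "/run/runc"
runtime_type = "oci"
allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"]
EOF
}

# Emit a MachineConfig for the given MachineConfigPool role (worker or
# master). The name carries the role so a worker and a master copy coexist.
render_machineconfig() {
  role="$1"
  payload="$(render_crio_dropin | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 99-${role}-selinux-configuration
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - contents:
            source: data:text/plain;charset=utf-8;base64,${payload}
          mode: 0640
          overwrite: true
          path: /etc/crio/crio.conf.d/01-selinux.conf
EOF
}

# Read a MachineConfig on stdin, pull the base64 out of its data: URL and
# print the drop-in it installs, so it can be reviewed as plain TOML.
decode_machineconfig_dropin() {
  sed -n 's|.*;base64,\([A-Za-z0-9+/=]*\).*|\1|p' | head -n 1 | base64 -d
}

# Succeed only if the decoded drop-in defines the "selinux" handler and
# lists the annotation under allowed_annotations. A drop-in that merely
# mentions the annotation somewhere else (e.g. a comment) does not pass.
check_annotation_allowed() {
  dropin="$(decode_machineconfig_dropin)"
  printf '%s\n' "$dropin" | grep -q '^\[crio\.runtime\.runtimes\.selinux\]' || return 1
  printf '%s\n' "$dropin" | grep -q "^allowed_annotations *=.*\"${ANNOTATION}\"" || return 1
}

# Usage against a hypothetical cluster:
#   render_machineconfig worker | oc apply -f -
#   render_machineconfig master | oc apply -f -   # only if pods run on masters
# Review what an existing MachineConfig actually installs:
#   oc get mc 99-worker-selinux-configuration -o yaml | decode_machineconfig_dropin
#   oc get mc 99-worker-selinux-configuration -o yaml | check_annotation_allowed && echo allowed
```

Reviewing the decoded drop-in rather than the blob matters because the MachineConfig writes a file into /etc/crio/crio.conf.d as root on every node of the pool; the check confirms the payload does nothing beyond adding the one handler with the one annotation.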

Manual Skip SELinux Relabeling with spc_t

spc_t is the "super privileged container" domain: a process running in it is not confined by SELinux, so the runtime does not relabel its volumes and the pod starts immediately. The cost is that a compromise of the MinIO process is no longer contained by SELinux on that node, which is why this option is unsafe and should only be used where the annotation-based option is not available. To apply it:

  • Create an OpenShift SecurityContextConstraint (SCC) whose seLinuxContext strategy is RunAsAny, so that the pod may request spc_t (the restricted SCC uses MustRunAs and overrides any type the pod sets), and grant it to the tenant's service account
  • Set the SELinux type in the pod's security context:

securityContext:
    seLinuxOptions:
      type: "spc_t"
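As an added example that is not part of the original post, the SCC the spc_t option needs (the text above says to create one but does not show it), the binding for the tenant's service account, and two checks on what is actually running. The SCC name aistor-spc-t and the namespace and service account names are assumptions for illustration. classify_selinux_label works on process labels as printed by ps -eZ, where a confined container process shows container_t plus its MCS categories (the file side of the same pair is the container_file_t label shown earlier) and an spc_t process shows no confinement at all.

```shell
#!/bin/sh
# Added example (not from the MinIO post): SCC for the spc_t option, the
# grant to the tenant's service account, and checks for what is running.
# SCC name "aistor-spc-t", namespace and service account are assumptions.

# Render an SCC that keeps the restricted SCC's other limits (no privileged
# containers, no host namespaces, no host paths, all capabilities dropped)
# and relaxes only the SELinux strategy, which is what a pod-supplied
# seLinuxOptions.type: spc_t requires.
render_spc_t_scc() {
  cat <<'EOF'
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aistor-spc-t
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: RunAsAny        # the only relaxation: the pod may request spc_t
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users: []
groups: []
EOF
}

# Grant the SCC to the tenant's service account only, never to a group such
# as system:authenticated, so nothing else in the cluster can run unconfined.
grant_scc() {
  ns="$1"; sa="$2"
  oc adm policy add-scc-to-user aistor-spc-t -z "$sa" -n "$ns"
}

# OpenShift records the SCC a pod was admitted under in the openshift.io/scc
# annotation; list the pods in a namespace that landed on the spc_t SCC.
list_unconfined_pods() {
  ns="$1"
  oc get pods -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}' \
    | awk -F'\t' '$2 == "aistor-spc-t" { print $1 }'
}

# Classify a process label as shown by `ps -eZ` or /proc/<pid>/attr/current
# on the node: spc_t is unconfined, container_t with MCS categories is the
# normal confined state, anything else (runtime, kubelet) is reported as such.
classify_selinux_label() {
  case "$1" in
    *:spc_t:*)                 echo unconfined ;;
    *:container_t:s0:c[0-9]*)  echo confined ;;
    *)                         echo other ;;
  esac
}

# Usage against a hypothetical cluster:
#   render_spc_t_scc | oc apply -f -
#   grant_scc minio-tenant minio-sa
#   list_unconfined_pods minio-tenant
#   oc debug node/worker-0 -- chroot /host ps -eZ | grep minio   # then classify the label column
```

Keep the grant scoped to the one service account and audit list_unconfined_pods after each tenant change; the moment a pool drops spc_t again it should disappear from that list, and any pod that shows up there unexpectedly is running without SELinux confinement.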

Semi-Automatic Skip SELinux Relabeling with spc_t (OCP Version 4.13+)

OpenShift 4.13 and later offer a semi-automated way to set this up; it is documented in this Red Hat Knowledge Base article. Because it still relies on spc_t, the same loss of SELinux confinement described above applies.

Conclusion

SELinux is usually mandatory in large organizations that have to meet PCI or SOC requirements, so every application, AIStor included, has to run with it enforcing rather than disabled. In this overview we have shown the different ways AIStor can be configured on OpenShift so that its pods start reliably on large PVCs while staying under SELinux, and which of them keep the pods confined.

Feel free to try this out yourself and if there are any questions be sure to reach out to us at hello@min.io.