From 08d08f995e9896a966ec1114502ce634f35e9480 Mon Sep 17 00:00:00 2001 From: Federico Rizzo Date: Fri, 15 Apr 2022 21:51:30 +0000 Subject: [PATCH 1/2] Correct play kube docs for selinux labeling Signed-off-by: Federico Rizzo --- docs/source/markdown/podman-play-kube.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index ad3bd421d4..b959f6dd97 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md @@ -24,7 +24,7 @@ Only two volume types are supported by play kube, the *hostPath* and *persistent Note: When playing a kube YAML with init containers, the init container will be created with init type value `always`. -Note: *hostPath* volume types created by play kube will be given an SELinux private label (Z) +Note: *hostPath* volume types created by play kube will be given an SELinux shared label (z), bind mounts are not relabeled (use `chcon -t container_file_t -R `). Note: If the `:latest` tag is used, Podman will attempt to pull the image from a registry. If the image was built locally with Podman or Buildah, it will have `localhost` as the domain, in that case, Podman will use the image from the local store even if it has the `:latest` tag. From e716790af9e81f8eae528e589379860d1cc60bf9 Mon Sep 17 00:00:00 2001 From: Federico Rizzo Date: Fri, 15 Apr 2022 21:51:30 +0000 Subject: [PATCH 2/2] Fix typo in generate kube docs for selinux labeling Signed-off-by: Federico Rizzo --- docs/source/markdown/podman-generate-kube.1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/source/markdown/podman-generate-kube.1.md b/docs/source/markdown/podman-generate-kube.1.md index 8cd35140e2..cbb875f603 100644 --- a/docs/source/markdown/podman-generate-kube.1.md +++ b/docs/source/markdown/podman-generate-kube.1.md 
@@ -22,7 +22,8 @@ Init containers created with type `always` will always be generated in the kube *Note*: When using volumes and generating a Kubernetes YAML for an unprivileged and rootless podman container on an **SELinux enabled system**, one of the following options must be completed: * Add the "privileged: true" option to the pod spec * Add `type: spc_t` under the `securityContext` `seLinuxOptions` in the pod spec - * Relabel the volume via the CLI command `chcon -t container_file_t context -R ` + * Relabel the volume via the CLI command `chcon -t container_file_t -R ` + Once completed, the correct permissions will be in place to access the volume when the pod/container is created in a Kubernetes cluster. Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1).
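Review bot: In the play-kube hunk (patch 1/2), the corrected note still leaves the `chcon` invocation without a target: the backtick span ends in `-R ` with nothing after the flag, so a reader cannot tell what to relabel. Suggest spelling out the operand, e.g. `chcon -t container_file_t -R <host-path>`, and splitting the comma splice so the two statements are distinct: "Note: *hostPath* volume types created by play kube will be given an SELinux shared label (z). Bind mounts are not relabeled; use `chcon -t container_file_t -R <host-path>` on the host directory." As written, the sentence also reads as self-contradictory, since a *hostPath* volume is realized as a bind mount: please say which mounts are relabeled with `z` and which are left untouched (for instance volumes declared in the YAML versus paths supplied another way), so that the reader does not have to guess why one bind mount gets a label and another does not.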
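Review bot: In the generate-kube hunk (patch 2/2), dropping the stray word `context` is correct, but the resulting `chcon -t container_file_t -R ` has the same gap as the play-kube page: no operand follows `-R`, so the command is still not usable as shown. Suggest `chcon -t container_file_t -R <volume-path>` here, with the same placeholder wording used in podman-play-kube.1.md so the two man pages agree. The second added line (`+ ` before "Once completed") introduces a new blank line into the list; please check that it carries no trailing whitespace and that it is intended, since the surrounding text shows no blank line between the other bullets and the paragraph that follows.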