# Error: failed to start container: failed to create containerd task: mount /var/lib/kubelet/pods/.../volumes/...: operation not permitted

- **ID:** `kubernetes/volume-mount-readonly-filesystem`
- **Domain:** kubernetes
- **Category:** system_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The container runtime (containerd) cannot mount a volume because the underlying filesystem is read-only or the mount point is invalid, often due to SELinux enforcement or an AppArmor profile denying the mount.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes 1.28 | active | — | — |
| Kubernetes 1.29 | active | — | — |
| containerd 1.7.0 | active | — | — |
| Ubuntu 22.04 | active | — | — |

## Workarounds

1. **Check SELinux status.** If enforcing, temporarily set it to permissive and verify that the mount succeeds. For a persistent fix, adjust the SELinux file context for the kubelet volume directories. (90% success)
   ```
   getenforce
   setenforce 0
   semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'
   ```
2. **Check AppArmor status.** If a profile is blocking, unload it, or create a custom profile that allows mount operations. (80% success)
   ```
   aa-status
   aa-remove-unknown
   ```
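The decision logic behind workaround 1, as an added diagnostic that is not part of the original entry: it parses the text that `getenforce` and `ls -Zd` print and reports whether the volume tree needs the `container_file_t` relabel, so the node-wide `setenforce 0` step can be skipped when the label is the real problem. The sample mode and `ls -Zd` line below are constructed, not captured from a host.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original entry). It works on the text
# output of getenforce and `ls -Zd`, so it can be exercised offline on the
# constructed samples below; on a node, feed it the live command output.

# Return 0 when the getenforce output means SELinux is actively denying.
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}

# Print the SELinux type from one `ls -Zd` line, e.g.
#   system_u:object_r:var_lib_t:s0 /var/lib/kubelet/pods/<uid>/volumes
# yields var_lib_t (third colon-separated field of the context, first column).
label_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Verdict for the entry's workaround 1:
#   ok         - tree already carries container_file_t; SELinux is not the blocker
#   relabel    - Enforcing and the volume tree is mislabelled: add the semanage
#                fcontext rule from the entry, then `restorecon -R` the tree
#                (fixes the mount without setenforce 0, which drops enforcement
#                for every process on the node)
#   permissive - SELinux is not enforcing; check AppArmor (aa-status) instead
diagnose() {
    if ! selinux_enforcing "$1"; then
        echo permissive
    elif [ "$(label_type "$2")" = container_file_t ]; then
        echo ok
    else
        echo relabel
    fi
}

# Constructed sample values (not captured from a real host).
SAMPLE_MODE="Enforcing"
SAMPLE_LS="system_u:object_r:var_lib_t:s0 /var/lib/kubelet/pods/0f1e2d3c/volumes"
# Live use on a node would be:
#   diagnose "$(getenforce)" "$(ls -Zd /var/lib/kubelet/pods/*/volumes | head -n 1)"
printf 'verdict: %s\n' "$(diagnose "$SAMPLE_MODE" "$SAMPLE_LS")"   # prints relabel
```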

## Dead Ends

- Restarting kubelet or containerd doesn't fix the underlying filesystem or SELinux issue; mounts will still fail. (70% fail)
- Re-creating the pod without fixing the SELinux context or AppArmor profile results in the same mount error. (80% fail)
