github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #112021 from mrunalp/test_host_path_pv_selinux_fix

Browse Source 
Set correct SELinux label for host paths volumes created by host path provisioner
This commit is contained in:
Kubernetes Prow Robot 2022-12-23 12:35:27 -08:00 committed by GitHub
commit 0b05897c30
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubelet/config/defaults.go
View File

@ -28,5 +28,6 @@ const (
DefaultKubeletPluginContainersDirName = "plugin-containers"
DefaultKubeletPodResourcesDirName = "pod-resources"
KubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"
KubeletContainersSharedSELinuxLabel = "system_u:object_r:container_file_t:s0"
DefaultKubeletCheckpointsDirName = "checkpoints"
)

16
pkg/volume/hostpath/host_path.go
View File

@ -21,17 +21,19 @@ import (
"os"
"regexp"
"k8s.io/mount-utils"
"github.com/opencontainers/selinux/go-selinux"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/pkg/kubelet/config"
"k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/util"
"k8s.io/kubernetes/pkg/volume/util/hostutil"
"k8s.io/kubernetes/pkg/volume/util/recyclerclient"
"k8s.io/kubernetes/pkg/volume/validation"
"k8s.io/mount-utils"
)
// ProbeVolumePlugins is the primary entrypoint for volume plugins.
@ -322,7 +324,17 @@ func (r *hostPathProvisioner) Provision(selectedNode *v1.Node, allowedTopologies
pv.Spec.AccessModes = r.plugin.GetAccessModes()
}
return pv, os.MkdirAll(pv.Spec.HostPath.Path, 0750)
if err := os.MkdirAll(pv.Spec.HostPath.Path, 0750); err != nil {
return nil, err
}
if selinux.GetEnabled() {
err := selinux.SetFileLabel(pv.Spec.HostPath.Path, config.KubeletContainersSharedSELinuxLabel)
if err != nil {
return nil, fmt.Errorf("failed to set selinux label for %q: %v", pv.Spec.HostPath.Path, err)
}
}
return pv, nil
}
// hostPathDeleter deletes a hostPath PV from the cluster.