From 65e693eccbc97192c7c96b88b4b446a3ed5f5efc Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Wed, 24 Aug 2022 17:57:47 -0700 Subject: [PATCH] Set correct SELinux label for host paths volumes created by host path provisioner These host paths have a well known location under /tmp/hostpath_pv and are therefore safe to be labeled with the shared SELinux label. Without this label, the mounted volumes cannot be accessed by the container processes. Signed-off-by: Mrunal Patel --- pkg/kubelet/config/defaults.go | 1 + pkg/volume/hostpath/host_path.go | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go index b438e0d25d5..effee19e6e9 100644 --- a/pkg/kubelet/config/defaults.go +++ b/pkg/kubelet/config/defaults.go @@ -28,5 +28,6 @@ const ( DefaultKubeletPluginContainersDirName = "plugin-containers" DefaultKubeletPodResourcesDirName = "pod-resources" KubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0" + KubeletContainersSharedSELinuxLabel = "system_u:object_r:container_file_t:s0" DefaultKubeletCheckpointsDirName = "checkpoints" ) diff --git a/pkg/volume/hostpath/host_path.go b/pkg/volume/hostpath/host_path.go index c6f5b4c779c..b520c26b258 100644 --- a/pkg/volume/hostpath/host_path.go +++ b/pkg/volume/hostpath/host_path.go @@ -21,17 +21,19 @@ import ( "os" "regexp" - "k8s.io/mount-utils" + "github.com/opencontainers/selinux/go-selinux" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/uuid" + "k8s.io/kubernetes/pkg/kubelet/config" "k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume/util" "k8s.io/kubernetes/pkg/volume/util/hostutil" "k8s.io/kubernetes/pkg/volume/util/recyclerclient" "k8s.io/kubernetes/pkg/volume/validation" + "k8s.io/mount-utils" ) // ProbeVolumePlugins is the primary entrypoint for volume plugins. 
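Review bot: The new `KubeletContainersSharedSELinuxLabel` constant has no comment explaining why its value, `system_u:object_r:container_file_t:s0`, is identical to `KubeletPluginsDirSELinuxLabel` and why it deliberately carries no MCS categories; the rationale currently lives only in the commit message. Because the label is `s0` with no categories, any container_t process on the node can reach files labeled this way regardless of the per-pod categories it was started with, which is exactly the property the name "Shared" implies, so the caveat belongs next to the declaration. I would add above the constant: `// KubeletContainersSharedSELinuxLabel labels host paths that every container on the node may access (container_file_t with no MCS categories). Use only for well-known, intentionally shared locations; it defeats per-pod SELinux isolation.`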
@@ -320,7 +322,17 @@ func (r *hostPathProvisioner) Provision(selectedNode *v1.Node, allowedTopologies pv.Spec.AccessModes = r.plugin.GetAccessModes() } - return pv, os.MkdirAll(pv.Spec.HostPath.Path, 0750) + if err := os.MkdirAll(pv.Spec.HostPath.Path, 0750); err != nil { + return nil, err + } + if selinux.GetEnabled() { + err := selinux.SetFileLabel(pv.Spec.HostPath.Path, config.KubeletContainersSharedSELinuxLabel) + if err != nil { + return nil, fmt.Errorf("failed to set selinux label for %q: %v", pv.Spec.HostPath.Path, err) + } + } + + return pv, nil } // hostPathDeleter deletes a hostPath PV from the cluster.
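Review bot: When `selinux.SetFileLabel` fails, the directory created by the preceding `os.MkdirAll` is left behind on the host with an unusable label while the caller receives an error and no PV, so each retry of Provision can orphan another directory under the provisioner's base path; a best-effort `os.Remove` of the path before returning keeps the failure path from leaving residue. The error should also wrap with `%w` rather than `%v` so callers can inspect it, and the message does not need the "failed to" prefix once it is chained. Since the label is `container_file_t:s0` with no MCS categories, the directory becomes accessible to every container on the node, not just the pod that later mounts the PV; the commit message justifies this by the well-known location, but a short comment on the `if selinux.GetEnabled()` branch should say so for the next maintainer. Provision's signature and the earlier part of its body are outside this hunk, so I cannot see whether `fmt` is already imported in this file; if it is not, the import hunk above must add it.
```go
	if err := os.MkdirAll(pv.Spec.HostPath.Path, 0750); err != nil {
		return nil, err
	}
	// The shared label carries no MCS categories, so every container on this
	// node can access the directory; acceptable only because these PVs live
	// under a well-known, intentionally shared base path.
	if selinux.GetEnabled() {
		if err := selinux.SetFileLabel(pv.Spec.HostPath.Path, config.KubeletContainersSharedSELinuxLabel); err != nil {
			// Best effort: do not leave an unlabeled, unusable directory behind.
			_ = os.Remove(pv.Spec.HostPath.Path)
			return nil, fmt.Errorf("setting selinux label on %q: %w", pv.Spec.HostPath.Path, err)
		}
	}
	// … unchanged: return pv, nil …
```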