diff --git a/pkg/volume/csi/csi_mounter_test.go b/pkg/volume/csi/csi_mounter_test.go
index b1787266202..c260302ae0b 100644
--- a/pkg/volume/csi/csi_mounter_test.go
+++ b/pkg/volume/csi/csi_mounter_test.go
@@ -107,10 +107,13 @@ func TestMounterGetPath(t *testing.T) {
 func TestMounterSetUp(t *testing.T) {
 tests := []struct {
- name string
- driver string
- volumeContext map[string]string
- expectedVolumeContext map[string]string
+ name string
+ driver string
+ volumeContext map[string]string
+ seLinuxLabel string
+ enableSELinuxFeatureGate bool
+ expectedSELinuxContext string
+ expectedVolumeContext map[string]string
 }{
 {
 name: "no pod info",
@@ -154,12 +157,39 @@ func TestMounterSetUp(t *testing.T) {
 volumeContext: nil,
 expectedVolumeContext: map[string]string{"csi.storage.k8s.io/pod.uid": "test-pod", "csi.storage.k8s.io/serviceAccount.name": "test-service-account", "csi.storage.k8s.io/pod.name": "test-pod", "csi.storage.k8s.io/pod.namespace": "test-ns", "csi.storage.k8s.io/ephemeral": "false"},
 },
+ {
+ name: "should include SELinux mount options, if feature-gate is enabled and driver supports it",
+ driver: "supports_selinux",
+ volumeContext: nil,
+ seLinuxLabel: "s0,c0",
+ expectedSELinuxContext: "context=\"s0,c0\"",
+ enableSELinuxFeatureGate: true,
+ expectedVolumeContext: nil,
+ },
+ {
+ name: "should not include selinux mount options, if feature gate is enabled but driver does not support it",
+ driver: "no_selinux",
+ seLinuxLabel: "s0,c0",
+ volumeContext: nil,
+ enableSELinuxFeatureGate: true,
+ expectedVolumeContext: nil,
+ },
+ {
+ name: "should not include selinux mount option, if feature gate is enabled but CSIDriver does not exist",
+ driver: "not_found_selinux",
+ seLinuxLabel: "s0,c0",
+ volumeContext: nil,
+ enableSELinuxFeatureGate: true,
+ expectedVolumeContext: nil,
+ },
 }
 noPodMountInfo := false
 currentPodInfoMount := true
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
+ defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.enableSELinuxFeatureGate)()
+
 modes := []storage.VolumeLifecycleMode{
 storage.VolumeLifecyclePersistent,
 }
@@ -167,6 +197,8 @@ func TestMounterSetUp(t *testing.T) {
 getTestCSIDriver("no-info", &noPodMountInfo, nil, modes),
 getTestCSIDriver("info", ¤tPodInfoMount, nil, modes),
 getTestCSIDriver("nil", nil, nil, modes),
+ getTestCSIDriver("supports_selinux", &noPodMountInfo, nil, modes),
+ getTestCSIDriver("no_selinux", &noPodMountInfo, nil, modes),
 )
 plug, tmpDir := newTestPlugin(t, fakeClient)
 defer os.RemoveAll(tmpDir)
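Review bot: None of the three new table entries sets `enableSELinuxFeatureGate: false` together with a non-empty `seLinuxLabel`, so the test never shows that the feature gate itself suppresses the `context=` mount option for a driver that advertises support. Add a fourth entry such as `driver: "supports_selinux", seLinuxLabel: "s0,c0", enableSELinuxFeatureGate: false` with `expectedSELinuxContext` left empty. The entries visible above the additions leave the label unset, so they presumably cover only the no-label path; TestMounterSetUp starts and ends outside this hunk.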
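Review bot: The "CSIDriver does not exist" case only works because `not_found_selinux` is absent from this fake-client list, and nothing here says so. A one-line comment above the two new entries, e.g. `// "not_found_selinux" is deliberately not registered so the NotFound path is exercised`, would keep a later edit from registering it. With the driver registered the case would most likely still pass, but it would no longer reach the NotFound branch in SupportsSELinuxContextMount.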
@@ -226,10 +258,20 @@ func TestMounterSetUp(t *testing.T) {
 var mounterArgs volume.MounterArgs
 fsGroup := int64(2000)
 mounterArgs.FsGroup = &fsGroup
+
+ if test.seLinuxLabel != "" {
+ mounterArgs.SELinuxLabel = test.seLinuxLabel
+ }
+
+ expectedMountOptions := pv.Spec.MountOptions
+
+ if test.expectedSELinuxContext != "" {
+ expectedMountOptions = append(expectedMountOptions, test.expectedSELinuxContext)
+ }
+
 if err := csiMounter.SetUp(mounterArgs); err != nil {
 t.Fatalf("mounter.Setup failed: %v", err)
 }
- //Test the default value of file system type is not overridden
 if len(csiMounter.spec.PersistentVolume.Spec.CSI.FSType) != 0 {
 t.Errorf("default value of file system type was overridden by type %s", csiMounter.spec.PersistentVolume.Spec.CSI.FSType)
@@ -253,8 +295,8 @@ func TestMounterSetUp(t *testing.T) {
 if vol.Path != csiMounter.GetPath() {
 t.Errorf("csi server expected path %s, got %s", csiMounter.GetPath(), vol.Path)
 }
- if !reflect.DeepEqual(vol.MountFlags, pv.Spec.MountOptions) {
- t.Errorf("csi server expected mount options %v, got %v", pv.Spec.MountOptions, vol.MountFlags)
+ if !reflect.DeepEqual(vol.MountFlags, expectedMountOptions) {
+ t.Errorf("csi server expected mount options %v, got %v", expectedMountOptions, vol.MountFlags)
 }
 if !reflect.DeepEqual(vol.VolumeContext, test.expectedVolumeContext) {
 t.Errorf("csi server expected volumeContext %+v, got %+v", test.expectedVolumeContext, vol.VolumeContext)
diff --git a/pkg/volume/csi/csi_plugin.go b/pkg/volume/csi/csi_plugin.go
index 39cc13ca7cf..efe48cfb73b 100644
--- a/pkg/volume/csi/csi_plugin.go
+++ b/pkg/volume/csi/csi_plugin.go
@@ -579,6 +579,9 @@ func (p *csiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error)
 }
 csiDriver, err := p.getCSIDriver(driver)
 if err != nil {
+ if apierrors.IsNotFound(err) {
+ return false, nil
+ }
 return false, err
 }
 if csiDriver.Spec.SELinuxMount != nil {
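Review bot: `expectedMountOptions := pv.Spec.MountOptions` followed by `append` aliases the PV's own slice, so if that slice has spare capacity the expected value is written into the backing array the mounter under test also reads. Copy it first, `expectedMountOptions := append([]string(nil), pv.Spec.MountOptions...)`, so the expectation is independent of the object being checked. The hunk also deletes the `//Test the default value of file system type is not overridden` comment, which looks unrelated to the SELinux change and is worth restoring.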
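Review bot: The new `apierrors.IsNotFound(err)` branch returns `false, nil` with no comment or log line, so a missing CSIDriver object silently turns off the SELinux `context=` mount option for that volume. That is the conservative direction, but the intent should be written down, e.g. `// No CSIDriver object: the driver has not declared SELinuxMount support, so treat it as unsupported.` A low-verbosity log naming the driver would also help operators. Without one, a NotFound from a lister that has not caught up yet looks the same as a driver that never opted in; this is inferred, since getCSIDriver is not visible here. SupportsSELinuxContextMount starts and ends outside the hunk.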
diff --git a/pkg/volume/csi/csi_util_test.go b/pkg/volume/csi/csi_util_test.go
index f287ce19623..4450c268161 100644
--- a/pkg/volume/csi/csi_util_test.go
+++ b/pkg/volume/csi/csi_util_test.go
@@ -87,7 +87,9 @@ func makeTestVol(name string, driverName string) *api.Volume {
 func getTestCSIDriver(name string, podInfoMount *bool, attachable *bool, volumeLifecycleModes []storagev1.VolumeLifecycleMode) *storagev1.CSIDriver {
 defaultFSGroupPolicy := storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy
- return &storagev1.CSIDriver{
+ seLinuxMountSupport := true
+ noSElinuxMountSupport := false
+ driver := &storagev1.CSIDriver{
 ObjectMeta: meta.ObjectMeta{
 Name: name,
 },
@@ -98,6 +100,13 @@ func getTestCSIDriver(name string, podInfoMount *bool, attachable *bool, volumeL
 FSGroupPolicy: &defaultFSGroupPolicy,
 },
 }
+ switch driver.Name {
+ case "supports_selinux":
+ driver.Spec.SELinuxMount = &seLinuxMountSupport
+ case "no_selinux":
+ driver.Spec.SELinuxMount = &noSElinuxMountSupport
+ }
+ return driver
 }
 func TestSaveVolumeData(t *testing.T) {
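Review bot: The `switch driver.Name` ties this helper's behaviour to two magic strings that csi_mounter_test.go repeats verbatim. A typo in either file yields a driver with `SELinuxMount` left unset, so the "supports" case fails for a non-obvious reason while the `no_selinux` case would most likely keep passing. Declare the names as shared test constants, or at least list the reserved names in a doc comment on getTestCSIDriver. The local `noSElinuxMountSupport` added in the preceding hunk should be spelled `noSELinuxMountSupport` to match `seLinuxMountSupport`.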