diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
index 831324813de..ecc1d23a603 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
@@ -817,15 +817,11 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
 		return false, "", newVolumeNotAttachedError(volumeName)
 	}
 
+	// The volume exists, check its SELinux context mount option
 	if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
-		if volumeObj.seLinuxMountContext != nil {
-			// The volume is mounted, check its SELinux context mount option
-			if *volumeObj.seLinuxMountContext != seLinuxLabel {
-				fullErr := newSELinuxMountMismatchError(volumeName)
-				if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
-					return false, volumeObj.devicePath, fullErr
-				}
-			}
+		if volumeObj.seLinuxMountContext != nil && *volumeObj.seLinuxMountContext != seLinuxLabel {
+			fullErr := newSELinuxMountMismatchError(volumeName)
+			return false, volumeObj.devicePath, fullErr
 		}
 	}
 
diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
index fd4be85f0df..e69018c4d1c 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
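Review bot: Removing the `util.VolumeSupportsSELinuxMount(volumeObj.spec)` guard widens when a mismatch is reported: any volume whose `seLinuxMountContext` is non-nil and differs from `seLinuxLabel` is now rejected, whether or not the plugin supports SELinux mounts. That is only correct if `seLinuxMountContext` is never populated for volumes that do not support SELinux mount, which this hunk does not show; if that invariant holds, the added comment should say so, e.g. `// seLinuxMountContext is only set for volumes that support SELinux mount, so any mismatch must be reported.` The `fullErr` temporary can also be folded into the return: `return false, volumeObj.devicePath, newSELinuxMountMismatchError(volumeName)`. PodExistsInVolume starts and ends outside the hunk.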
@@ -892,7 +892,8 @@ func Test_AddPodToVolume_Positive_SELinux(t *testing.T) {
 	verifyVolumeExistsAswWithSELinux(t, generatedVolumeName, "system_u:object_r:container_file_t:s0:c0,c1", asw)
 	verifyVolumeDoesntExistInUnmountedVolumes(t, generatedVolumeName, asw)
 	verifyVolumeDoesntExistInGloballyMountedVolumes(t, generatedVolumeName, asw)
-	verifyPodExistsInVolumeAsw(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, asw)
+	verifyPodExistsInVolumeAswWithSELinux(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, "system_u:object_r:container_file_t:s0:c0,c1", asw)
+	verifyPodExistsInVolumeSELinuxMismatch(t, podName, generatedVolumeName, "" /* wrong SELinux label */, asw)
 	verifyVolumeExistsWithSpecNameInVolumeAsw(t, podName, volumeSpec.Name(), asw)
 	verifyVolumeMountedElsewhere(t, podName, generatedVolumeName, false /*expectedMountedElsewhere */, asw)
 }
@@ -1154,8 +1155,18 @@ func verifyPodExistsInVolumeAsw(
 	expectedVolumeName v1.UniqueVolumeName,
 	expectedDevicePath string,
 	asw ActualStateOfWorld) {
+	verifyPodExistsInVolumeAswWithSELinux(t, expectedPodName, expectedVolumeName, expectedDevicePath, "", asw)
+}
+
+func verifyPodExistsInVolumeAswWithSELinux(
+	t *testing.T,
+	expectedPodName volumetypes.UniquePodName,
+	expectedVolumeName v1.UniqueVolumeName,
+	expectedDevicePath string,
+	expectedSELinuxLabel string,
+	asw ActualStateOfWorld) {
 	podExistsInVolume, devicePath, err :=
-		asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, "")
+		asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, expectedSELinuxLabel)
 	if err != nil {
 		t.Fatalf(
 			"ASW PodExistsInVolume failed. Expected: Actual: <%v>", err)
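Review bot: The new helper `verifyPodExistsInVolumeAswWithSELinux` in the second hunk has no comment explaining what `expectedSELinuxLabel` means, and the delegation from `verifyPodExistsInVolumeAsw` passes `""` without saying that this is the label the caller expects the mount to carry rather than a "skip the check" value; with the production change in this commit, a volume mounted with a non-empty context compared against `""` will now fail the helper. A short doc comment above the new function would make the contract explicit, e.g. `// verifyPodExistsInVolumeAswWithSELinux asserts that the pod is in the volume when queried with expectedSELinuxLabel; pass "" only for volumes mounted without an SELinux context.` Both helpers continue past the end of the hunk.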
@@ -1221,6 +1232,26 @@ func verifyPodDoesntExistInVolumeAsw(
 	}
 }
 
+func verifyPodExistsInVolumeSELinuxMismatch(
+	t *testing.T,
+	podToCheck volumetypes.UniquePodName,
+	volumeToCheck v1.UniqueVolumeName,
+	unexpectedSELinuxLabel string,
+	asw ActualStateOfWorld) {
+
+	podExistsInVolume, _, err := asw.PodExistsInVolume(podToCheck, volumeToCheck, resource.Quantity{}, unexpectedSELinuxLabel)
+	if podExistsInVolume {
+		t.Errorf("expected Pod %s not to exists, but it does", podToCheck)
+	}
+	if err == nil {
+		t.Error("expected PodExistsInVolume to return error, but it returned nil")
+	}
+
+	if !IsSELinuxMountMismatchError(err) {
+		t.Errorf("expected PodExistsInVolume to return SELinuxMountMismatchError, got %s", err)
+	}
+}
+
 func verifyVolumeExistsWithSpecNameInVolumeAsw(
 	t *testing.T,
 	expectedPodName volumetypes.UniquePodName,
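Review bot: In `verifyPodExistsInVolumeSELinuxMismatch`, a nil `err` is reported with `t.Error` but execution continues into `IsSELinuxMountMismatchError(err)` and a second `t.Errorf` that formats the nil error with `%s`, producing a confusing `%!s(<nil>)` in the test output. Make the nil check terminal and use `%v` for the error: `t.Fatal("expected PodExistsInVolume to return error, but it returned nil")` and `t.Errorf("expected PodExistsInVolume to return SELinuxMountMismatchError, got %v", err)`. The first message also has a grammar slip, `not to exists`, which should read `not to exist`.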