Merge pull request #113321 from jsafrane/selinux-all-plugins

Add SELinux mount support to all volume plugins
2025-07-20 18:31:15 +00:00 · 2022-10-31 13:14:44 -07:00 · 2022-10-31 13:14:44 -07:00 · 373a78feab
commit 373a78feab
parent 4a3bac5eae 63ab1c86e7
4 changed files with 35 additions and 14 deletions
--- a/pkg/volume/fc/attacher.go
+++ b/pkg/volume/fc/attacher.go
@ -94,7 +94,7 @@ func (attacher *fcAttacher) GetDeviceMountPath(
 	return attacher.manager.MakeGlobalPDName(*mounter.fcDisk), nil
 }

-func (attacher *fcAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, _ volume.DeviceMounterArgs) error {
+func (attacher *fcAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, mountArgs volume.DeviceMounterArgs) error {
 	mounter := attacher.host.GetMounter(fcPluginName)
 	notMnt, err := mounter.IsLikelyNotMountPoint(deviceMountPath)
 	if err != nil {
@ -117,6 +117,9 @@ func (attacher *fcAttacher) MountDevice(spec *volume.Spec, devicePath string, de
 	if readOnly {
 		options = append(options, "ro")
 	}
+	if mountArgs.SELinuxLabel != "" {
+		options = volumeutil.AddSELinuxMountOption(options, mountArgs.SELinuxLabel)
+	}
 	if notMnt {
 		diskMounter := &mount.SafeFormatAndMount{Interface: mounter, Exec: attacher.host.GetExec(fcPluginName)}
 		mountOptions := volumeutil.MountOptionFromSpec(spec, options...)
--- a/pkg/volume/fc/fc.go
+++ b/pkg/volume/fc/fc.go
@ -23,7 +23,9 @@ import (
 	"strconv"
 	"strings"

+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/mount-utils"
 	utilexec "k8s.io/utils/exec"
 	"k8s.io/utils/io"
@ -100,7 +102,7 @@ func (plugin *fcPlugin) SupportsBulkVolumeVerification() bool {
 }

 func (plugin *fcPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
-	return false, nil
+	return true, nil
 }

 func (plugin *fcPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
@ -364,6 +366,7 @@ type fcDiskMounter struct {
 	mounter                   *mount.SafeFormatAndMount
 	deviceUtil                util.DeviceUtil
 	mountOptions              []string
+	mountedWithSELinuxContext bool
 }

 var _ volume.Mounter = &fcDiskMounter{}
@ -372,7 +375,7 @@ func (b *fcDiskMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SELinuxRelabel: true,
+		SELinuxRelabel: !b.mountedWithSELinuxContext,
 	}
 }

@ -386,6 +389,11 @@ func (b *fcDiskMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) erro
 	if err != nil {
 		klog.Errorf("fc: failed to setup")
 	}
+
+	if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		// The volume must have been mounted in MountDevice with -o context.
+		b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != ""
+	}
 	return err
 }

--- a/pkg/volume/rbd/attacher.go
+++ b/pkg/volume/rbd/attacher.go
@ -146,7 +146,7 @@ func (attacher *rbdAttacher) GetDeviceMountPath(spec *volume.Spec) (string, erro
 // MountDevice implements Attacher.MountDevice. It is called by the kubelet to
 // mount device at the given mount path.
 // This method is idempotent, callers are responsible for retrying on failure.
-func (attacher *rbdAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, _ volume.DeviceMounterArgs) error {
+func (attacher *rbdAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, mountArgs volume.DeviceMounterArgs) error {
 	klog.V(4).Infof("rbd: mouting device %s to %s", devicePath, deviceMountPath)
 	notMnt, err := attacher.mounter.IsLikelyNotMountPoint(deviceMountPath)
 	if err != nil {
@ -174,7 +174,11 @@ func (attacher *rbdAttacher) MountDevice(spec *volume.Spec, devicePath string, d
 	if ro {
 		options = append(options, "ro")
 	}
+	if mountArgs.SELinuxLabel != "" {
+		options = volutil.AddSELinuxMountOption(options, mountArgs.SELinuxLabel)
+	}
 	mountOptions := volutil.MountOptionFromSpec(spec, options...)
+
 	err = attacher.mounter.FormatAndMount(devicePath, deviceMountPath, fstype, mountOptions)
 	if err != nil {
 		os.Remove(deviceMountPath)
--- a/pkg/volume/rbd/rbd.go
+++ b/pkg/volume/rbd/rbd.go
@ -126,7 +126,7 @@ func (plugin *rbdPlugin) SupportsBulkVolumeVerification() bool {
 }

 func (plugin *rbdPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
-	return false, nil
+	return true, nil
 }

 func (plugin *rbdPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
@ -784,6 +784,7 @@ type rbd struct {
 	// Utility interface that provides API calls to the provider to attach/detach disks.
 	manager                   diskManager
 	volume.MetricsProvider    `json:"-"`
+	mountedWithSELinuxContext bool
 }

 var _ volume.Volume = &rbd{}
@ -837,7 +838,7 @@ func (rbd *rbd) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       rbd.ReadOnly,
 		Managed:        !rbd.ReadOnly,
-		SELinuxRelabel: true,
+		SELinuxRelabel: !rbd.mountedWithSELinuxContext,
 	}
 }

@ -853,6 +854,11 @@ func (b *rbdMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) error {
 		klog.Errorf("rbd: failed to setup at %s %v", dir, err)
 		return err
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		// The volume must have been mounted in MountDevice with -o context.
+		b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != ""
+	}
+
 	klog.V(3).Infof("rbd: successfully setup at %s", dir)
 	return err
 }