github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 23:15:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #33663 from pmorie/selinux-fixes

Browse Source 
Automatic merge from submit-queue

SELinux Overhaul

Overhauls handling of SELinux in Kubernetes.  TLDR: Kubelet dir no longer has to be labeled `svirt_sandbox_file_t`.

Fixes #33351 and #33510.  Implements #33951.
This commit is contained in:
Kubernetes Submit Queue 2016-11-01 05:04:17 -07:00 committed by GitHub
commit 44b684ad53
17 changed files with 81 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
hack/local-up-cluster.sh
View File

@ -418,18 +418,6 @@ function start_kubelet {
mkdir -p /var/lib/kubelet
if [[ -z "${DOCKERIZE_KUBELET}" ]]; then
# On selinux enabled systems, it might
# require to relabel /var/lib/kubelet
if which selinuxenabled &> /dev/null && \
selinuxenabled && \
which chcon > /dev/null ; then
if [[ ! $(ls -Zd /var/lib/kubelet) =~ system_u:object_r:svirt_sandbox_file_t:s0 ]] ; then
echo "Applying SELinux label to /var/lib/kubelet directory."
if ! sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet; then
echo "Failed to apply selinux label to /var/lib/kubelet."
fi
fi
fi
# Enable dns
if [[ "${ENABLE_CLUSTER_DNS}" = true ]]; then
dns_args="--cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}"
@ -509,7 +497,7 @@ function start_kubelet {
--volume=/var/run:/var/run:rw \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:ro \
--volume=/var/lib/kubelet/:/var/lib/kubelet:rw,z \
--volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
--volume=/dev:/dev \
${cred_bind} \
--net=host \

14
hack/make-rules/test-e2e-node.sh
View File

@ -152,20 +152,6 @@ else
test_args="$test_args --disable-kubenet=true"
fi
# On selinux enabled systems, it might
# require to relabel /var/lib/kubelet
if which selinuxenabled &> /dev/null && \
selinuxenabled && \
which chcon > /dev/null ; then
mkdir -p /var/lib/kubelet
if [[ ! $(ls -Zd /var/lib/kubelet) =~ svirt_sandbox_file_t ]] ; then
echo "Applying SELinux label to /var/lib/kubelet directory."
if ! sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet; then
echo "Failed to apply selinux label to /var/lib/kubelet."
fi
fi
fi
# Test using the host the script was run on
# Provided for backwards compatibility
go run test/e2e_node/runner/local/run_local.go --ginkgo-flags="$ginkgoflags" \

1
pkg/kubelet/BUILD
View File

@ -106,7 +106,6 @@ go_library(
"//pkg/util/oom:go_default_library",
"//pkg/util/procfs:go_default_library",
"//pkg/util/runtime:go_default_library",
"//pkg/util/selinux:go_default_library",
"//pkg/util/sets:go_default_library",
"//pkg/util/term:go_default_library",
"//pkg/util/validation:go_default_library",

1
pkg/kubelet/dockertools/BUILD
View File

@ -56,6 +56,7 @@ go_library(
"//pkg/util/oom:go_default_library",
"//pkg/util/procfs:go_default_library",
"//pkg/util/runtime:go_default_library",
"//pkg/util/selinux:go_default_library",
"//pkg/util/sets:go_default_library",
"//pkg/util/strings:go_default_library",
"//pkg/util/term:go_default_library",

23
pkg/kubelet/dockertools/docker_manager.go
View File

@ -65,6 +65,7 @@ import (
"k8s.io/kubernetes/pkg/util/oom"
"k8s.io/kubernetes/pkg/util/procfs"
utilruntime "k8s.io/kubernetes/pkg/util/runtime"
"k8s.io/kubernetes/pkg/util/selinux"
"k8s.io/kubernetes/pkg/util/sets"
utilstrings "k8s.io/kubernetes/pkg/util/strings"
"k8s.io/kubernetes/pkg/util/term"
@ -507,20 +508,14 @@ func makeEnvList(envs []kubecontainer.EnvVar) (result []string) {
// '<HostPath>:<ContainerPath>', or
// '<HostPath>:<ContainerPath>:ro', if the path is read only, or
// '<HostPath>:<ContainerPath>:Z', if the volume requires SELinux
// relabeling and the pod provides an SELinux label
func makeMountBindings(mounts []kubecontainer.Mount, podHasSELinuxLabel bool) (result []string) {
// relabeling
func makeMountBindings(mounts []kubecontainer.Mount) (result []string) {
for _, m := range mounts {
bind := fmt.Sprintf("%s:%s", m.HostPath, m.ContainerPath)
if m.ReadOnly {
bind += ":ro"
}
// Only request relabeling if the pod provides an
// SELinux context. If the pod does not provide an
// SELinux context relabeling will label the volume
// with the container's randomly allocated MCS label.
// This would restrict access to the volume to the
// container which mounts it first.
if m.SELinuxRelabel && podHasSELinuxLabel {
if m.SELinuxRelabel && selinux.SELinuxEnabled() {
if m.ReadOnly {
bind += ",Z"
} else {
@ -646,8 +641,7 @@ func (dm *DockerManager) runContainer(
{PathOnHost: "/dev/nvidia-uvm", PathInContainer: "/dev/nvidia-uvm", CgroupPermissions: "mrw"},
}
}
podHasSELinuxLabel := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SELinuxOptions != nil
binds := makeMountBindings(opts.Mounts, podHasSELinuxLabel)
binds := makeMountBindings(opts.Mounts)
// The reason we create and mount the log file in here (not in kubelet) is because
// the file's location depends on the ID of the container, and we need to create and
// mount the file before actually starting the container.
@ -666,6 +660,13 @@ func (dm *DockerManager) runContainer(
} else {
fs.Close() // Close immediately; we're just doing a `touch` here
b := fmt.Sprintf("%s:%s", containerLogPath, container.TerminationMessagePath)
// Have docker relabel the termination log path if SELinux is
// enabled.
if selinux.SELinuxEnabled() {
b += ":Z"
}
binds = append(binds, b)
}
}

18
pkg/kubelet/kubelet_pods.go
View File

@ -133,10 +133,11 @@ func makeHostsMount(podDir, podIP, hostName, hostDomainName string) (*kubecontai
return nil, err
}
return &kubecontainer.Mount{
Name: "k8s-managed-etc-hosts",
ContainerPath: etcHostsPath,
HostPath: hostsFilePath,
ReadOnly: false,
Name: "k8s-managed-etc-hosts",
ContainerPath: etcHostsPath,
HostPath: hostsFilePath,
ReadOnly: false,
SELinuxRelabel: true,
}, nil
}
@ -251,15 +252,6 @@ func (kl *Kubelet) GenerateRunContainerOptions(pod *api.Pod, container *api.Cont
volumes := kl.volumeManager.GetMountedVolumesForPod(podName)
opts.PortMappings = makePortMappings(container)
// Docker does not relabel volumes if the container is running
// in the host pid or ipc namespaces so the kubelet must
// relabel the volumes
if pod.Spec.SecurityContext != nil && (pod.Spec.SecurityContext.HostIPC || pod.Spec.SecurityContext.HostPID) {
err = kl.relabelVolumes(pod, volumes)
if err != nil {
return nil, err
}
}
opts.Mounts, err = makeMounts(pod, kl.getPodDir(pod.UID), container, hostname, hostDomainName, podIP, volumes)
if err != nil {

48
pkg/kubelet/kubelet_volumes.go
View File

@ -19,16 +19,13 @@ package kubelet
import (
"fmt"
"os"
"path/filepath"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/api"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/securitycontext"
"k8s.io/kubernetes/pkg/types"
utilerrors "k8s.io/kubernetes/pkg/util/errors"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/util/selinux"
"k8s.io/kubernetes/pkg/util/sets"
"k8s.io/kubernetes/pkg/volume"
volumetypes "k8s.io/kubernetes/pkg/volume/util/types"
@ -81,51 +78,6 @@ func (kl *Kubelet) newVolumeMounterFromPlugins(spec *volume.Spec, pod *api.Pod,
return physicalMounter, nil
}
// relabelVolumes relabels SELinux volumes to match the pod's
// SELinuxOptions specification. This is only needed if the pod uses
// hostPID or hostIPC. Otherwise relabeling is delegated to docker.
func (kl *Kubelet) relabelVolumes(pod *api.Pod, volumes kubecontainer.VolumeMap) error {
if pod.Spec.SecurityContext.SELinuxOptions == nil {
return nil
}
rootDirContext, err := kl.getRootDirContext()
if err != nil {
return err
}
selinuxRunner := selinux.NewSelinuxContextRunner()
// Apply the pod's Level to the rootDirContext
rootDirSELinuxOptions, err := securitycontext.ParseSELinuxOptions(rootDirContext)
if err != nil {
return err
}
rootDirSELinuxOptions.Level = pod.Spec.SecurityContext.SELinuxOptions.Level
volumeContext := fmt.Sprintf("%s:%s:%s:%s", rootDirSELinuxOptions.User, rootDirSELinuxOptions.Role, rootDirSELinuxOptions.Type, rootDirSELinuxOptions.Level)
for _, vol := range volumes {
if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SupportsSELinux {
// Relabel the volume and its content to match the 'Level' of the pod
path, err := volume.GetPath(vol.Mounter)
if err != nil {
return err
}
err = filepath.Walk(path, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
return selinuxRunner.SetContext(path, volumeContext)
})
if err != nil {
return err
}
vol.SELinuxLabeled = true
}
}
return nil
}
// cleanupOrphanedPodDirs removes the volumes of pods that should not be
// running and that have no containers running.
func (kl *Kubelet) cleanupOrphanedPodDirs(

2
pkg/kubelet/rkt/rkt.go
View File

@ -1082,7 +1082,7 @@ func (r *Runtime) preparePodArgs(manifest *appcschema.PodManifest, manifestFileN
}
func (r *Runtime) getSelinuxContext(opt *api.SELinuxOptions) (string, error) {
selinuxRunner := selinux.NewSelinuxContextRunner()
selinuxRunner := selinux.NewSELinuxRunner()
str, err := selinuxRunner.Getfilecon(r.config.Dir)
if err != nil {
return "", err

3
pkg/util/selinux/doc.go
View File

@ -14,5 +14,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
// Package selinux contains selinux utility functions.
// Package selinux contains wrapper functions for the libcontainer SELinux
// package. A NOP implementation is provided for non-linux platforms.
package selinux // import "k8s.io/kubernetes/pkg/util/selinux"

24
pkg/util/selinux/selinux.go
View File

@ -16,14 +16,24 @@ limitations under the License.
package selinux
// SelinuxContextRunner knows how to chcon of a directory and
// how to get the selinux context of a file.
type SelinuxContextRunner interface {
SetContext(dir, context string) error
// Note: the libcontainer SELinux package is only built for Linux, so it is
// necessary to have a NOP wrapper which is built for non-Linux platforms to
// allow code that links to this package not to differentiate its own methods
// for Linux and non-Linux platforms.
//
// SELinuxRunner wraps certain libcontainer SELinux calls. For more
// information, see:
//
// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
type SELinuxRunner interface {
// Getfilecon returns the SELinux context for the given path or returns an
// error.
Getfilecon(path string) (string, error)
}
// NewSelinuxContextRunner returns a new chconRunner.
func NewSelinuxContextRunner() SelinuxContextRunner {
return &realSelinuxContextRunner{}
// NewSELinuxRunner returns a new SELinuxRunner appropriate for the platform.
// On Linux, all methods short-circuit and return NOP values if SELinux is
// disabled. On non-Linux platforms, a NOP implementation is returned.
func NewSELinuxRunner() SELinuxRunner {
return &realSELinuxRunner{}
}

37
pkg/util/selinux/selinux_linux.go
View File

@ -19,25 +19,34 @@ limitations under the License.
package selinux
import (
"fmt"
"github.com/opencontainers/runc/libcontainer/selinux"
)
type realSelinuxContextRunner struct{}
func (_ *realSelinuxContextRunner) SetContext(dir, context string) error {
// If SELinux is not enabled, return an empty string
if !selinux.SelinuxEnabled() {
return nil
}
return selinux.Setfilecon(dir, context)
// SELinuxEnabled returns whether SELinux is enabled on the system. SELinux
// has a tri-state:
//
// 1. disabled: SELinux Kernel modules not loaded, SELinux policy is not
// checked during Kernel MAC checks
// 2. enforcing: Enabled; SELinux policy violations are denied and logged
// in the audit log
// 3. permissive: Enabled, but SELinux policy violations are permitted and
// logged in the audit log
//
// SELinuxEnabled returns true if SELinux is enforcing or permissive, and
// false if it is disabled.
func SELinuxEnabled() bool {
return selinux.SelinuxEnabled()
}
func (_ *realSelinuxContextRunner) Getfilecon(path string) (string, error) {
if !selinux.SelinuxEnabled() {
return "", fmt.Errorf("SELinux is not enabled")
// realSELinuxRunner is the real implementation of SELinuxRunner interface for
// Linux.
type realSELinuxRunner struct{}
var _ SELinuxRunner = &realSELinuxRunner{}
func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
if !SELinuxEnabled() {
return "", nil
}
return selinux.Getfilecon(path)
}

16
pkg/util/selinux/selinux_unsupported.go
View File

@ -18,14 +18,16 @@ limitations under the License.
package selinux
type realSelinuxContextRunner struct{}
func (_ *realSelinuxContextRunner) SetContext(dir, context string) error {
// NOP
return nil
// SELinuxEnabled always returns false on non-linux platforms.
func SELinuxEnabled() bool {
return false
}
func (_ *realSelinuxContextRunner) Getfilecon(path string) (string, error) {
// NOP
// realSELinuxRunner is the NOP implementation of the SELinuxRunner interface.
type realSELinuxRunner struct{}
var _ SELinuxRunner = &realSELinuxRunner{}
func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
return "", nil
}

1
pkg/volume/empty_dir/BUILD
View File

@ -26,7 +26,6 @@ go_library(
"//pkg/volume:go_default_library",
"//pkg/volume/util:go_default_library",
"//vendor:github.com/golang/glog",
"//vendor:github.com/opencontainers/runc/libcontainer/selinux",
],
)

25
pkg/volume/empty_dir/empty_dir.go
View File

@ -105,7 +105,6 @@ func (plugin *emptyDirPlugin) newMounterInternal(spec *volume.Spec, pod *api.Pod
mounter: mounter,
mountDetector: mountDetector,
plugin: plugin,
rootContext: plugin.host.GetRootContext(),
MetricsProvider: volume.NewMetricsDu(getPath(pod.UID, spec.Name(), plugin.host)),
}, nil
}
@ -164,7 +163,6 @@ type emptyDir struct {
mounter mount.Interface
mountDetector mountDetector
plugin *emptyDirPlugin
rootContext string
volume.MetricsProvider
}
@ -202,17 +200,11 @@ func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
}
}
// Determine the effective SELinuxOptions to use for this volume.
securityContext := ""
if selinuxEnabled() {
securityContext = ed.rootContext
}
switch ed.medium {
case api.StorageMediumDefault:
err = ed.setupDir(dir)
case api.StorageMediumMemory:
err = ed.setupTmpfs(dir, securityContext)
err = ed.setupTmpfs(dir)
default:
err = fmt.Errorf("unknown storage medium %q", ed.medium)
}
@ -228,7 +220,7 @@ func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
// setupTmpfs creates a tmpfs mount at the specified directory with the
// specified SELinux context.
func (ed *emptyDir) setupTmpfs(dir string, selinux string) error {
func (ed *emptyDir) setupTmpfs(dir string) error {
if ed.mounter == nil {
return fmt.Errorf("memory storage requested, but mounter is nil")
}
@ -246,17 +238,8 @@ func (ed *emptyDir) setupTmpfs(dir string, selinux string) error {
return nil
}
// By default a tmpfs mount will receive a different SELinux context
// which is not readable from the SELinux context of a docker container.
var opts []string
if selinux != "" {
opts = []string{fmt.Sprintf("rootcontext=\"%v\"", selinux)}
} else {
opts = []string{}
}
glog.V(3).Infof("pod %v: mounting tmpfs for volume %v with opts %v", ed.pod.UID, ed.volName, opts)
return ed.mounter.Mount("tmpfs", dir, "tmpfs", opts)
glog.V(3).Infof("pod %v: mounting tmpfs for volume %v", ed.pod.UID, ed.volName)
return ed.mounter.Mount("tmpfs", dir, "tmpfs", nil /* options */)
}
// setupDir creates the directory with the specified SELinux context and

6
pkg/volume/empty_dir/empty_dir_linux.go
View File

@ -23,7 +23,6 @@ import (
"syscall"
"github.com/golang/glog"
"github.com/opencontainers/runc/libcontainer/selinux"
"k8s.io/kubernetes/pkg/util/mount"
)
@ -52,8 +51,3 @@ func (m *realMountDetector) GetMountMedium(path string) (storageMedium, bool, er
}
return mediumUnknown, !notMnt, nil
}
// selinuxEnabled determines whether SELinux is enabled.
func selinuxEnabled() bool {
return selinux.SelinuxEnabled()
}

61
pkg/volume/empty_dir/empty_dir_test.go
View File

@ -33,9 +33,9 @@ import (
)
// Construct an instance of a plugin, by name.
func makePluginUnderTest(t *testing.T, plugName, basePath, rootContext string) volume.VolumePlugin {
func makePluginUnderTest(t *testing.T, plugName, basePath string) volume.VolumePlugin {
plugMgr := volume.VolumePluginMgr{}
plugMgr.InitPlugins(ProbeVolumePlugins(), volumetest.NewFakeVolumeHost(basePath, nil, nil, rootContext))
plugMgr.InitPlugins(ProbeVolumePlugins(), volumetest.NewFakeVolumeHost(basePath, nil, nil, "" /* rootContext */))
plug, err := plugMgr.FindPluginByName(plugName)
if err != nil {
@ -50,7 +50,7 @@ func TestCanSupport(t *testing.T) {
t.Fatalf("can't make a temp dir: %v", err)
}
defer os.RemoveAll(tmpDir)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir, "" /* rootContext */)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir)
if plug.GetPluginName() != "kubernetes.io/empty-dir" {
t.Errorf("Wrong name: %s", plug.GetPluginName())
@ -75,44 +75,13 @@ func (fake *fakeMountDetector) GetMountMedium(path string) (storageMedium, bool,
func TestPluginEmptyRootContext(t *testing.T) {
doTestPlugin(t, pluginTestConfig{
medium: api.StorageMediumDefault,
rootContext: "",
expectedSetupMounts: 0,
expectedTeardownMounts: 0})
}
func TestPluginRootContextSet(t *testing.T) {
if !selinuxEnabled() {
return
}
doTestPlugin(t, pluginTestConfig{
medium: api.StorageMediumDefault,
rootContext: "user:role:type:range",
expectedSELinux: "user:role:type:range",
expectedSetupMounts: 0,
expectedTeardownMounts: 0})
}
func TestPluginTmpfs(t *testing.T) {
if !selinuxEnabled() {
return
}
doTestPlugin(t, pluginTestConfig{
medium: api.StorageMediumMemory,
rootContext: "user:role:type:range",
expectedSELinux: "user:role:type:range",
expectedSetupMounts: 1,
shouldBeMountedBeforeTeardown: true,
expectedTeardownMounts: 1})
}
type pluginTestConfig struct {
medium api.StorageMedium
rootContext string
SELinuxOptions *api.SELinuxOptions
idempotent bool
expectedSELinux string
expectedSetupMounts int
shouldBeMountedBeforeTeardown bool
expectedTeardownMounts int
@ -130,7 +99,7 @@ func doTestPlugin(t *testing.T, config pluginTestConfig) {
volumePath = path.Join(basePath, "pods/poduid/volumes/kubernetes.io~empty-dir/test-volume")
metadataDir = path.Join(basePath, "pods/poduid/plugins/kubernetes.io~empty-dir/test-volume")
plug = makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath, config.rootContext)
plug = makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath)
volumeName = "test-volume"
spec = &api.Volume{
Name: volumeName,
@ -142,24 +111,6 @@ func doTestPlugin(t *testing.T, config pluginTestConfig) {
pod = &api.Pod{ObjectMeta: api.ObjectMeta{UID: types.UID("poduid")}}
)
// Set up the SELinux options on the pod
if config.SELinuxOptions != nil {
pod.Spec = api.PodSpec{
Containers: []api.Container{
{
SecurityContext: &api.SecurityContext{
SELinuxOptions: config.SELinuxOptions,
},
VolumeMounts: []api.VolumeMount{
{
Name: volumeName,
},
},
},
},
}
}
if config.idempotent {
physicalMounter.MountPoints = []mount.MountPoint{
{
@ -258,7 +209,7 @@ func TestPluginBackCompat(t *testing.T) {
}
defer os.RemoveAll(basePath)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath, "" /* rootContext */)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath)
spec := &api.Volume{
Name: "vol1",
@ -287,7 +238,7 @@ func TestMetrics(t *testing.T) {
}
defer os.RemoveAll(tmpDir)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir, "" /* rootContext */)
plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir)
spec := &api.Volume{
Name: "vol1",

4
pkg/volume/empty_dir/empty_dir_unsupported.go
View File

@ -30,7 +30,3 @@ type realMountDetector struct {
func (m *realMountDetector) GetMountMedium(path string) (storageMedium, bool, error) {
return mediumUnknown, false, nil
}
func selinuxEnabled() bool {
return false
}