diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index 78c1701c001..10c370ba5d7 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh @@ -418,18 +418,6 @@ function start_kubelet { mkdir -p /var/lib/kubelet if [[ -z "${DOCKERIZE_KUBELET}" ]]; then - # On selinux enabled systems, it might - # require to relabel /var/lib/kubelet - if which selinuxenabled &> /dev/null && \ - selinuxenabled && \ - which chcon > /dev/null ; then - if [[ ! $(ls -Zd /var/lib/kubelet) =~ system_u:object_r:svirt_sandbox_file_t:s0 ]] ; then - echo "Applying SELinux label to /var/lib/kubelet directory." - if ! sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet; then - echo "Failed to apply selinux label to /var/lib/kubelet." - fi - fi - fi # Enable dns if [[ "${ENABLE_CLUSTER_DNS}" = true ]]; then dns_args="--cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}" @@ -509,7 +497,7 @@ function start_kubelet { --volume=/var/run:/var/run:rw \ --volume=/sys:/sys:ro \ --volume=/var/lib/docker/:/var/lib/docker:ro \ - --volume=/var/lib/kubelet/:/var/lib/kubelet:rw,z \ + --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \ --volume=/dev:/dev \ ${cred_bind} \ --net=host \ diff --git a/hack/make-rules/test-e2e-node.sh b/hack/make-rules/test-e2e-node.sh index 8213de40c22..7198af9df36 100755 --- a/hack/make-rules/test-e2e-node.sh +++ b/hack/make-rules/test-e2e-node.sh 
@@ -152,20 +152,6 @@ else test_args="$test_args --disable-kubenet=true" fi - # On selinux enabled systems, it might - # require to relabel /var/lib/kubelet - if which selinuxenabled &> /dev/null && \ - selinuxenabled && \ - which chcon > /dev/null ; then - mkdir -p /var/lib/kubelet - if [[ ! $(ls -Zd /var/lib/kubelet) =~ svirt_sandbox_file_t ]] ; then - echo "Applying SELinux label to /var/lib/kubelet directory." - if ! sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet; then - echo "Failed to apply selinux label to /var/lib/kubelet." - fi - fi - fi - # Test using the host the script was run on # Provided for backwards compatibility go run test/e2e_node/runner/local/run_local.go --ginkgo-flags="$ginkgoflags" \ diff --git a/pkg/kubelet/BUILD b/pkg/kubelet/BUILD index af11325274c..444e241389f 100644 --- a/pkg/kubelet/BUILD +++ b/pkg/kubelet/BUILD @@ -106,7 +106,6 @@ go_library( "//pkg/util/oom:go_default_library", "//pkg/util/procfs:go_default_library", "//pkg/util/runtime:go_default_library", - "//pkg/util/selinux:go_default_library", "//pkg/util/sets:go_default_library", "//pkg/util/term:go_default_library", "//pkg/util/validation:go_default_library", diff --git a/pkg/kubelet/dockertools/BUILD b/pkg/kubelet/dockertools/BUILD index 690da58bb2b..ccf2542ddbe 100644 --- a/pkg/kubelet/dockertools/BUILD +++ b/pkg/kubelet/dockertools/BUILD @@ -56,6 +56,7 @@ go_library( "//pkg/util/oom:go_default_library", "//pkg/util/procfs:go_default_library", "//pkg/util/runtime:go_default_library", + "//pkg/util/selinux:go_default_library", "//pkg/util/sets:go_default_library", "//pkg/util/strings:go_default_library", "//pkg/util/term:go_default_library", diff --git a/pkg/kubelet/dockertools/docker_manager.go b/pkg/kubelet/dockertools/docker_manager.go index 90ece063cc6..175541be105 100644 --- a/pkg/kubelet/dockertools/docker_manager.go +++ b/pkg/kubelet/dockertools/docker_manager.go 
@@ -65,6 +65,7 @@ import ( "k8s.io/kubernetes/pkg/util/oom" "k8s.io/kubernetes/pkg/util/procfs" utilruntime "k8s.io/kubernetes/pkg/util/runtime" + "k8s.io/kubernetes/pkg/util/selinux" "k8s.io/kubernetes/pkg/util/sets" utilstrings "k8s.io/kubernetes/pkg/util/strings" "k8s.io/kubernetes/pkg/util/term" @@ -507,20 +508,14 @@ func makeEnvList(envs []kubecontainer.EnvVar) (result []string) { // ':', or // '::ro', if the path is read only, or // '::Z', if the volume requires SELinux -// relabeling and the pod provides an SELinux label -func makeMountBindings(mounts []kubecontainer.Mount, podHasSELinuxLabel bool) (result []string) { +// relabeling +func makeMountBindings(mounts []kubecontainer.Mount) (result []string) { for _, m := range mounts { bind := fmt.Sprintf("%s:%s", m.HostPath, m.ContainerPath) if m.ReadOnly { bind += ":ro" } - // Only request relabeling if the pod provides an - // SELinux context. If the pod does not provide an - // SELinux context relabeling will label the volume - // with the container's randomly allocated MCS label. - // This would restrict access to the volume to the - // container which mounts it first. - if m.SELinuxRelabel && podHasSELinuxLabel { + if m.SELinuxRelabel && selinux.SELinuxEnabled() { if m.ReadOnly { bind += ",Z" } else { @@ -646,8 +641,7 @@ func (dm *DockerManager) runContainer( {PathOnHost: "/dev/nvidia-uvm", PathInContainer: "/dev/nvidia-uvm", CgroupPermissions: "mrw"}, } } - podHasSELinuxLabel := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SELinuxOptions != nil - binds := makeMountBindings(opts.Mounts, podHasSELinuxLabel) + binds := makeMountBindings(opts.Mounts) // The reason we create and mount the log file in here (not in kubelet) is because // the file's location depends on the ID of the container, and we need to create and // mount the file before actually starting the container. 
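Review bot: The new condition `m.SELinuxRelabel && selinux.SELinuxEnabled()` in makeMountBindings requests `Z` even when the pod sets no SELinuxOptions, which is the case the removed comment warned about: the volume takes the MCS label of whichever container mounts it first, and other containers sharing it may then be denied access. The same concern applies to the `k8s-managed-etc-hosts` mount, which the kubelet_pods.go hunk now marks `SELinuxRelabel: true` and which appears to be a single file under the pod directory. If something outside this diff guarantees one label for all containers in a pod, record it here, e.g. `// Z (private label) is safe here because <reason all containers in the pod share one label>`; otherwise keep the pod-label guard. The comment removed from kubelet_pods.go also says Docker does not relabel for hostPID/hostIPC pods, so with relabelVolumes gone those pods may get no relabeling at all, which is worth confirming. The loop body continues outside the hunk.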
@@ -666,6 +660,13 @@ func (dm *DockerManager) runContainer( } else { fs.Close() // Close immediately; we're just doing a `touch` here b := fmt.Sprintf("%s:%s", containerLogPath, container.TerminationMessagePath) + + // Have docker relabel the termination log path if SELinux is + // enabled. + if selinux.SELinuxEnabled() { + b += ":Z" + } + binds = append(binds, b) } } diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go index d0c7d6068fa..f1aa878a38b 100644 --- a/pkg/kubelet/kubelet_pods.go +++ b/pkg/kubelet/kubelet_pods.go @@ -133,10 +133,11 @@ func makeHostsMount(podDir, podIP, hostName, hostDomainName string) (*kubecontai return nil, err } return &kubecontainer.Mount{ - Name: "k8s-managed-etc-hosts", - ContainerPath: etcHostsPath, - HostPath: hostsFilePath, - ReadOnly: false, + Name: "k8s-managed-etc-hosts", + ContainerPath: etcHostsPath, + HostPath: hostsFilePath, + ReadOnly: false, + SELinuxRelabel: true, }, nil } @@ -251,15 +252,6 @@ func (kl *Kubelet) GenerateRunContainerOptions(pod *api.Pod, container *api.Cont volumes := kl.volumeManager.GetMountedVolumesForPod(podName) opts.PortMappings = makePortMappings(container) - // Docker does not relabel volumes if the container is running - // in the host pid or ipc namespaces so the kubelet must - // relabel the volumes - if pod.Spec.SecurityContext != nil && (pod.Spec.SecurityContext.HostIPC || pod.Spec.SecurityContext.HostPID) { - err = kl.relabelVolumes(pod, volumes) - if err != nil { - return nil, err - } - } opts.Mounts, err = makeMounts(pod, kl.getPodDir(pod.UID), container, hostname, hostDomainName, podIP, volumes) if err != nil { diff --git a/pkg/kubelet/kubelet_volumes.go b/pkg/kubelet/kubelet_volumes.go index 11f8aa19649..c7ae64050a6 100644 --- a/pkg/kubelet/kubelet_volumes.go +++ b/pkg/kubelet/kubelet_volumes.go 
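Review bot: The added comment in runContainer says Docker relabels the termination log but not why the private `Z` form is the right one here. The comment above says the file's location depends on the container ID, so a line such as `// Z: this log file belongs to one container only, so a private label is correct` would record that reasoning. The `:Z` suffix is also assembled by hand a second time, separately from makeMountBindings (which uses `,Z` after `:ro`), so the two can drift if another option is ever added to this bind; a small shared helper for the relabel suffix would avoid that. runContainer starts and ends outside the hunk.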
@@ -19,16 +19,13 @@ package kubelet import ( "fmt" "os" - "path/filepath" "github.com/golang/glog" "k8s.io/kubernetes/pkg/api" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" - "k8s.io/kubernetes/pkg/securitycontext" "k8s.io/kubernetes/pkg/types" utilerrors "k8s.io/kubernetes/pkg/util/errors" "k8s.io/kubernetes/pkg/util/mount" - "k8s.io/kubernetes/pkg/util/selinux" "k8s.io/kubernetes/pkg/util/sets" "k8s.io/kubernetes/pkg/volume" volumetypes "k8s.io/kubernetes/pkg/volume/util/types" 
@@ -81,51 +78,6 @@ func (kl *Kubelet) newVolumeMounterFromPlugins(spec *volume.Spec, pod *api.Pod, return physicalMounter, nil } -// relabelVolumes relabels SELinux volumes to match the pod's -// SELinuxOptions specification. This is only needed if the pod uses -// hostPID or hostIPC. Otherwise relabeling is delegated to docker. -func (kl *Kubelet) relabelVolumes(pod *api.Pod, volumes kubecontainer.VolumeMap) error { - if pod.Spec.SecurityContext.SELinuxOptions == nil { - return nil - } - - rootDirContext, err := kl.getRootDirContext() - if err != nil { - return err - } - - selinuxRunner := selinux.NewSelinuxContextRunner() - // Apply the pod's Level to the rootDirContext - rootDirSELinuxOptions, err := securitycontext.ParseSELinuxOptions(rootDirContext) - if err != nil { - return err - } - - rootDirSELinuxOptions.Level = pod.Spec.SecurityContext.SELinuxOptions.Level - volumeContext := fmt.Sprintf("%s:%s:%s:%s", rootDirSELinuxOptions.User, rootDirSELinuxOptions.Role, rootDirSELinuxOptions.Type, rootDirSELinuxOptions.Level) - - for _, vol := range volumes { - if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SupportsSELinux { - // Relabel the volume and its content to match the 'Level' of the pod - path, err := volume.GetPath(vol.Mounter) - if err != nil { - return err - } - err = filepath.Walk(path, func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - return selinuxRunner.SetContext(path, volumeContext) - }) - if err != nil { - return err - } - vol.SELinuxLabeled = true - } - } - return nil -} - // cleanupOrphanedPodDirs removes the volumes of pods that should not be // running and that have no containers running. func (kl *Kubelet) cleanupOrphanedPodDirs( diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go index 9f8595792d6..16cb0db6b8e 100644 --- a/pkg/kubelet/rkt/rkt.go +++ b/pkg/kubelet/rkt/rkt.go 
@@ -1082,7 +1082,7 @@ func (r *Runtime) preparePodArgs(manifest *appcschema.PodManifest, manifestFileN } func (r *Runtime) getSelinuxContext(opt *api.SELinuxOptions) (string, error) { - selinuxRunner := selinux.NewSelinuxContextRunner() + selinuxRunner := selinux.NewSELinuxRunner() str, err := selinuxRunner.Getfilecon(r.config.Dir) if err != nil { return "", err diff --git a/pkg/util/selinux/doc.go b/pkg/util/selinux/doc.go index 5061cd6bc86..2757203f93c 100644 --- a/pkg/util/selinux/doc.go +++ b/pkg/util/selinux/doc.go @@ -14,5 +14,6 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Package selinux contains selinux utility functions. +// Package selinux contains wrapper functions for the libcontainer SELinux +// package. A NOP implementation is provided for non-linux platforms. package selinux // import "k8s.io/kubernetes/pkg/util/selinux" diff --git a/pkg/util/selinux/selinux.go b/pkg/util/selinux/selinux.go index c8c42afbd8e..c367f7bbe7c 100644 --- a/pkg/util/selinux/selinux.go +++ b/pkg/util/selinux/selinux.go 
@@ -16,14 +16,24 @@ limitations under the License. package selinux -// SelinuxContextRunner knows how to chcon of a directory and -// how to get the selinux context of a file. -type SelinuxContextRunner interface { - SetContext(dir, context string) error +// Note: the libcontainer SELinux package is only built for Linux, so it is +// necessary to have a NOP wrapper which is built for non-Linux platforms to +// allow code that links to this package not to differentiate its own methods +// for Linux and non-Linux platforms. +// +// SELinuxRunner wraps certain libcontainer SELinux calls. For more +// information, see: +// +// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go +type SELinuxRunner interface { + // Getfilecon returns the SELinux context for the given path or returns an + // error. Getfilecon(path string) (string, error) } -// NewSelinuxContextRunner returns a new chconRunner. -func NewSelinuxContextRunner() SelinuxContextRunner { - return &realSelinuxContextRunner{} +// NewSELinuxRunner returns a new SELinuxRunner appropriate for the platform. +// On Linux, all methods short-circuit and return NOP values if SELinux is +// disabled. On non-Linux platforms, a NOP implementation is returned. +func NewSELinuxRunner() SELinuxRunner { + return &realSELinuxRunner{} } diff --git a/pkg/util/selinux/selinux_linux.go b/pkg/util/selinux/selinux_linux.go index f3c720561a0..47d35c91cb3 100644 --- a/pkg/util/selinux/selinux_linux.go +++ b/pkg/util/selinux/selinux_linux.go 
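Review bot: The doc comment on `SELinuxRunner` now opens with the `Note:` paragraph, so godoc will show the platform note as the type's summary instead of a sentence that starts with the type name. Put `// SELinuxRunner wraps certain libcontainer SELinux calls.` first and move the paragraph about the NOP wrapper below it, or leave it to doc.go, which this commit already extends with the same information.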
@@ -19,25 +19,34 @@ limitations under the License. package selinux import ( - "fmt" - "github.com/opencontainers/runc/libcontainer/selinux" ) -type realSelinuxContextRunner struct{} - -func (_ *realSelinuxContextRunner) SetContext(dir, context string) error { - // If SELinux is not enabled, return an empty string - if !selinux.SelinuxEnabled() { - return nil - } - - return selinux.Setfilecon(dir, context) +// SELinuxEnabled returns whether SELinux is enabled on the system. SELinux +// has a tri-state: +// +// 1. disabled: SELinux Kernel modules not loaded, SELinux policy is not +// checked during Kernel MAC checks +// 2. enforcing: Enabled; SELinux policy violations are denied and logged +// in the audit log +// 3. permissive: Enabled, but SELinux policy violations are permitted and +// logged in the audit log +// +// SELinuxEnabled returns true if SELinux is enforcing or permissive, and +// false if it is disabled. +func SELinuxEnabled() bool { + return selinux.SelinuxEnabled() } -func (_ *realSelinuxContextRunner) Getfilecon(path string) (string, error) { - if !selinux.SelinuxEnabled() { - return "", fmt.Errorf("SELinux is not enabled") +// realSELinuxRunner is the real implementation of SELinuxRunner interface for +// Linux. +type realSELinuxRunner struct{} + +var _ SELinuxRunner = &realSELinuxRunner{} + +func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) { + if !SELinuxEnabled() { + return "", nil } return selinux.Getfilecon(path) } diff --git a/pkg/util/selinux/selinux_unsupported.go b/pkg/util/selinux/selinux_unsupported.go index 22a2f1a94b9..4f7767472c9 100644 --- a/pkg/util/selinux/selinux_unsupported.go +++ b/pkg/util/selinux/selinux_unsupported.go 
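Review bot: `Getfilecon` now returns `"", nil` when SELinux is disabled, where it used to return an error, and nothing documents the empty result: the method has no comment and the interface comment in selinux.go still reads "returns the SELinux context for the given path or returns an error". selinux_unsupported.go behaves the same way. Callers that parse the returned context, such as `getSelinuxContext` in rkt.go (its body continues outside its hunk), can no longer detect the disabled case through `err` and should be checked for how they treat an empty string. Suggested interface comment: `// Getfilecon returns the SELinux context for the given path; it returns "" and a nil error when SELinux is disabled or unsupported.`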
@@ -18,14 +18,16 @@ limitations under the License. package selinux -type realSelinuxContextRunner struct{} - -func (_ *realSelinuxContextRunner) SetContext(dir, context string) error { - // NOP - return nil +// SELinuxEnabled always returns false on non-linux platforms. +func SELinuxEnabled() bool { + return false } -func (_ *realSelinuxContextRunner) Getfilecon(path string) (string, error) { - // NOP +// realSELinuxRunner is the NOP implementation of the SELinuxRunner interface. +type realSELinuxRunner struct{} + +var _ SELinuxRunner = &realSELinuxRunner{} + +func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) { return "", nil } diff --git a/pkg/volume/empty_dir/BUILD b/pkg/volume/empty_dir/BUILD index c6725f7d50b..8b6df93f068 100644 --- a/pkg/volume/empty_dir/BUILD +++ b/pkg/volume/empty_dir/BUILD @@ -26,7 +26,6 @@ go_library( "//pkg/volume:go_default_library", "//pkg/volume/util:go_default_library", "//vendor:github.com/golang/glog", - "//vendor:github.com/opencontainers/runc/libcontainer/selinux", ], ) diff --git a/pkg/volume/empty_dir/empty_dir.go b/pkg/volume/empty_dir/empty_dir.go index 2a545945d03..96f1ad30909 100644 --- a/pkg/volume/empty_dir/empty_dir.go +++ b/pkg/volume/empty_dir/empty_dir.go @@ -105,7 +105,6 @@ func (plugin *emptyDirPlugin) newMounterInternal(spec *volume.Spec, pod *api.Pod mounter: mounter, mountDetector: mountDetector, plugin: plugin, - rootContext: plugin.host.GetRootContext(), MetricsProvider: volume.NewMetricsDu(getPath(pod.UID, spec.Name(), plugin.host)), }, nil } @@ -164,7 +163,6 @@ type emptyDir struct { mounter mount.Interface mountDetector mountDetector plugin *emptyDirPlugin - rootContext string volume.MetricsProvider } 
@@ -202,17 +200,11 @@ func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error { } } - // Determine the effective SELinuxOptions to use for this volume. - securityContext := "" - if selinuxEnabled() { - securityContext = ed.rootContext - } - switch ed.medium { case api.StorageMediumDefault: err = ed.setupDir(dir) case api.StorageMediumMemory: - err = ed.setupTmpfs(dir, securityContext) + err = ed.setupTmpfs(dir) default: err = fmt.Errorf("unknown storage medium %q", ed.medium) } @@ -228,7 +220,7 @@ func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error { // setupTmpfs creates a tmpfs mount at the specified directory with the // specified SELinux context. -func (ed *emptyDir) setupTmpfs(dir string, selinux string) error { +func (ed *emptyDir) setupTmpfs(dir string) error { if ed.mounter == nil { return fmt.Errorf("memory storage requested, but mounter is nil") } @@ -246,17 +238,8 @@ func (ed *emptyDir) setupTmpfs(dir string, selinux string) error { return nil } - // By default a tmpfs mount will receive a different SELinux context - // which is not readable from the SELinux context of a docker container. - var opts []string - if selinux != "" { - opts = []string{fmt.Sprintf("rootcontext=\"%v\"", selinux)} - } else { - opts = []string{} - } - - glog.V(3).Infof("pod %v: mounting tmpfs for volume %v with opts %v", ed.pod.UID, ed.volName, opts) - return ed.mounter.Mount("tmpfs", dir, "tmpfs", opts) + glog.V(3).Infof("pod %v: mounting tmpfs for volume %v", ed.pod.UID, ed.volName) + return ed.mounter.Mount("tmpfs", dir, "tmpfs", nil /* options */) } // setupDir creates the directory with the specified SELinux context and diff --git a/pkg/volume/empty_dir/empty_dir_linux.go b/pkg/volume/empty_dir/empty_dir_linux.go index 41e474f9d77..0902e58d38e 100644 --- a/pkg/volume/empty_dir/empty_dir_linux.go +++ b/pkg/volume/empty_dir/empty_dir_linux.go 
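Review bot: The doc comment kept above `setupTmpfs` still says "with the specified SELinux context" although the `selinux` parameter is gone and the mount is now made with nil options; it should become `// setupTmpfs creates a tmpfs mount at the specified directory.` The removed comment explained that a tmpfs mount otherwise receives a context a Docker container cannot read, so the function now depends on the runtime relabeling the volume. A one-line comment at the `Mount` call stating that dependency would keep the reasoning next to the code; whether emptyDir volumes are actually marked for relabeling is not visible in this diff. The context line for `setupDir` at the end of the last hunk carries the same stale wording.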
@@ -23,7 +23,6 @@ import ( "syscall" "github.com/golang/glog" - "github.com/opencontainers/runc/libcontainer/selinux" "k8s.io/kubernetes/pkg/util/mount" ) @@ -52,8 +51,3 @@ func (m *realMountDetector) GetMountMedium(path string) (storageMedium, bool, er } return mediumUnknown, !notMnt, nil } - -// selinuxEnabled determines whether SELinux is enabled. -func selinuxEnabled() bool { - return selinux.SelinuxEnabled() -} diff --git a/pkg/volume/empty_dir/empty_dir_test.go b/pkg/volume/empty_dir/empty_dir_test.go index ea5c7da80c5..26a6f3ff506 100644 --- a/pkg/volume/empty_dir/empty_dir_test.go +++ b/pkg/volume/empty_dir/empty_dir_test.go @@ -33,9 +33,9 @@ import ( ) // Construct an instance of a plugin, by name. -func makePluginUnderTest(t *testing.T, plugName, basePath, rootContext string) volume.VolumePlugin { +func makePluginUnderTest(t *testing.T, plugName, basePath string) volume.VolumePlugin { plugMgr := volume.VolumePluginMgr{} - plugMgr.InitPlugins(ProbeVolumePlugins(), volumetest.NewFakeVolumeHost(basePath, nil, nil, rootContext)) + plugMgr.InitPlugins(ProbeVolumePlugins(), volumetest.NewFakeVolumeHost(basePath, nil, nil, "" /* rootContext */)) plug, err := plugMgr.FindPluginByName(plugName) if err != nil { @@ -50,7 +50,7 @@ func TestCanSupport(t *testing.T) { t.Fatalf("can't make a temp dir: %v", err) } defer os.RemoveAll(tmpDir) - plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir, "" /* rootContext */) + plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir) if plug.GetPluginName() != "kubernetes.io/empty-dir" { t.Errorf("Wrong name: %s", plug.GetPluginName()) 
@@ -75,44 +75,13 @@ func (fake *fakeMountDetector) GetMountMedium(path string) (storageMedium, bool, func TestPluginEmptyRootContext(t *testing.T) { doTestPlugin(t, pluginTestConfig{ medium: api.StorageMediumDefault, - rootContext: "", expectedSetupMounts: 0, expectedTeardownMounts: 0}) } -func TestPluginRootContextSet(t *testing.T) { - if !selinuxEnabled() { - return - } - - doTestPlugin(t, pluginTestConfig{ - medium: api.StorageMediumDefault, - rootContext: "user:role:type:range", - expectedSELinux: "user:role:type:range", - expectedSetupMounts: 0, - expectedTeardownMounts: 0}) -} - -func TestPluginTmpfs(t *testing.T) { - if !selinuxEnabled() { - return - } - - doTestPlugin(t, pluginTestConfig{ - medium: api.StorageMediumMemory, - rootContext: "user:role:type:range", - expectedSELinux: "user:role:type:range", - expectedSetupMounts: 1, - shouldBeMountedBeforeTeardown: true, - expectedTeardownMounts: 1}) -} - type pluginTestConfig struct { medium api.StorageMedium - rootContext string - SELinuxOptions *api.SELinuxOptions idempotent bool - expectedSELinux string expectedSetupMounts int shouldBeMountedBeforeTeardown bool expectedTeardownMounts int @@ -130,7 +99,7 @@ func doTestPlugin(t *testing.T, config pluginTestConfig) { volumePath = path.Join(basePath, "pods/poduid/volumes/kubernetes.io~empty-dir/test-volume") metadataDir = path.Join(basePath, "pods/poduid/plugins/kubernetes.io~empty-dir/test-volume") - plug = makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath, config.rootContext) + plug = makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath) volumeName = "test-volume" spec = &api.Volume{ Name: volumeName, 
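Review bot: Dropping `TestPluginTmpfs` removes the only test in this hunk that drives `api.StorageMediumMemory`, so the rewritten `setupTmpfs` path is left without visible coverage. The test was gated on SELinux only because of `rootContext`, which no longer exists. A version without the gate and the removed fields, as below, would keep the mount and unmount counts checked; it presumably runs against the fake mounter that `doTestPlugin` sets up outside this hunk. `TestPluginEmptyRootContext` could also be renamed, since there is no root context left to be empty.

```go
func TestPluginTmpfs(t *testing.T) {
	doTestPlugin(t, pluginTestConfig{
		medium:                        api.StorageMediumMemory,
		expectedSetupMounts:           1,
		shouldBeMountedBeforeTeardown: true,
		expectedTeardownMounts:        1})
}
```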
@@ -142,24 +111,6 @@ func doTestPlugin(t *testing.T, config pluginTestConfig) { pod = &api.Pod{ObjectMeta: api.ObjectMeta{UID: types.UID("poduid")}} ) - // Set up the SELinux options on the pod - if config.SELinuxOptions != nil { - pod.Spec = api.PodSpec{ - Containers: []api.Container{ - { - SecurityContext: &api.SecurityContext{ - SELinuxOptions: config.SELinuxOptions, - }, - VolumeMounts: []api.VolumeMount{ - { - Name: volumeName, - }, - }, - }, - }, - } - } - if config.idempotent { physicalMounter.MountPoints = []mount.MountPoint{ { @@ -258,7 +209,7 @@ func TestPluginBackCompat(t *testing.T) { } defer os.RemoveAll(basePath) - plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath, "" /* rootContext */) + plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", basePath) spec := &api.Volume{ Name: "vol1", @@ -287,7 +238,7 @@ func TestMetrics(t *testing.T) { } defer os.RemoveAll(tmpDir) - plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir, "" /* rootContext */) + plug := makePluginUnderTest(t, "kubernetes.io/empty-dir", tmpDir) spec := &api.Volume{ Name: "vol1", diff --git a/pkg/volume/empty_dir/empty_dir_unsupported.go b/pkg/volume/empty_dir/empty_dir_unsupported.go index 32ab046f1ba..c389ace7c30 100644 --- a/pkg/volume/empty_dir/empty_dir_unsupported.go +++ b/pkg/volume/empty_dir/empty_dir_unsupported.go @@ -30,7 +30,3 @@ type realMountDetector struct { func (m *realMountDetector) GetMountMedium(path string) (storageMedium, bool, error) { return mediumUnknown, false, nil } - -func selinuxEnabled() bool { - return false -}