Run injector as privileged pod

A privileged pod bypasses any SELinux checks when writing. The NFS, CephFS and
Gluster tests now work without setting a special SELinux boolean for them.
Jan Safranek 2019-01-22 14:49:04 +01:00
parent 27e5971c11
commit 4c4401c175


@ -486,6 +486,7 @@ func InjectHtml(client clientset.Interface, config VolumeTestConfig, volume v1.V
podClient := client.CoreV1().Pods(config.Namespace)
podName := fmt.Sprintf("%s-injector-%s", config.Prefix, rand.String(4))
volMountName := fmt.Sprintf("%s-volume-%s", config.Prefix, rand.String(4))
privileged := true
injectPod := &v1.Pod{
TypeMeta: metav1.TypeMeta{
@ -511,11 +512,9 @@ func InjectHtml(client clientset.Interface, config VolumeTestConfig, volume v1.V
MountPath: "/mnt",
},
},
},
},
SecurityContext: &v1.PodSecurityContext{
SELinuxOptions: &v1.SELinuxOptions{
Level: "s0:c0,c1",
SecurityContext: &v1.SecurityContext{
Privileged: &privileged,
},
},
},
RestartPolicy: v1.RestartPolicyNever,
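Review bot: The container-level `Privileged: &privileged` in the second hunk grants the injector far more than the SELinux bypass the commit message asks for (all capabilities and host device access as well), and nothing at the `privileged := true` line says why. I would add a comment there, e.g. `// Privileged only to bypass SELinux when writing to NFS/CephFS/Gluster; needs a cluster that admits privileged pods.`, so the setting is not copied into non-test code and the admission requirement is visible. If the goal is only to lift SELinux confinement, an unprivileged container with a permissive SELinux type in `SELinuxOptions` may be enough, though that would need to be verified against these drivers. The pod-level `Level: "s0:c0,c1"` is dropped at the same time, so it is worth confirming that any pod that later reads the injected file does not depend on a matching level; InjectHtml starts and ends outside the visible hunks.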