Implement mounting with -o context= in iSCSI volume plugin

This commit is contained in:
Jan Safranek 2022-02-11 10:50:03 +01:00
parent cdb3ead5a9
commit 4cfb277e8b
3 changed files with 29 additions and 10 deletions


@ -98,7 +98,7 @@ func (attacher *iscsiAttacher) GetDeviceMountPath(
return attacher.manager.MakeGlobalPDName(*mounter.iscsiDisk), nil return attacher.manager.MakeGlobalPDName(*mounter.iscsiDisk), nil
} }
func (attacher *iscsiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, _ volume.DeviceMounterArgs) error { func (attacher *iscsiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMountPath string, mountArgs volume.DeviceMounterArgs) error {
mounter := attacher.host.GetMounter(iscsiPluginName) mounter := attacher.host.GetMounter(iscsiPluginName)
notMnt, err := mounter.IsLikelyNotMountPoint(deviceMountPath) notMnt, err := mounter.IsLikelyNotMountPoint(deviceMountPath)
if err != nil { if err != nil {
@ -120,6 +120,9 @@ func (attacher *iscsiAttacher) MountDevice(spec *volume.Spec, devicePath string,
if readOnly { if readOnly {
options = append(options, "ro") options = append(options, "ro")
} }
if mountArgs.SELinuxLabel != "" {
options = volumeutil.AddSELinuxMountOption(options, mountArgs.SELinuxLabel)
}
if notMnt { if notMnt {
diskMounter := &mount.SafeFormatAndMount{Interface: mounter, Exec: attacher.host.GetExec(iscsiPluginName)} diskMounter := &mount.SafeFormatAndMount{Interface: mounter, Exec: attacher.host.GetExec(iscsiPluginName)}
mountOptions := volumeutil.MountOptionFromSpec(spec, options...) mountOptions := volumeutil.MountOptionFromSpec(spec, options...)
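Review bot: The `context=` option built from `mountArgs.SELinuxLabel` only takes effect on the `notMnt` branch, so when the global device mount already exists MountDevice returns without checking whether that existing mount carries the requested label, and a later SetUpAt (in iscsi.go) will still record the volume as mounted with the context. That silent mismatch is worth at least a log line on the already-mounted path, e.g. `klog.V(4).Infof("iscsi: %s already mounted, requested SELinux label %q not re-applied", deviceMountPath, mountArgs.SELinuxLabel)`, or ideally a comparison against the mount table before trusting the label. MountDevice continues past this hunk, so the already-mounted return path itself is not visible here.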


@ -93,7 +93,7 @@ func (plugin *iscsiPlugin) SupportsBulkVolumeVerification() bool {
} }
func (plugin *iscsiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) { func (plugin *iscsiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
return false, nil return true, nil
} }
func (plugin *iscsiPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode { func (plugin *iscsiPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
@ -336,13 +336,14 @@ func (iscsi *iscsiDisk) iscsiPodDeviceMapPath() (string, string) {
type iscsiDiskMounter struct { type iscsiDiskMounter struct {
*iscsiDisk *iscsiDisk
readOnly bool readOnly bool
fsType string fsType string
volumeMode v1.PersistentVolumeMode volumeMode v1.PersistentVolumeMode
mounter *mount.SafeFormatAndMount mounter *mount.SafeFormatAndMount
exec utilexec.Interface exec utilexec.Interface
deviceUtil ioutil.DeviceUtil deviceUtil ioutil.DeviceUtil
mountOptions []string mountOptions []string
mountedWithSELinuxContext bool
} }
var _ volume.Mounter = &iscsiDiskMounter{} var _ volume.Mounter = &iscsiDiskMounter{}
@ -351,7 +352,7 @@ func (b *iscsiDiskMounter) GetAttributes() volume.Attributes {
return volume.Attributes{ return volume.Attributes{
ReadOnly: b.readOnly, ReadOnly: b.readOnly,
Managed: !b.readOnly, Managed: !b.readOnly,
SELinuxRelabel: true, SELinuxRelabel: !b.mountedWithSELinuxContext,
} }
} }
@ -365,6 +366,9 @@ func (b *iscsiDiskMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) e
if err != nil { if err != nil {
klog.Errorf("iscsi: failed to setup") klog.Errorf("iscsi: failed to setup")
} }
// The volume must have been mounted in MountDevice with -o context.
// TODO: extract from mount table in GetAttributes() to be sure?
b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != ""
return err return err
} }
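Review bot: `b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != ""` records the requested label rather than the actual mount state, and it is set even when the preceding `SetUpAt` call failed (`err` is only logged, not returned, before this line). Because `AddSELinuxMountOption` in volume/util returns the options untouched when the `SELinuxMountReadWriteOncePod` gate is off, a non-empty label with the gate disabled would yield a volume that was neither mounted with `-o context` nor relabeled (GetAttributes now returns `SELinuxRelabel: false`), unless the caller guarantees an empty label in that case; the TODO on the previous line acknowledges the gap. At minimum guard the assignment: `if err == nil { b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != "" }`, and consider mirroring the feature-gate check here so both sides agree. SetUpAt starts outside the hunk.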


@ -35,11 +35,13 @@ import (
utypes "k8s.io/apimachinery/pkg/types" utypes "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
utilfeature "k8s.io/apiserver/pkg/util/feature"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
storagehelpers "k8s.io/component-helpers/storage/volume" storagehelpers "k8s.io/component-helpers/storage/volume"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
podutil "k8s.io/kubernetes/pkg/api/v1/pod" podutil "k8s.io/kubernetes/pkg/api/v1/pod"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/securitycontext" "k8s.io/kubernetes/pkg/securitycontext"
"k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/util/types" "k8s.io/kubernetes/pkg/volume/util/types"
@ -273,6 +275,16 @@ func JoinMountOptions(userOptions []string, systemOptions []string) []string {
return allMountOptions.List() return allMountOptions.List()
} }
// AddSELinuxMountOption adds -o context="XYZ mount option to a given list
func AddSELinuxMountOption(options []string, seLinuxContext string) []string {
if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
return options
}
// Use double quotes to support a comma "," in the SELinux context string.
// For example: dirsync,context="system_u:object_r:container_file_t:s0:c15,c25",noatime
return append(options, "context=%q", seLinuxContext)
}
// ContainsAccessMode returns whether the requested mode is contained by modes // ContainsAccessMode returns whether the requested mode is contained by modes
func ContainsAccessMode(modes []v1.PersistentVolumeAccessMode, mode v1.PersistentVolumeAccessMode) bool { func ContainsAccessMode(modes []v1.PersistentVolumeAccessMode, mode v1.PersistentVolumeAccessMode) bool {
for _, m := range modes { for _, m := range modes {
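Review bot: `return append(options, "context=%q", seLinuxContext)` appends two separate elements — the literal string `context=%q` and the raw label — instead of one formatted option, so the quoting the comment above promises never happens and a label containing a comma would be split by the mount option joiner. It should be `return append(options, fmt.Sprintf("context=%q", seLinuxContext))` (adding `fmt` to the import block if it is not already there; the top of the block is outside this hunk). Note also that `%q` applies Go-style backslash escaping for `"` and `\`, which is not what mount(8) expects, so validating `seLinuxContext` against the expected label grammar before building the option would be prudent. The doc comment is missing its closing quote: `// AddSELinuxMountOption adds -o context="XYZ" mount option to a given list`.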