From 4df3f5873731ce03d71c44b3ce36d26e87b20ecd Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Thu, 28 Jul 2022 14:47:22 +0200 Subject: [PATCH] Add SELinux feature check for iSCSI volume plugin In theory the check is not necessary, but for sake of robustness and completenes, let's check SELinuxMountReadWriteOncePod feature gate before assuming anything about SELinux labels. --- pkg/volume/iscsi/iscsi.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkg/volume/iscsi/iscsi.go b/pkg/volume/iscsi/iscsi.go index 7390e59b341..7f24a4e32ff 100644 --- a/pkg/volume/iscsi/iscsi.go +++ b/pkg/volume/iscsi/iscsi.go @@ -24,7 +24,9 @@ import ( "strconv" "strings" + utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/klog/v2" + "k8s.io/kubernetes/pkg/features" "k8s.io/mount-utils" utilexec "k8s.io/utils/exec" "k8s.io/utils/io" @@ -366,9 +368,12 @@ func (b *iscsiDiskMounter) SetUpAt(dir string, mounterArgs volume.MounterArgs) e if err != nil { klog.Errorf("iscsi: failed to setup") } - // The volume must have been mounted in MountDevice with -o context. - // TODO: extract from mount table in GetAttributes() to be sure? - b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != "" + + if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) { + // The volume must have been mounted in MountDevice with -o context. + // TODO: extract from mount table in GetAttributes() to be sure? + b.mountedWithSELinuxContext = mounterArgs.SELinuxLabel != "" + } return err }