Merge pull request #50843 from TerraTech/fvs-selinuxRelabel-init-1.8.x
Automatic merge from submit-queue (batch tested with PRs 51105, 51097, 51110, 50843, 51107) FlexVolume: Add ability to control 'SupportsSELinux' during driver's init phase **What this PR does / why we need it**: Adds the ability to disable FlexVolume SELinux relabeling for filesystems that don't support it, e.g. fuse **Which issue this PR fixes**: This was reported in: https://github.com/lizardfs/lizardfs/issues/581 This is a reworked solution as per feedback from #50548 https://github.com/kubernetes/kubernetes/pull/50548#issuecomment-322328679 **Special notes for your reviewer**: /assign @thockin /cc @chakri-nelluri @verult @saad-ali **Release note**: ```release-note NONE ```
commit
4fb6c2891c
@ -59,7 +59,8 @@ const (
|
|||||||
|
|
||||||
optionKeyServiceAccountName = "kubernetes.io/serviceAccount.name"
|
optionKeyServiceAccountName = "kubernetes.io/serviceAccount.name"
|
||||||
|
|
||||||
attachCapability = "attach"
|
attachCapability = "attach"
|
||||||
|
selinuxRelabelCapability = "selinuxRelabel"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -82,6 +83,11 @@ type DriverCall struct {
|
|||||||
args []string
|
args []string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type driverCapabilities struct {
|
||||||
|
attach bool
|
||||||
|
selinuxRelabel bool
|
||||||
|
}
|
||||||
|
|
||||||
func (plugin *flexVolumePlugin) NewDriverCall(command string) *DriverCall {
|
func (plugin *flexVolumePlugin) NewDriverCall(command string) *DriverCall {
|
||||||
return plugin.NewDriverCallWithTimeout(command, 0)
|
return plugin.NewDriverCallWithTimeout(command, 0)
|
||||||
}
|
}
|
||||||
@ -235,3 +241,23 @@ func handleCmdResponse(cmd string, output []byte) (*DriverStatus, error) {
|
|||||||
|
|
||||||
return &status, nil
|
return &status, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getDriverCapabilities returns the reported capabilities as returned by driver's init() function
|
||||||
|
func (ds *DriverStatus) getDriverCapabilities() *driverCapabilities {
|
||||||
|
driverCaps := &driverCapabilities{
|
||||||
|
attach: true,
|
||||||
|
selinuxRelabel: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if driver supports SELinux Relabeling of mounted volume
|
||||||
|
if dcap, ok := ds.Capabilities[selinuxRelabelCapability]; ok {
|
||||||
|
driverCaps.selinuxRelabel = dcap
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check whether the plugin is attachable.
|
||||||
|
if dcap, ok := ds.Capabilities[attachCapability]; ok {
|
||||||
|
driverCaps.attach = dcap
|
||||||
|
}
|
||||||
|
|
||||||
|
return driverCaps
|
||||||
|
}
|
||||||
|
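Review bot: The doc comment on getDriverCapabilities does not say that both capabilities start as true and are only overridden when the driver's init output contains the key. That default matters here: a driver for a filesystem that cannot be relabeled is exempted only if it explicitly reports `selinuxRelabel` as false, and a driver that omits the key keeps the old relabel-everything behaviour. I would extend the comment to `// getDriverCapabilities returns the capabilities reported by the driver's init call; attach and selinuxRelabel default to true when the driver does not report them.` The new `driverCapabilities` struct has no comment either; one line saying it holds the values parsed from init would help.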
@ -47,7 +47,7 @@ func (f *mounterDefaults) GetAttributes() volume.Attributes {
|
|||||||
return volume.Attributes{
|
return volume.Attributes{
|
||||||
ReadOnly: f.readOnly,
|
ReadOnly: f.readOnly,
|
||||||
Managed: !f.readOnly,
|
Managed: !f.readOnly,
|
||||||
SupportsSELinux: true,
|
SupportsSELinux: f.flexVolume.plugin.capabilities.selinuxRelabel,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
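Review bot: The new `SupportsSELinux: f.flexVolume.plugin.capabilities.selinuxRelabel` line dereferences `capabilities`, which is a `*driverCapabilities` that on this page is assigned only inside NewFlexVolumePlugin. Any flexVolumePlugin built another way (a struct literal in a test, or a future constructor) would leave it nil and GetAttributes would panic; whether such paths exist is not visible here, so please confirm. A nil guard that falls back to the previous hard-coded `true` keeps the old behaviour in that case, or the field could be stored by value with explicit defaults. The function's signature sits in the hunk header, outside the hunk lines.

```go
func (f *mounterDefaults) GetAttributes() volume.Attributes {
	// Fall back to the previous hard-coded value when init capabilities were never recorded.
	supportsSELinux := true
	if caps := f.flexVolume.plugin.capabilities; caps != nil {
		supportsSELinux = caps.selinuxRelabel
	}
	return volume.Attributes{
		// … unchanged: ReadOnly, Managed …
		SupportsSELinux: supportsSELinux,
	}
}
```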
@ -42,6 +42,7 @@ type flexVolumePlugin struct {
|
|||||||
runner exec.Interface
|
runner exec.Interface
|
||||||
|
|
||||||
sync.Mutex
|
sync.Mutex
|
||||||
|
capabilities *driverCapabilities
|
||||||
unsupportedCommands []string
|
unsupportedCommands []string
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -64,44 +65,29 @@ func NewFlexVolumePlugin(pluginDir, name string) (volume.VolumePlugin, error) {
|
|||||||
unsupportedCommands: []string{},
|
unsupportedCommands: []string{},
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check whether the plugin is attachable.
|
// Retrieve driver reported capabilities
|
||||||
ok, err := isAttachable(flexPlugin)
|
call := flexPlugin.NewDriverCall(initCmd)
|
||||||
|
ds, err := call.Run()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if ok {
|
driverCaps := ds.getDriverCapabilities()
|
||||||
// Plugin supports attach/detach, so return flexVolumeAttachablePlugin
|
flexPlugin.capabilities = driverCaps
|
||||||
|
|
||||||
|
// Check whether the plugin is attachable.
|
||||||
|
if driverCaps.attach {
|
||||||
|
// Plugin supports attach/detach by default, so return flexVolumeAttachablePlugin
|
||||||
return &flexVolumeAttachablePlugin{flexVolumePlugin: flexPlugin}, nil
|
return &flexVolumeAttachablePlugin{flexVolumePlugin: flexPlugin}, nil
|
||||||
} else {
|
} else {
|
||||||
return flexPlugin, nil
|
return flexPlugin, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func isAttachable(plugin *flexVolumePlugin) (bool, error) {
|
|
||||||
call := plugin.NewDriverCall(initCmd)
|
|
||||||
res, err := call.Run()
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// By default all plugins are attachable, unless they report otherwise.
|
|
||||||
cap, ok := res.Capabilities[attachCapability]
|
|
||||||
if ok {
|
|
||||||
// cap is false, so plugin does not support attach/detach calls.
|
|
||||||
return cap, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Init is part of the volume.VolumePlugin interface.
|
// Init is part of the volume.VolumePlugin interface.
|
||||||
func (plugin *flexVolumePlugin) Init(host volume.VolumeHost) error {
|
func (plugin *flexVolumePlugin) Init(host volume.VolumeHost) error {
|
||||||
plugin.host = host
|
// Hardwired 'success' as any errors from calling init() will be caught by NewFlexVolumePlugin()
|
||||||
// call the init script
|
return nil
|
||||||
call := plugin.NewDriverCall(initCmd)
|
|
||||||
_, err := call.Run()
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (plugin *flexVolumePlugin) getExecutable() string {
|
func (plugin *flexVolumePlugin) getExecutable() string {
|
||||||
|
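Review bot: In the last hunk the new body of Init appears to hold only the "Hardwired 'success'" comment and `return nil`, so the `plugin.host = host` assignment from the old side has been dropped. The hunk header's line counts (44 old, 29 new) agree with that reading. Removing the init call from Init is consistent with moving it into NewFlexVolumePlugin, but the host assignment is unrelated to that move. Code that later reads `plugin.host` would then see a nil VolumeHost; those callers are not on this page, so this needs confirming, but a nil dereference inside the kubelet is an availability problem. I would keep `plugin.host = host` as the first statement of Init, ahead of the comment and `return nil`.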