Rename SupportsSELinux to SELinuxRelabel

The field in fact says that the container runtime should relabel a volume when running a container with it, it does not say that the volume supports SELinux. For example, NFS can support SELinux, but we don't want NFS volumes relabeled, because they can be shared among several Pods.
2025-08-02 16:29:21 +00:00 · 2022-02-11 10:45:29 +01:00 · 2022-02-11 10:45:29 +01:00 · 525b8e5cd6
commit 525b8e5cd6
parent a06e272124
29 changed files with 94 additions and 93 deletions
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@ -175,7 +175,7 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 		// If the volume supports SELinux and it has not been
 		// relabeled already and it is not a read-only volume,
 		// relabel it and mark it as labeled
-		if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SupportsSELinux && !vol.SELinuxLabeled {
+		if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SELinuxRelabel && !vol.SELinuxLabeled {
 			vol.SELinuxLabeled = true
 			relabelVolume = true
 		}
--- a/pkg/volume/awsebs/aws_ebs.go
+++ b/pkg/volume/awsebs/aws_ebs.go
@ -352,7 +352,7 @@ func (b *awsElasticBlockStoreMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/azure_file/azure_file.go
+++ b/pkg/volume/azure_file/azure_file.go
@ -241,7 +241,7 @@ func (b *azureFileMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/azuredd/azure_mounter.go
+++ b/pkg/volume/azuredd/azure_mounter.go
@ -58,7 +58,7 @@ func (m *azureDiskMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       readOnly,
 		Managed:        !readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/cephfs/cephfs.go
+++ b/pkg/volume/cephfs/cephfs.go
@ -208,7 +208,7 @@ func (cephfsVolume *cephfsMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       cephfsVolume.readonly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/cinder/cinder.go
+++ b/pkg/volume/cinder/cinder.go
@ -373,7 +373,7 @@ func (b *cinderVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/configmap/configmap.go
+++ b/pkg/volume/configmap/configmap.go
@ -159,7 +159,7 @@ func (sv *configMapVolume) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       true,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/csi/csi_mounter.go
+++ b/pkg/volume/csi/csi_mounter.go
@ -354,7 +354,7 @@ func (c *csiMountMgr) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       c.readOnly,
 		Managed:        !c.readOnly,
-		SupportsSELinux: c.supportsSELinux,
+		SELinuxRelabel: c.supportsSELinux,
 	}
 }

--- a/pkg/volume/downwardapi/downwardapi.go
+++ b/pkg/volume/downwardapi/downwardapi.go
@ -155,7 +155,7 @@ func (d *downwardAPIVolume) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       true,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/emptydir/empty_dir.go
+++ b/pkg/volume/emptydir/empty_dir.go
@ -221,7 +221,7 @@ func (ed *emptyDir) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       false,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/fc/fc.go
+++ b/pkg/volume/fc/fc.go
@ -366,7 +366,7 @@ func (b *fcDiskMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/flexvolume/mounter-defaults.go
+++ b/pkg/volume/flexvolume/mounter-defaults.go
@ -47,7 +47,7 @@ func (f *mounterDefaults) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       f.readOnly,
 		Managed:        !f.readOnly,
-		SupportsSELinux: f.flexVolume.plugin.capabilities.SELinuxRelabel,
+		SELinuxRelabel: f.flexVolume.plugin.capabilities.SELinuxRelabel,
 	}
 }

--- a/pkg/volume/flocker/flocker.go
+++ b/pkg/volume/flocker/flocker.go
@ -216,7 +216,7 @@ func (b *flockerVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/gcepd/gce_pd.go
+++ b/pkg/volume/gcepd/gce_pd.go
@ -356,7 +356,7 @@ func (b *gcePersistentDiskMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@ -163,7 +163,7 @@ func (b *gitRepoVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       false,
 		Managed:        true,
-		SupportsSELinux: true, // xattr change should be okay, TODO: double check
+		SELinuxRelabel: true, // xattr change should be okay, TODO: double check
 	}
 }

--- a/pkg/volume/glusterfs/glusterfs.go
+++ b/pkg/volume/glusterfs/glusterfs.go
@ -253,7 +253,7 @@ func (b *glusterfsMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/hostpath/host_path.go
+++ b/pkg/volume/hostpath/host_path.go
@ -214,7 +214,7 @@ func (b *hostPathMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/iscsi/iscsi.go
+++ b/pkg/volume/iscsi/iscsi.go
@ -348,7 +348,7 @@ func (b *iscsiDiskMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/local/local.go
+++ b/pkg/volume/local/local.go
@ -506,7 +506,7 @@ func (m *localVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       m.readOnly,
 		Managed:        !m.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/nfs/nfs.go
+++ b/pkg/volume/nfs/nfs.go
@ -18,11 +18,12 @@ package nfs

 import (
 	"fmt"
-	netutil "k8s.io/utils/net"
 	"os"
 	"runtime"
 	"time"

+	netutil "k8s.io/utils/net"
+
 	"k8s.io/klog/v2"
 	"k8s.io/mount-utils"
 	utilstrings "k8s.io/utils/strings"
@ -234,7 +235,7 @@ func (nfsMounter *nfsMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       nfsMounter.readOnly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/portworx/portworx.go
+++ b/pkg/volume/portworx/portworx.go
@ -18,10 +18,11 @@ package portworx

 import (
 	"fmt"
+	"os"
+
 	"k8s.io/klog/v2"
 	"k8s.io/mount-utils"
 	utilstrings "k8s.io/utils/strings"
-	"os"

 	volumeclient "github.com/libopenstorage/openstorage/api/client/volume"
 	v1 "k8s.io/api/core/v1"
@ -289,7 +290,7 @@ func (b *portworxVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/projected/projected.go
+++ b/pkg/volume/projected/projected.go
@ -170,7 +170,7 @@ func (sv *projectedVolume) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       true,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}

 }
--- a/pkg/volume/quobyte/quobyte.go
+++ b/pkg/volume/quobyte/quobyte.go
@ -227,7 +227,7 @@ func (mounter *quobyteMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       mounter.readOnly,
 		Managed:        false,
-		SupportsSELinux: false,
+		SELinuxRelabel: false,
 	}
 }

--- a/pkg/volume/rbd/rbd.go
+++ b/pkg/volume/rbd/rbd.go
@ -19,28 +19,27 @@ package rbd
 import (
 	"context"
 	"fmt"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/kubernetes/pkg/features"
 	"os"
 	"path/filepath"
 	"regexp"
 	dstrings "strings"

-	"k8s.io/klog/v2"
-	"k8s.io/mount-utils"
-	utilexec "k8s.io/utils/exec"
-	utilstrings "k8s.io/utils/strings"
-
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/volume"
 	volutil "k8s.io/kubernetes/pkg/volume/util"
 	"k8s.io/kubernetes/pkg/volume/util/volumepathhandler"
+	"k8s.io/mount-utils"
+	utilexec "k8s.io/utils/exec"
+	utilstrings "k8s.io/utils/strings"
 )

 var (
@ -834,7 +833,7 @@ func (rbd *rbd) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       rbd.ReadOnly,
 		Managed:        !rbd.ReadOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/secret/secret.go
+++ b/pkg/volume/secret/secret.go
@ -164,7 +164,7 @@ func (sv *secretVolume) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       true,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/storageos/storageos.go
+++ b/pkg/volume/storageos/storageos.go
@ -330,7 +330,7 @@ func (b *storageosMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly:       b.readOnly,
 		Managed:        !b.readOnly,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/testing/testing.go
+++ b/pkg/volume/testing/testing.go
@ -688,7 +688,7 @@ func (_ *FakeVolume) GetAttributes() Attributes {
 	return Attributes{
 		ReadOnly:       false,
 		Managed:        true,
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 	}
 }

--- a/pkg/volume/volume.go
+++ b/pkg/volume/volume.go
@ -117,7 +117,7 @@ type Metrics struct {
 type Attributes struct {
 	ReadOnly       bool
 	Managed        bool
-	SupportsSELinux bool
+	SELinuxRelabel bool
 }

 // MounterArgs provides more easily extensible arguments to Mounter
--- a/pkg/volume/vsphere_volume/vsphere_volume.go
+++ b/pkg/volume/vsphere_volume/vsphere_volume.go
@ -208,7 +208,7 @@ type vsphereVolumeMounter struct {

 func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
 	return volume.Attributes{
-		SupportsSELinux: true,
+		SELinuxRelabel: true,
 		Managed:        true,
 	}
 }