Merge pull request #105934 from jsafrane/dont-ignore-selinux
Don't guess SELinux support on error
commit
6d9008b1b0
@ -276,7 +276,8 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
|
|||||||
|
|
||||||
c.supportsSELinux, err = c.kubeVolHost.GetHostUtil().GetSELinuxSupport(dir)
|
c.supportsSELinux, err = c.kubeVolHost.GetHostUtil().GetSELinuxSupport(dir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.V(2).Info(log("error checking for SELinux support: %s", err))
|
// The volume is mounted. Return UncertainProgressError, so kubelet will unmount it when user deletes the pod.
|
||||||
|
return volumetypes.NewUncertainProgressError(fmt.Sprintf("error checking for SELinux support: %s", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
if !driverSupportsCSIVolumeMountGroup && c.supportsFSGroup(fsType, mounterArgs.FsGroup, c.fsGroupPolicy) {
|
if !driverSupportsCSIVolumeMountGroup && c.supportsFSGroup(fsType, mounterArgs.FsGroup, c.fsGroupPolicy) {
|
||||||
|
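Review bot: The UncertainProgressError built in the `if err != nil` branch names neither the target directory nor the volume, so whoever sees this message cannot tie it to a specific mount. `dir` is in scope on the line above, so the message could be `fmt.Sprintf("error checking for SELinux support of %s: %s", dir, err)`. The old `klog.V(2).Info` line is gone, so the returned error appears to be the only record of the failure and should carry that context. SetUpAt starts and ends outside the hunk, so how the caller logs this error is not visible here.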
@ -108,7 +108,7 @@ func (hu *FakeHostUtil) GetOwner(pathname string) (int64, int64, error) {
|
|||||||
// GetSELinuxSupport tests if pathname is on a mount that supports SELinux.
|
// GetSELinuxSupport tests if pathname is on a mount that supports SELinux.
|
||||||
// Not implemented for testing
|
// Not implemented for testing
|
||||||
func (hu *FakeHostUtil) GetSELinuxSupport(pathname string) (bool, error) {
|
func (hu *FakeHostUtil) GetSELinuxSupport(pathname string) (bool, error) {
|
||||||
return false, errors.New("GetSELinuxSupport not implemented")
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetMode returns permissions of pathname.
|
// GetMode returns permissions of pathname.
|
||||||
|
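Review bot: The comment `// Not implemented for testing` above FakeHostUtil.GetSELinuxSupport is stale now that the method returns `false, nil` instead of an error. It could read `// The fake always reports no SELinux support and never returns an error.` Because the fake can no longer fail, tests built on it cannot reach the new branch in SetUpAt that returns UncertainProgressError. An optional error value on the fake would let that path be exercised, if the rest of the type allows it.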
@ -29,6 +29,7 @@ import (
|
|||||||
|
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
|
"k8s.io/kubernetes/pkg/util/selinux"
|
||||||
"k8s.io/mount-utils"
|
"k8s.io/mount-utils"
|
||||||
utilpath "k8s.io/utils/path"
|
utilpath "k8s.io/utils/path"
|
||||||
)
|
)
|
||||||
@ -230,8 +231,16 @@ func DoMakeRShared(path string, mountInfoFilename string) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// selinux.SELinuxEnabled implementation for unit tests
|
||||||
|
type seLinuxEnabledFunc func() bool
|
||||||
|
|
||||||
// GetSELinux is common implementation of GetSELinuxSupport on Linux.
|
// GetSELinux is common implementation of GetSELinuxSupport on Linux.
|
||||||
func GetSELinux(path string, mountInfoFilename string) (bool, error) {
|
func GetSELinux(path string, mountInfoFilename string, selinuxEnabled seLinuxEnabledFunc) (bool, error) {
|
||||||
|
// Skip /proc/mounts parsing if SELinux is disabled.
|
||||||
|
if !selinuxEnabled() {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
info, err := findMountInfo(path, mountInfoFilename)
|
info, err := findMountInfo(path, mountInfoFilename)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, err
|
return false, err
|
||||||
@ -254,7 +263,7 @@ func GetSELinux(path string, mountInfoFilename string) (bool, error) {
|
|||||||
// GetSELinuxSupport returns true if given path is on a mount that supports
|
// GetSELinuxSupport returns true if given path is on a mount that supports
|
||||||
// SELinux.
|
// SELinux.
|
||||||
func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) {
|
func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) {
|
||||||
return GetSELinux(pathname, procMountInfoPath)
|
return GetSELinux(pathname, procMountInfoPath, selinux.SELinuxEnabled)
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetOwner returns the integer ID for the user and group of the given path
|
// GetOwner returns the integer ID for the user and group of the given path
|
||||||
|
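Review bot: GetSELinux is exported, but its new third parameter uses the unexported type seLinuxEnabledFunc, and the doc comment above it mentions neither the parameter nor the early `return false, nil` when SELinux is disabled. Callers outside the package can pass a plain func but cannot name the type, and a nil value would panic at `if !selinuxEnabled()`. Consider declaring it as `selinuxEnabled func() bool` and adding to the doc comment `// It returns false without reading mountInfoFilename when selinuxEnabled reports that SELinux is disabled.` The inline comment says /proc/mounts while the file actually read is mountInfoFilename, so the wording should follow the parameter. GetSELinux's body continues past the hunk.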
@ -157,27 +157,37 @@ func TestGetSELinuxSupport(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
mountPoint string
|
mountPoint string
|
||||||
|
selinuxEnabled bool
|
||||||
expectedResult bool
|
expectedResult bool
|
||||||
}{
|
}{
|
||||||
|
{
|
||||||
|
"ext4 on / with disabled SELinux",
|
||||||
|
"/",
|
||||||
|
false,
|
||||||
|
false,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"ext4 on /",
|
"ext4 on /",
|
||||||
"/",
|
"/",
|
||||||
true,
|
true,
|
||||||
|
true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"tmpfs on /var/lib/bar",
|
"tmpfs on /var/lib/bar",
|
||||||
"/var/lib/bar",
|
"/var/lib/bar",
|
||||||
|
true,
|
||||||
false,
|
false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"nfsv4",
|
"nfsv4",
|
||||||
"/media/nfs_vol",
|
"/media/nfs_vol",
|
||||||
|
true,
|
||||||
false,
|
false,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
out, err := GetSELinux(test.mountPoint, filename)
|
out, err := GetSELinux(test.mountPoint, filename, func() bool { return test.selinuxEnabled })
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test %s failed with error: %s", test.name, err)
|
t.Errorf("Test %s failed with error: %s", test.name, err)
|
||||||
}
|
}
|
||||||
|
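Review bot: The table rows in TestGetSELinuxSupport are positional literals that now end in two adjacent bools (`true, false`), so selinuxEnabled and expectedResult are easy to transpose without the compiler noticing. Keyed fields would make each row self-describing, e.g. `{name: "nfsv4", mountPoint: "/media/nfs_vol", selinuxEnabled: true, expectedResult: false}`. The "ext4 on / with disabled SELinux" row reads the same valid mount table as the others, so it does not show that parsing is skipped. Pointing that case at a mount-info file that does not exist would pin the short-circuit, assuming findMountInfo fails on a missing file. The loop body continues outside the hunk.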