From 8dd35100328c9ce9060aad4659cb70aa5b691cd8 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Thu, 27 Oct 2022 19:04:34 +0200
Subject: [PATCH] Fix SELinux context mount with unknown context

Don't mount with SELinux mount option if kubelet does not know the SELinux context, i.e. MounterArgs.SELinuxLabel is ""
---
 pkg/volume/csi/csi_attacher.go | 2 +-
 pkg/volume/csi/csi_mounter.go | 2 +-
 pkg/volume/csi/csi_mounter_test.go | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/pkg/volume/csi/csi_attacher.go b/pkg/volume/csi/csi_attacher.go
index 57fbcb7e9c5..cf6b108251b 100644
--- a/pkg/volume/csi/csi_attacher.go
+++ b/pkg/volume/csi/csi_attacher.go
@@ -377,7 +377,7 @@ func (c *csiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMo
 if err != nil {
 return errors.New(log("failed to query for SELinuxMount support: %s", err))
 }
- if support {
+ if support && deviceMounterArgs.SELinuxLabel != "" {
 mountOptions = util.AddSELinuxMountOption(mountOptions, deviceMounterArgs.SELinuxLabel)
 }
 }
diff --git a/pkg/volume/csi/csi_mounter.go b/pkg/volume/csi/csi_mounter.go
index 6c67b6ac86b..24485d12c84 100644
--- a/pkg/volume/csi/csi_mounter.go
+++ b/pkg/volume/csi/csi_mounter.go
@@ -249,7 +249,7 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 if err != nil {
 return errors.New(log("failed to query for SELinuxMount support: %s", err))
 }
- if support {
+ if support && mounterArgs.SELinuxLabel != "" {
 mountOptions = util.AddSELinuxMountOption(mountOptions, mounterArgs.SELinuxLabel)
 selinuxLabelMount = true
 }
diff --git a/pkg/volume/csi/csi_mounter_test.go b/pkg/volume/csi/csi_mounter_test.go
index c260302ae0b..9584cb01195 100644
--- a/pkg/volume/csi/csi_mounter_test.go
+++ b/pkg/volume/csi/csi_mounter_test.go
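Review bot: The new empty-label guard in MountDevice is duplicated verbatim in csiMountMgr.SetUpAt in the next hunk, and any future caller of `util.AddSELinuxMountOption` would have to remember it too. It would be more robust to make `AddSELinuxMountOption` itself return `mountOptions` unchanged when the label is empty, so an invalid `-o context=""` cannot be produced regardless of the call site (the helper is outside this diff). The diffstat also shows only csi_mounter_test.go gained a case; MountDevice has no test pinning that an empty `deviceMounterArgs.SELinuxLabel` yields no context option, so a regression in this hunk would go unnoticed. MountDevice starts and ends outside the hunk.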
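Review bot: With the added condition, `selinuxLabelMount` now stays false when the driver supports SELinux mounts but the pod's context is unknown, and the hunk does not show what the rest of SetUpAt does with that flag. If a false flag is what selects the recursive relabel/ownership fallback, this is the intended safe behaviour; if the volume is now neither context-mounted nor relabeled, a pod with an unknown context could be handed a volume it cannot access, so please confirm the consumer of `selinuxLabelMount` further down (outside the hunk). The reason for skipping empty labels is not obvious at the condition itself; a one-line comment such as `// An empty label means kubelet does not know the pod's context; -o context="" is invalid, so take the non-context-mount path.` would document it for the next reader. SetUpAt starts and ends outside the hunk.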
@@ -182,6 +182,15 @@ func TestMounterSetUp(t *testing.T) {
 enableSELinuxFeatureGate: true,
 expectedVolumeContext: nil,
 },
+ {
+ name: "should not include selinux mount options, if feature gate is enabled, driver supports it, but Pod does not have it",
+ driver: "supports_selinux",
+ seLinuxLabel: "",
+ expectedSELinuxContext: "", // especially make sure the volume plugin does not use -o context="", that is an invalid value
+ volumeContext: nil,
+ enableSELinuxFeatureGate: true,
+ expectedVolumeContext: nil,
+ },
 }
 noPodMountInfo := false