github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-13 13:14:05 +00:00
Code Issues Projects Releases Wiki Activity

Use SELinuxChangePolicy

Browse Source
This commit is contained in:
Jan Safranek
2024-10-08 13:22:47 +02:00
parent 6ca7b959e4
commit 8a400124f9
1 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/kubelet/volumemanager/cache/desired_state_of_world.go vendored
View File

@@ -301,7 +301,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
volumeName = util.GetUniqueVolumeNameFromSpecWithPod(podName, volumePlugin, volumeSpec) volumeName = util.GetUniqueVolumeNameFromSpecWithPod(podName, volumePlugin, volumeSpec)
} }
seLinuxFileLabel, pluginSupportsSELinuxContextMount, err := dsw.getSELinuxLabel(volumeSpec, seLinuxContainerContexts) seLinuxFileLabel, pluginSupportsSELinuxContextMount, err := dsw.getSELinuxLabel(volumeSpec, seLinuxContainerContexts, pod.Spec.SecurityContext)
if err != nil { if err != nil {
return "", err return "", err
} }
@@ -392,7 +392,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
return volumeName, nil return volumeName, nil
} }
func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions) (string, bool, error) { func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) {
var seLinuxFileLabel string var seLinuxFileLabel string
var pluginSupportsSELinuxContextMount bool var pluginSupportsSELinuxContextMount bool
@@ -407,6 +407,20 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
if err != nil { if err != nil {
return "", false, err return "", false, err
} }
if feature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) &&
podSecurityContext != nil &&
podSecurityContext.SELinuxChangePolicy != nil &&
*podSecurityContext.SELinuxChangePolicy == v1.SELinuxChangePolicyRecursive {
// The pod has opted into recursive SELinux label changes. Do not mount with -o context.
return "", pluginSupportsSELinuxContextMount, nil
}
// Ignoring SELinuxMount feature gate:
// It allows value "SELinuxChangePolicy: MountOption" in the API server to be set.
// If the feature gate + field value is set in the API server, but the feature gate is disabled here in kubelet,
// kubelet would default to "", which means "MountOption" anyway.
seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec) seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
if pluginSupportsSELinuxContextMount { if pluginSupportsSELinuxContextMount {
// Ensure that a volume that can be mounted with "-o context=XYZ" is // Ensure that a volume that can be mounted with "-o context=XYZ" is
@@ -414,7 +428,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
for _, containerContext := range seLinuxContainerContexts { for _, containerContext := range seLinuxContainerContexts {
newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext) newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
if err != nil { if err != nil {
fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err) fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %w", containerContext, err)
accessMode := getVolumeAccessMode(volumeSpec) accessMode := getVolumeAccessMode(volumeSpec)
err := handleSELinuxMetricError( err := handleSELinuxMetricError(
fullErr, fullErr,