Extract SELinux context error handling into a common func
Add handlerSELinuxMetricError() which bumps the right metric + either consumes a SELinux error or lets it propagate up the stack.
parent
4df3f58737
commit
8d6b721ddd
@ -29,6 +29,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/api/resource"
|
"k8s.io/apimachinery/pkg/api/resource"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apiserver/pkg/util/feature"
|
"k8s.io/apiserver/pkg/util/feature"
|
||||||
|
"k8s.io/component-base/metrics"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
apiv1resource "k8s.io/kubernetes/pkg/api/v1/resource"
|
apiv1resource "k8s.io/kubernetes/pkg/api/v1/resource"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
"k8s.io/kubernetes/pkg/features"
|
||||||
@ -332,13 +333,8 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
|
|||||||
// TODO: update the error message after tests, e.g. add at least the conflicting pod names.
|
// TODO: update the error message after tests, e.g. add at least the conflicting pod names.
|
||||||
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
|
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
|
||||||
isRWOP := util.IsRWOP(volumeSpec)
|
isRWOP := util.IsRWOP(volumeSpec)
|
||||||
if isRWOP {
|
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
|
||||||
seLinuxVolumeContextMismatchErrors.Add(1.0)
|
return "", err
|
||||||
return "", fullErr
|
|
||||||
} else {
|
|
||||||
// This is not an error yet, but it will be when support for RWO and RWX volumes is added
|
|
||||||
seLinuxVolumeContextMismatchWarnings.Add(1.0)
|
|
||||||
klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if seLinuxFileLabel != "" {
|
if seLinuxFileLabel != "" {
|
||||||
@ -385,15 +381,8 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
|
|||||||
newLabel, err := util.SELinuxOptionsToFileLabel(containerContext)
|
newLabel, err := util.SELinuxOptionsToFileLabel(containerContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
|
fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
|
||||||
if isRWOP {
|
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
|
||||||
// Cannot mount with -o context if the context can't be composed.
|
return "", false, err
|
||||||
seLinuxContainerContextErrors.Add(1.0)
|
|
||||||
return "", false, fullErr
|
|
||||||
} else {
|
|
||||||
// This is not an error yet, but it will be when support for RWO and RWX volumes is added
|
|
||||||
seLinuxContainerContextWarnings.Add(1.0)
|
|
||||||
klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
|
|
||||||
break
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if seLinuxFileLabel == "" {
|
if seLinuxFileLabel == "" {
|
||||||
@ -402,14 +391,8 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
|
|||||||
}
|
}
|
||||||
if seLinuxFileLabel != newLabel {
|
if seLinuxFileLabel != newLabel {
|
||||||
fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
|
fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
|
||||||
if isRWOP {
|
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
|
||||||
seLinuxPodContextMismatchErrors.Add(1.0)
|
return "", false, err
|
||||||
return "", false, fullErr
|
|
||||||
} else {
|
|
||||||
// This is not an error yet, but it will be when support for RWO and RWX volumes is added
|
|
||||||
seLinuxPodContextMismatchWarnings.Add(1.0)
|
|
||||||
klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
|
|
||||||
break
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -625,3 +608,17 @@ func (dsw *desiredStateOfWorld) MarkVolumeAttachability(volumeName v1.UniqueVolu
|
|||||||
func (dsw *desiredStateOfWorld) getSELinuxMountSupport(volumeSpec *volume.Spec) (bool, error) {
|
func (dsw *desiredStateOfWorld) getSELinuxMountSupport(volumeSpec *volume.Spec) (bool, error) {
|
||||||
return util.SupportsSELinuxContextMount(volumeSpec, dsw.volumePluginMgr)
|
return util.SupportsSELinuxContextMount(volumeSpec, dsw.volumePluginMgr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Based on isRWOP, bump the right warning / error metric and either consume the error or return it.
|
||||||
|
func handlerSELinuxMetricError(err error, isRWOP bool, warningMetric, errorMetric *metrics.Gauge) error {
|
||||||
|
if isRWOP {
|
||||||
|
// Cannot mount with -o context if the context can't be composed.
|
||||||
|
errorMetric.Add(1.0)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// This is not an error yet, but it will be when support for RWO and RWX volumes is added
|
||||||
|
warningMetric.Add(1.0)
|
||||||
|
klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
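Review bot: The two `getSELinuxLabel` hunks drop the `break` that the old non-RWOP branch ran after bumping the warning gauge, so this is not a pure extraction: when `handlerSELinuxMetricError` returns nil, execution now falls through to the `seLinuxFileLabel == ""` and `seLinuxFileLabel != newLabel` checks instead of stopping. The enclosing loop starts and ends outside the visible hunks, so this is inferred, but it looks as if a context that failed `util.SELinuxOptionsToFileLabel` is now compared using whatever `newLabel` holds, and the warning gauges can be bumped several times for one pod, which skews the metrics used to judge how often SELinux labels conflict. If stopping at the first warning is still wanted, add a bare `break` after the closing brace of each `if err := handlerSELinuxMetricError(...); err != nil { ... }` block in `getSELinuxLabel` (the helper returns nil only in the non-RWOP case); if continuing is intended, say so in the commit message. Separately, the helper's inner comment `// Cannot mount with -o context if the context can't be composed.` describes only the label-construction call site and misleads for the two mismatch call sites; `// For RWOP volumes the SELinux problem is fatal: count it and return the error.` would fit all three.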