From a01e720a1a7def301cbd28cb7329ece5bf362114 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Fri, 29 Jul 2022 10:38:51 +0200
Subject: [PATCH] Rename IsRWOP

To be able to update content of the function to other access modes when we implement SELinux mount for more of them.
---
 .../cache/actual_state_of_world.go | 2 +-
 .../cache/desired_state_of_world.go | 19 +++++++++----------
 pkg/volume/util/selinux.go | 7 ++++++-
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
index 4b84c5f9f48..e23dc4dad7d 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
@@ -822,7 +822,7 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
 // The volume is mounted, check its SELinux context mount option
 if *volumeObj.seLinuxMountContext != seLinuxLabel {
 fullErr := newSELinuxMountMismatchError(volumeName)
- if util.IsRWOP(volumeObj.spec) {
+ if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
 return false, volumeObj.devicePath, fullErr
 }
 }
diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
index 37b0b96b44b..b8aad587047 100644
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@@ -307,7 +307,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 }
 }
 }
- if !util.IsRWOP(volumeSpec) {
+ if !util.VolumeSupportsSELinuxMount(volumeSpec) {
 // Clear SELinux label for the volume with unsupported access modes.
 seLinuxFileLabel = ""
 }
@@ -339,8 +339,8 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 if seLinuxFileLabel != vol.seLinuxFileLabel {
 // TODO: update the error message after tests, e.g. add at least the conflicting pod names.
 fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
- isRWOP := util.IsRWOP(volumeSpec)
- if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
+ supported := util.VolumeSupportsSELinuxMount(volumeSpec)
+ if err := handleSELinuxMetricError(fullErr, supported, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
 return "", err
 }
 } else {
@@ -385,7 +385,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 if err != nil {
 return "", false, err
 }
- isRWOP := util.IsRWOP(volumeSpec)
+ seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
 if pluginSupportsSELinuxContextMount {
 // Ensure that a volume that can be mounted with "-o context=XYZ" is
 // used only by containers with the same SELinux contexts.
@@ -393,7 +393,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
 if err != nil {
 fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
- if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
+ if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
 return "", false, err
 }
 }
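Review bot: The new local in AddPodToVolume (the @@ -339 hunk) is named `supported`, while the same value in getSELinuxLabel (the @@ -385 hunk) is `seLinuxSupported`; a bare `supported` next to names like `pluginSupportsSELinuxContextMount` does not say what is supported, and the two call sites should read the same. I would use `seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)` in AddPodToVolume as well and pass it to handleSELinuxMetricError. Both enclosing functions start and end outside these hunks.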
@@ -403,7 +403,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 }
 if seLinuxFileLabel != newLabel {
 fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
- if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
+ if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
 return "", false, err
 }
 }
@@ -622,14 +622,13 @@ func (dsw *desiredStateOfWorld) getSELinuxMountSupport(volumeSpec *volume.Spec)
 }

 // Based on isRWOP, bump the right warning / error metric and either consume the error or return it.
-func handlerSELinuxMetricError(err error, isRWOP bool, warningMetric, errorMetric *metrics.Gauge) error {
- if isRWOP {
- // Cannot mount with -o context if the context can't be composed.
+func handleSELinuxMetricError(err error, seLinuxSupported bool, warningMetric, errorMetric *metrics.Gauge) error {
+ if seLinuxSupported {
 errorMetric.Add(1.0)
 return err
 }
- // This is not an error yet, but it will be when support for RWO and RWX volumes is added
+ // This is not an error yet, but it will be when support for other access modes is added.
 warningMetric.Add(1.0)
 klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
 return nil
diff --git a/pkg/volume/util/selinux.go b/pkg/volume/util/selinux.go
index cd537610607..22854734f30 100644
--- a/pkg/volume/util/selinux.go
+++ b/pkg/volume/util/selinux.go
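Review bot: The doc comment directly above the renamed handleSELinuxMetricError (the @@ -622 hunk) still reads `// Based on isRWOP, bump the right warning / error metric and either consume the error or return it.`, but the parameter is now `seLinuxSupported`, so the rename leaves the comment referring to a name that no longer exists in the signature. I would change it to `// Based on seLinuxSupported, bump the right warning / error metric and either consume the error or return it.`. The removed line `// Cannot mount with -o context if the context can't be composed.` was the only explanation of why the supported case is a hard error; a neutral replacement inside the `if seLinuxSupported {` branch, such as `// The volume is mounted with -o context, so a label problem must fail the mount.`, would keep that rationale without tying it to one caller. The function's closing brace is not visible in the hunk as shown, and the hunk header counts one more line than is printed.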
@@ -166,10 +166,15 @@ func SupportsSELinuxContextMount(volumeSpec *volume.Spec, volumePluginMgr *volum
 return false, nil
 }

-func IsRWOP(volumeSpec *volume.Spec) bool {
+// VolumeSupportsSELinuxMount returns true if given volume access mode can support mount with SELinux mount options.
+func VolumeSupportsSELinuxMount(volumeSpec *volume.Spec) bool {
+ // Right now, SELinux mount is supported only for ReadWriteOncePod volumes.
 if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) {
 return false
 }
+ if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+ return false
+ }
 if volumeSpec.PersistentVolume == nil {
 return false
 }
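Review bot: The new doc comment on VolumeSupportsSELinuxMount talks only about the access mode, but the first thing the function does is return false when either the ReadWriteOncePod or the newly added SELinuxMountReadWriteOncePod feature gate is disabled, and the callers in desired_state_of_world.go clear the SELinux file label and downgrade a label mismatch from an error to a warning on a false result; a reader of the comment would not expect a gate to switch that enforcement off. I would state it: `// VolumeSupportsSELinuxMount returns true if the given volume's access mode can be mounted with SELinux mount options.` followed by `// It returns false when the ReadWriteOncePod or SELinuxMountReadWriteOncePod feature gate is disabled, regardless of access mode.`. The two consecutive gate checks could also be collapsed into a single condition, `if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) || !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {`, which keeps the gate-off path in one place. The function's body continues past the end of the hunk.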