github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Rename IsRWOP

Browse Source 
To be able to update content of the function to other access modes when we
implement SELinux mount for more of them.
This commit is contained in:
Jan Safranek 2022-07-29 10:38:51 +02:00
parent 1490d51028
commit a01e720a1a
3 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/kubelet/volumemanager/cache/actual_state_of_world.go vendored
View File

@ -822,7 +822,7 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
// The volume is mounted, check its SELinux context mount option // The volume is mounted, check its SELinux context mount option
if *volumeObj.seLinuxMountContext != seLinuxLabel { if *volumeObj.seLinuxMountContext != seLinuxLabel {
fullErr := newSELinuxMountMismatchError(volumeName) fullErr := newSELinuxMountMismatchError(volumeName)
if util.IsRWOP(volumeObj.spec) { if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
return false, volumeObj.devicePath, fullErr return false, volumeObj.devicePath, fullErr
} }
} }

19
pkg/kubelet/volumemanager/cache/desired_state_of_world.go vendored
View File

@ -307,7 +307,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
} }
} }
} }
if !util.IsRWOP(volumeSpec) { if !util.VolumeSupportsSELinuxMount(volumeSpec) {
// Clear SELinux label for the volume with unsupported access modes. // Clear SELinux label for the volume with unsupported access modes.
seLinuxFileLabel = "" seLinuxFileLabel = ""
} }
@ -339,8 +339,8 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
if seLinuxFileLabel != vol.seLinuxFileLabel { if seLinuxFileLabel != vol.seLinuxFileLabel {
// TODO: update the error message after tests, e.g. add at least the conflicting pod names. // TODO: update the error message after tests, e.g. add at least the conflicting pod names.
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel) fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
isRWOP := util.IsRWOP(volumeSpec) supported := util.VolumeSupportsSELinuxMount(volumeSpec)
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil { if err := handleSELinuxMetricError(fullErr, supported, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
return "", err return "", err
} }
} else { } else {
@ -385,7 +385,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
if err != nil { if err != nil {
return "", false, err return "", false, err
} }
isRWOP := util.IsRWOP(volumeSpec) seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
if pluginSupportsSELinuxContextMount { if pluginSupportsSELinuxContextMount {
// Ensure that a volume that can be mounted with "-o context=XYZ" is // Ensure that a volume that can be mounted with "-o context=XYZ" is
// used only by containers with the same SELinux contexts. // used only by containers with the same SELinux contexts.
@ -393,7 +393,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext) newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
if err != nil { if err != nil {
fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err) fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil { if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
return "", false, err return "", false, err
} }
} }
@ -403,7 +403,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
} }
if seLinuxFileLabel != newLabel { if seLinuxFileLabel != newLabel {
fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel) fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil { if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
return "", false, err return "", false, err
} }
} }
@ -622,14 +622,13 @@ func (dsw *desiredStateOfWorld) getSELinuxMountSupport(volumeSpec *volume.Spec)
} }
// Based on isRWOP, bump the right warning / error metric and either consume the error or return it. // Based on isRWOP, bump the right warning / error metric and either consume the error or return it.
func handlerSELinuxMetricError(err error, isRWOP bool, warningMetric, errorMetric *metrics.Gauge) error { func handleSELinuxMetricError(err error, seLinuxSupported bool, warningMetric, errorMetric *metrics.Gauge) error {
if isRWOP { if seLinuxSupported {
// Cannot mount with -o context if the context can't be composed.
errorMetric.Add(1.0) errorMetric.Add(1.0)
return err return err
} }
// This is not an error yet, but it will be when support for RWO and RWX volumes is added // This is not an error yet, but it will be when support for other access modes is added.
warningMetric.Add(1.0) warningMetric.Add(1.0)
klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file") klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
return nil return nil

7
pkg/volume/util/selinux.go
View File

@ -166,10 +166,15 @@ func SupportsSELinuxContextMount(volumeSpec *volume.Spec, volumePluginMgr *volum
return false, nil return false, nil
} }
func IsRWOP(volumeSpec *volume.Spec) bool { // VolumeSupportsSELinuxMount returns true if given volume access mode can support mount with SELinux mount options.
func VolumeSupportsSELinuxMount(volumeSpec *volume.Spec) bool {
// Right now, SELinux mount is supported only for ReadWriteOncePod volumes.
if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) { if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) {
return false return false
} }
if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
return false
}
if volumeSpec.PersistentVolume == nil { if volumeSpec.PersistentVolume == nil {
return false return false
} }