Add SELinux labels for kubelet on Fedora CoreOS
Signed-off-by: Harshal Patil <harpatil@redhat.com>
parent
d9b576d61e
commit
a4cd6f13c8
@ -21,6 +21,7 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -101,23 +102,57 @@ func prependMemcgNotificationFlag(args string) string {
|
|||||||
return "--kubelet-flags=--kernel-memcg-notification=true " + args
|
return "--kubelet-flags=--kernel-memcg-notification=true " + args
|
||||||
}
|
}
|
||||||
|
|
||||||
// updateOSSpecificKubeletFlags updates the Kubelet args with OS specific
|
// osSpecificActions takes OS specific actions required for the node tests
|
||||||
// settings.
|
func osSpecificActions(args, host, workspace string) (string, error) {
|
||||||
func updateOSSpecificKubeletFlags(args, host, workspace string) (string, error) {
|
output, err := getOSDistribution(host)
|
||||||
output, err := SSH(host, "cat", "/etc/os-release")
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
|
return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
|
||||||
}
|
}
|
||||||
switch {
|
switch {
|
||||||
case strings.Contains(output, "ID=gci"), strings.Contains(output, "ID=cos"):
|
case strings.Contains(output, "fedora"), strings.Contains(output, "rhcos"),
|
||||||
|
strings.Contains(output, "centos"), strings.Contains(output, "rhel"):
|
||||||
|
return args, setKubeletSELinuxLabels(host, workspace)
|
||||||
|
case strings.Contains(output, "gci"), strings.Contains(output, "cos"):
|
||||||
args = prependMemcgNotificationFlag(args)
|
args = prependMemcgNotificationFlag(args)
|
||||||
return prependCOSMounterFlag(args, host, workspace)
|
return prependCOSMounterFlag(args, host, workspace)
|
||||||
case strings.Contains(output, "ID=ubuntu"):
|
case strings.Contains(output, "ubuntu"):
|
||||||
return prependMemcgNotificationFlag(args), nil
|
return prependMemcgNotificationFlag(args), nil
|
||||||
}
|
}
|
||||||
return args, nil
|
return args, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// setKubeletSELinuxLabels set the appropriate SELinux labels for the
|
||||||
|
// kubelet on Fedora CoreOS distribution
|
||||||
|
func setKubeletSELinuxLabels(host, workspace string) error {
|
||||||
|
cmd := getSSHCommand(" && ",
|
||||||
|
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "kubelet")),
|
||||||
|
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "e2e_node.test")),
|
||||||
|
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "ginkgo")),
|
||||||
|
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "mounter")),
|
||||||
|
fmt.Sprintf("/usr/bin/chcon -R -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "cni", "bin/")),
|
||||||
|
)
|
||||||
|
output, err := SSH(host, "sh", "-c", cmd)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Unable to apply SELinux labels. Err: %v, Output:\n%s", err, output)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getOSDistribution(host string) (string, error) {
|
||||||
|
output, err := SSH(host, "cat", "/etc/os-release")
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
|
||||||
|
}
|
||||||
|
|
||||||
|
var re = regexp.MustCompile(`(?m)^ID="?(\w+)"?`)
|
||||||
|
subMatch := re.FindStringSubmatch(output)
|
||||||
|
if len(subMatch) > 0 {
|
||||||
|
return subMatch[1], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", fmt.Errorf("Unable to parse os-release for the host, %s", host)
|
||||||
|
}
|
||||||
|
|
||||||
// RunTest runs test on the node.
|
// RunTest runs test on the node.
|
||||||
func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePrefix, testArgs, ginkgoArgs, systemSpecName, extraEnvs string, timeout time.Duration) (string, error) {
|
func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePrefix, testArgs, ginkgoArgs, systemSpecName, extraEnvs string, timeout time.Duration) (string, error) {
|
||||||
// Install the cni plugins and add a basic CNI configuration.
|
// Install the cni plugins and add a basic CNI configuration.
|
||||||
@ -134,7 +169,7 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr
|
|||||||
// Kill any running node processes
|
// Kill any running node processes
|
||||||
cleanupNodeProcesses(host)
|
cleanupNodeProcesses(host)
|
||||||
|
|
||||||
testArgs, err := updateOSSpecificKubeletFlags(testArgs, host, workspace)
|
testArgs, err := osSpecificActions(testArgs, host, workspace)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
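Review bot: In `osSpecificActions` the switch still uses `strings.Contains` although `getOSDistribution` now returns only the captured `ID` value, so `rhcos` also satisfies the later `strings.Contains(output, "cos")` case and stays on the SELinux branch only because of case order. Matching the ID exactly removes that dependency: `switch output {` with `case "fedora", "rhcos", "centos", "rhel":` and `case "gci", "cos":`, and the ubuntu case likewise. In `setKubeletSELinuxLabels`, `workspace` is interpolated unquoted into a string that is run through `sh -c` on the host; the code that builds that path is not visible here, so if it can ever contain spaces or shell metacharacters it should be single-quoted or validated before the command is assembled. The doc comment there names only Fedora CoreOS while the branch also runs for `centos` and `rhel`, and the `&&` chain makes `RunTest` fail if any one of the five paths (for example `mounter`) is absent from the workspace, which the comment should state or the code should guard.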