diff --git a/pkg/controller/volume/attachdetach/testing/testvolumespec.go b/pkg/controller/volume/attachdetach/testing/testvolumespec.go
index c9586b75dd7..0af3f0b52d4 100644
--- a/pkg/controller/volume/attachdetach/testing/testvolumespec.go
+++ b/pkg/controller/volume/attachdetach/testing/testvolumespec.go
@@ -483,6 +483,10 @@ func (plugin *TestPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *TestPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *TestPlugin) GetErrorEncountered() bool {
 plugin.pluginLock.RLock()
 defer plugin.pluginLock.RUnlock()
diff --git a/pkg/controller/volume/persistentvolume/framework_test.go b/pkg/controller/volume/persistentvolume/framework_test.go
index ebf98ab8558..6ec4f86781c 100644
--- a/pkg/controller/volume/persistentvolume/framework_test.go
+++ b/pkg/controller/volume/persistentvolume/framework_test.go
@@ -970,6 +970,10 @@ func (plugin *mockVolumePlugin) ConstructVolumeSpec(volumeName, mountPath string
 return nil, nil
 }

+func (plugin *mockVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *mockVolumePlugin) NewMounter(spec *volume.Spec, podRef *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return nil, fmt.Errorf("Mounter is not supported by this plugin")
 }
diff --git a/pkg/volume/awsebs/aws_ebs.go b/pkg/volume/awsebs/aws_ebs.go
index 6d4752d17a7..c50e8e03635 100644
--- a/pkg/volume/awsebs/aws_ebs.go
+++ b/pkg/volume/awsebs/aws_ebs.go
@@ -100,6 +100,10 @@ func (plugin *awsElasticBlockStorePlugin) SupportsBulkVolumeVerification() bool
 return true
 }

+func (plugin *awsElasticBlockStorePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *awsElasticBlockStorePlugin) GetVolumeLimits() (map[string]int64, error) {
 volumeLimits := map[string]int64{
 util.EBSVolumeLimitKey: util.DefaultMaxEBSVolumes,
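Review bot: The stub added to `awsElasticBlockStorePlugin` returns a constant `false, nil` and never reads `spec`, and nothing says that this is a deliberate default; the same undocumented body is repeated in the other plugin hunks of this commit (azure_file, azuredd, cephfs, cinder, csi, fc, flexvolume, gcepd, glusterfs, hostpath, iscsi, local, nfs, portworx, rbd, vsphere_volume and the configmap, secret, projected, downwardapi, emptydir and git_repo plugins). Declining is the conservative answer, because presumably a plugin that claimed support while its mount ignored `context=` would leave the volume labelled differently from what the caller expects, so it is worth recording that the value should not be flipped without checking the plugin's mount path. A one-line doc comment on each stub would do, for example `// SupportsSELinuxContextMount reports false: this plugin does not mount with -o context=.`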
diff --git a/pkg/volume/azure_file/azure_file.go b/pkg/volume/azure_file/azure_file.go
index 61953cf3d48..df331ea9f48 100644
--- a/pkg/volume/azure_file/azure_file.go
+++ b/pkg/volume/azure_file/azure_file.go
@@ -100,6 +100,10 @@ func (plugin *azureFilePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *azureFilePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *azureFilePlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/azuredd/azure_dd.go b/pkg/volume/azuredd/azure_dd.go
index e839474483c..25dd97af883 100644
--- a/pkg/volume/azuredd/azure_dd.go
+++ b/pkg/volume/azuredd/azure_dd.go
@@ -134,6 +134,10 @@ func (plugin *azureDataDiskPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *azureDataDiskPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *azureDataDiskPlugin) GetVolumeLimits() (map[string]int64, error) {
 volumeLimits := map[string]int64{
 util.AzureVolumeLimitKey: defaultAzureVolumeLimit,
diff --git a/pkg/volume/cephfs/cephfs.go b/pkg/volume/cephfs/cephfs.go
index 2a6e8800514..2fc27d6248b 100644
--- a/pkg/volume/cephfs/cephfs.go
+++ b/pkg/volume/cephfs/cephfs.go
@@ -85,6 +85,10 @@ func (plugin *cephfsPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *cephfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *cephfsPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/cinder/cinder.go b/pkg/volume/cinder/cinder.go
index 88f89489aec..ef422e24c5c 100644
--- a/pkg/volume/cinder/cinder.go
+++ b/pkg/volume/cinder/cinder.go
@@ -123,6 +123,10 @@ func (plugin *cinderPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *cinderPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 var _ volume.VolumePluginWithAttachLimits = &cinderPlugin{}

 func (plugin *cinderPlugin) GetVolumeLimits() (map[string]int64, error) {
diff --git a/pkg/volume/configmap/configmap.go b/pkg/volume/configmap/configmap.go
index e72f5bccb70..8aca9bc2314 100644
--- a/pkg/volume/configmap/configmap.go
+++ b/pkg/volume/configmap/configmap.go
@@ -90,6 +90,10 @@ func (plugin *configMapPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *configMapPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *configMapPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return &configMapVolumeMounter{
 configMapVolume: &configMapVolume{
diff --git a/pkg/volume/csi/csi_plugin.go b/pkg/volume/csi/csi_plugin.go
index f922fec485a..25358644e85 100644
--- a/pkg/volume/csi/csi_plugin.go
+++ b/pkg/volume/csi/csi_plugin.go
@@ -581,6 +581,10 @@ func (p *csiPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (p *csiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 // volume.AttachableVolumePlugin methods
 var _ volume.AttachableVolumePlugin = &csiPlugin{}

diff --git a/pkg/volume/downwardapi/downwardapi.go b/pkg/volume/downwardapi/downwardapi.go
index 08899bfb359..714254c5c79 100644
--- a/pkg/volume/downwardapi/downwardapi.go
+++ b/pkg/volume/downwardapi/downwardapi.go
@@ -92,6 +92,10 @@ func (plugin *downwardAPIPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *downwardAPIPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *downwardAPIPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 v := &downwardAPIVolume{
 volName: spec.Name(),
diff --git a/pkg/volume/emptydir/empty_dir.go b/pkg/volume/emptydir/empty_dir.go
index 19cd6aea282..6370902d0ea 100644
--- a/pkg/volume/emptydir/empty_dir.go
+++ b/pkg/volume/emptydir/empty_dir.go
@@ -103,6 +103,10 @@ func (plugin *emptyDirPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *emptyDirPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *emptyDirPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return plugin.newMounterInternal(spec, pod, plugin.host.GetMounter(plugin.GetPluginName()), &realMountDetector{plugin.host.GetMounter(plugin.GetPluginName())}, opts)
 }
diff --git a/pkg/volume/fc/fc.go b/pkg/volume/fc/fc.go
index 3bb73f943a7..8c8920d6dc2 100644
--- a/pkg/volume/fc/fc.go
+++ b/pkg/volume/fc/fc.go
@@ -99,6 +99,10 @@ func (plugin *fcPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *fcPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *fcPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/flexvolume/plugin.go b/pkg/volume/flexvolume/plugin.go
index a13b3af9326..92e5c8d91db 100644
--- a/pkg/volume/flexvolume/plugin.go
+++ b/pkg/volume/flexvolume/plugin.go
@@ -287,6 +287,10 @@ func (plugin *flexVolumePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *flexVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 // Returns true iff the given command is known to be unsupported.
 func (plugin *flexVolumePlugin) isUnsupported(command string) bool {
 plugin.Lock()
diff --git a/pkg/volume/gcepd/gce_pd.go b/pkg/volume/gcepd/gce_pd.go
index 302d6be9613..cb33c1e3dd3 100644
--- a/pkg/volume/gcepd/gce_pd.go
+++ b/pkg/volume/gcepd/gce_pd.go
@@ -111,6 +111,10 @@ func (plugin *gcePersistentDiskPlugin) SupportsBulkVolumeVerification() bool {
 return true
 }

+func (plugin *gcePersistentDiskPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *gcePersistentDiskPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
index 5f0e7075eb7..76dafd7c839 100644
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@@ -89,6 +89,10 @@ func (plugin *gitRepoPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *gitRepoPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *gitRepoPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 if err := validateVolume(spec.Volume.GitRepo); err != nil {
 return nil, err
diff --git a/pkg/volume/glusterfs/glusterfs.go b/pkg/volume/glusterfs/glusterfs.go
index 07bdc926719..10e571a8b5d 100644
--- a/pkg/volume/glusterfs/glusterfs.go
+++ b/pkg/volume/glusterfs/glusterfs.go
@@ -132,6 +132,10 @@ func (plugin *glusterfsPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *glusterfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *glusterfsPlugin) RequiresFSResize() bool {
 return false
 }
diff --git a/pkg/volume/hostpath/host_path.go b/pkg/volume/hostpath/host_path.go
index 8900023c51f..c6f5b4c779c 100644
--- a/pkg/volume/hostpath/host_path.go
+++ b/pkg/volume/hostpath/host_path.go
@@ -108,6 +108,10 @@ func (plugin *hostPathPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *hostPathPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *hostPathPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/iscsi/iscsi.go b/pkg/volume/iscsi/iscsi.go
index 830bd5f717b..f19f670c2c7 100644
--- a/pkg/volume/iscsi/iscsi.go
+++ b/pkg/volume/iscsi/iscsi.go
@@ -92,6 +92,10 @@ func (plugin *iscsiPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *iscsiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *iscsiPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/local/local.go b/pkg/volume/local/local.go
index df9b7f560f9..ab2af54c2e4 100644
--- a/pkg/volume/local/local.go
+++ b/pkg/volume/local/local.go
@@ -96,6 +96,10 @@ func (plugin *localVolumePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *localVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *localVolumePlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 // The current meaning of AccessMode is how many nodes can attach to it, not how many pods can mount it
 return []v1.PersistentVolumeAccessMode{
diff --git a/pkg/volume/nfs/nfs.go b/pkg/volume/nfs/nfs.go
index 4a557e884bd..f292be4a506 100644
--- a/pkg/volume/nfs/nfs.go
+++ b/pkg/volume/nfs/nfs.go
@@ -105,6 +105,10 @@ func (plugin *nfsPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *nfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *nfsPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/noop_expandable_plugin.go b/pkg/volume/noop_expandable_plugin.go
index fac27426301..8e3872e3712 100644
--- a/pkg/volume/noop_expandable_plugin.go
+++ b/pkg/volume/noop_expandable_plugin.go
@@ -75,3 +75,7 @@ func (n *noopExpandableVolumePluginInstance) SupportsBulkVolumeVerification() bo
 func (n *noopExpandableVolumePluginInstance) RequiresFSResize() bool {
 return true
 }
+
+func (n *noopExpandableVolumePluginInstance) SupportsSELinuxContextMount(spec *Spec) (bool, error) {
+ return false, nil
+}
diff --git a/pkg/volume/plugins.go b/pkg/volume/plugins.go
index 5fd44568a01..23afc41539b 100644
--- a/pkg/volume/plugins.go
+++ b/pkg/volume/plugins.go
@@ -187,6 +187,10 @@ type VolumePlugin interface {
 // of enabling bulk polling of all nodes. This can speed up verification of
 // attached volumes by quite a bit, but underlying pluging must support it.
 SupportsBulkVolumeVerification() bool
+
+ // SupportsSELinuxContextMount returns true if volume plugins supports
+ // mount -o context=XYZ for a given volume.
+ SupportsSELinuxContextMount(spec *Spec) (bool, error)
 }

 // PersistentVolumePlugin is an extended interface of VolumePlugin and is used
diff --git a/pkg/volume/plugins_test.go b/pkg/volume/plugins_test.go
index 510f204ca1b..dabb421a344 100644
--- a/pkg/volume/plugins_test.go
+++ b/pkg/volume/plugins_test.go
@@ -87,6 +87,10 @@ func (plugin *testPlugins) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *testPlugins) SupportsSELinuxContextMount(spec *Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *testPlugins) NewMounter(spec *Spec, podRef *v1.Pod, opts VolumeOptions) (Mounter, error) {
 return nil, nil
 }
diff --git a/pkg/volume/portworx/portworx.go b/pkg/volume/portworx/portworx.go
index b5429b9de61..417929b780d 100644
--- a/pkg/volume/portworx/portworx.go
+++ b/pkg/volume/portworx/portworx.go
@@ -230,6 +230,10 @@ func (plugin *portworxVolumePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *portworxVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func getVolumeSource(
 spec *volume.Spec) (*v1.PortworxVolumeSource, bool, error) {
 if spec.Volume != nil && spec.Volume.PortworxVolume != nil {
diff --git a/pkg/volume/projected/projected.go b/pkg/volume/projected/projected.go
index e30cb802243..ecbe408098e 100644
--- a/pkg/volume/projected/projected.go
+++ b/pkg/volume/projected/projected.go
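Review bot: The doc comment on the new `SupportsSELinuxContextMount` method of `VolumePlugin` covers only the boolean and says nothing about the `error` result or whether `spec` may be nil, so every implementer and caller has to guess the contract. Because the answer decides whether a volume is mounted with `-o context=`, the comment should state which way to fail: presumably a plugin may return true only when its mount really applies the requested context, and a caller must never treat an error as support. The wording also needs a grammar fix ("volume plugins supports"). Suggested text: `// SupportsSELinuxContextMount reports whether the plugin can mount the volume described by spec with "-o context=<label>". A non-nil error means support could not be determined; callers must not assume true.` The interface body starts above this hunk.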
@@ -105,6 +105,10 @@ func (plugin *projectedPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *projectedPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *projectedPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return &projectedVolumeMounter{
 projectedVolume: &projectedVolume{
diff --git a/pkg/volume/rbd/rbd.go b/pkg/volume/rbd/rbd.go
index 85f949a5b55..adb4e61376c 100644
--- a/pkg/volume/rbd/rbd.go
+++ b/pkg/volume/rbd/rbd.go
@@ -125,6 +125,10 @@ func (plugin *rbdPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *rbdPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *rbdPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 return []v1.PersistentVolumeAccessMode{
 v1.ReadWriteOnce,
diff --git a/pkg/volume/secret/secret.go b/pkg/volume/secret/secret.go
index 0899f512667..a8a2d633b5c 100644
--- a/pkg/volume/secret/secret.go
+++ b/pkg/volume/secret/secret.go
@@ -93,6 +93,10 @@ func (plugin *secretPlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *secretPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *secretPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return &secretVolumeMounter{
 secretVolume: &secretVolume{
diff --git a/pkg/volume/testing/testing.go b/pkg/volume/testing/testing.go
index a747d755725..65949ad148e 100644
--- a/pkg/volume/testing/testing.go
+++ b/pkg/volume/testing/testing.go
@@ -284,6 +284,10 @@ func (plugin *FakeVolumePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *FakeVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *FakeVolumePlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 plugin.Lock()
 defer plugin.Unlock()
@@ -545,6 +549,10 @@ func (f *FakeBasicVolumePlugin) SupportsBulkVolumeVerification() bool {
 return f.Plugin.SupportsBulkVolumeVerification()
 }

+func (f *FakeBasicVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return f.Plugin.SupportsSELinuxContextMount(spec)
+}
+
 func (f *FakeBasicVolumePlugin) SupportsMountOption() bool {
 return f.Plugin.SupportsMountOption()
 }
@@ -626,6 +634,10 @@ func (plugin *FakeFileVolumePlugin) SupportsBulkVolumeVerification() bool {
 return false
 }

+func (plugin *FakeFileVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *FakeFileVolumePlugin) NewMounter(spec *volume.Spec, podRef *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 return nil, nil
 }
diff --git a/pkg/volume/vsphere_volume/vsphere_volume.go b/pkg/volume/vsphere_volume/vsphere_volume.go
index 904f3688669..15072690373 100644
--- a/pkg/volume/vsphere_volume/vsphere_volume.go
+++ b/pkg/volume/vsphere_volume/vsphere_volume.go
@@ -104,6 +104,10 @@ func (plugin *vsphereVolumePlugin) SupportsBulkVolumeVerification() bool {
 return true
 }

+func (plugin *vsphereVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+ return false, nil
+}
+
 func (plugin *vsphereVolumePlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, _ volume.VolumeOptions) (volume.Mounter, error) {
 return plugin.newMounterInternal(spec, pod.UID, &VsphereDiskUtil{}, plugin.host.GetMounter(plugin.GetPluginName()))
 }
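Review bot: `FakeVolumePlugin.SupportsSELinuxContextMount` in the first testing.go hunk is hard-wired to `false, nil`, so tests built on this fake cannot reach the supported branch or the error branch of whatever code consumes the new interface method. `FakeBasicVolumePlugin` in the second hunk already forwards to `f.Plugin`, so making the inner fake configurable would cover both; for example add a `SupportsSELinux bool` field to the struct (declared outside this hunk) and change the body to `return plugin.SupportsSELinux, nil`. If a test can change that field while the plugin is in use, read it under the same lock that the neighbouring `NewMounter` takes with `plugin.Lock()`.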