Add SELinuxMount feature gate

The feature gate enables mounting with -o context=XYZ mount option for all volume types, not only ReadWriteOncePod. All SELinux label tracking & error reporting infrastructure is already in place from SELinuxMountReadWriteOncePod feature gate. This is just a trivial extension to all access modes.
2025-08-06 02:34:03 +00:00 · 2024-02-06 13:35:56 +01:00 · 2024-02-06 13:35:56 +01:00 · d7028a8ed5
commit d7028a8ed5
parent 2016fab308
4 changed files with 47 additions and 2 deletions
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@ -905,6 +905,13 @@ const (
 	//
 	// Allows namespace indexer for namespace scope resources in apiserver cache to accelerate list operations.
 	StorageNamespaceIndex featuregate.Feature = "StorageNamespaceIndex"
+
+	// owner: @jsafrane
+	// kep: https://kep.k8s.io/1710
+	// alpha: v1.30
+	// Speed up container startup by mounting volumes with the correct SELinux label
+	// instead of changing each file on the volumes recursively.
+	SELinuxMount featuregate.Feature = "SELinuxMount"
 )

 func init() {
@ -1157,6 +1164,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS

 	UserNamespacesPodSecurityStandards: {Default: false, PreRelease: featuregate.Alpha},

+	SELinuxMount: {Default: false, PreRelease: featuregate.Alpha},
+
 	// inherited features from generic apiserver, relisted here to get a conflict if it is changed
 	// unintentionally on either side:

--- a/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go
+++ b/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go
@ -1212,6 +1212,7 @@ func TestCheckVolumeSELinux(t *testing.T) {
 		accessModes                  []v1.PersistentVolumeAccessMode
 		existingContainerSELinuxOpts *v1.SELinuxOptions
 		newContainerSELinuxOpts      *v1.SELinuxOptions
+		seLinuxMountFeatureEnabled   bool
 		pluginSupportsSELinux        bool
 		expectError                  bool
 		expectedContext              string
@ -1231,14 +1232,22 @@ func TestCheckVolumeSELinux(t *testing.T) {
 			expectedContext:         "system_u:object_r:container_file_t:s0:c3,c4",
 		},
 		{
-			name:                    "RWX with plugin with SELinux with fill context in pod",
+			name:                    "RWX with plugin with SELinux with full context in pod and SELinuxMount feature disabled",
 			accessModes:             []v1.PersistentVolumeAccessMode{v1.ReadWriteMany},
 			newContainerSELinuxOpts: fullOpts,
 			pluginSupportsSELinux:   true,
 			expectedContext:         "", // RWX volumes don't support SELinux
 		},
 		{
-			name:                    "RWOP with plugin with no SELinux with fill context in pod",
+			name:                       "RWX with plugin with SELinux with full context in pod and SELinuxMount feature enabled",
+			accessModes:                []v1.PersistentVolumeAccessMode{v1.ReadWriteMany},
+			newContainerSELinuxOpts:    fullOpts,
+			pluginSupportsSELinux:      true,
+			seLinuxMountFeatureEnabled: true,
+			expectedContext:            "system_u:object_r:container_file_t:s0:c1,c2",
+		},
+		{
+			name:                    "RWOP with plugin with no SELinux with full context in pod",
 			accessModes:             []v1.PersistentVolumeAccessMode{v1.ReadWriteOncePod},
 			newContainerSELinuxOpts: fullOpts,
 			pluginSupportsSELinux:   false,
@ -1267,6 +1276,25 @@ func TestCheckVolumeSELinux(t *testing.T) {
 			pluginSupportsSELinux:        true,
 			expectedContext:              "",
 		},
+		{
+			name:                         "mismatched SELinux with RWX and SELinuxMount feature disabled",
+			accessModes:                  []v1.PersistentVolumeAccessMode{v1.ReadWriteMany},
+			existingContainerSELinuxOpts: fullOpts,
+			newContainerSELinuxOpts:      differentFullOpts,
+			pluginSupportsSELinux:        true,
+			expectedContext:              "",
+		},
+		{
+			name:                         "mismatched SELinux with RWX and SELinuxMount feature enabled",
+			accessModes:                  []v1.PersistentVolumeAccessMode{v1.ReadWriteMany},
+			existingContainerSELinuxOpts: fullOpts,
+			newContainerSELinuxOpts:      differentFullOpts,
+			pluginSupportsSELinux:        true,
+			seLinuxMountFeatureEnabled:   true,
+			expectError:                  true,
+			// The original seLinuxOpts are kept in DSW
+			expectedContext: "system_u:object_r:container_file_t:s0:c1,c2",
+		},
 		{
 			name:                         "mismatched SELinux with RWOP - failure",
 			accessModes:                  []v1.PersistentVolumeAccessMode{v1.ReadWriteOncePod},
@ -1319,6 +1347,7 @@ func TestCheckVolumeSELinux(t *testing.T) {
 					},
 				},
 			}
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMount, tc.seLinuxMountFeatureEnabled)()

 			fakeVolumePluginMgr, plugin := volumetesting.GetTestKubeletVolumePluginMgr(t)
 			plugin.SupportsSELinux = tc.pluginSupportsSELinux
--- a/pkg/volume/util/operationexecutor/operation_executor.go
+++ b/pkg/volume/util/operationexecutor/operation_executor.go
@ -449,6 +449,9 @@ type VolumeToMount struct {
 	DesiredPersistentVolumeSize resource.Quantity

 	// SELinux label that should be used to mount.
+	// The label is set when:
+	// * SELinuxMountReadWriteOncePod feature gate is enabled and the volume is RWOP and kubelet knows the SELinux label.
+	// * Or, SELinuxMount feature gate is enabled and kubelet knows the SELinux label.
 	SELinuxLabel string
 }

--- a/pkg/volume/util/selinux.go
+++ b/pkg/volume/util/selinux.go
@ -177,6 +177,10 @@ func VolumeSupportsSELinuxMount(volumeSpec *volume.Spec) bool {
 	if len(volumeSpec.PersistentVolume.Spec.AccessModes) != 1 {
 		return false
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMount) {
+		return true
+	}
+	// Only SELinuxMountReadWriteOncePod feature enabled
 	if !v1helper.ContainsAccessMode(volumeSpec.PersistentVolume.Spec.AccessModes, v1.ReadWriteOncePod) {
 		return false
 	}