Refactor getSELinuxLabel

Return early and reduce indentation
Jan Safranek 2024-10-09 11:21:11 +02:00
parent 8a400124f9
commit e4eedfe105


@ -393,17 +393,15 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
} }
func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) { func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) {
var seLinuxFileLabel string if !feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
var pluginSupportsSELinuxContextMount bool return "", false, nil
}
if feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
var err error
if !dsw.seLinuxTranslator.SELinuxEnabled() { if !dsw.seLinuxTranslator.SELinuxEnabled() {
return "", false, nil return "", false, nil
} }
pluginSupportsSELinuxContextMount, err = dsw.getSELinuxMountSupport(volumeSpec) pluginSupportsSELinuxContextMount, err := dsw.getSELinuxMountSupport(volumeSpec)
if err != nil { if err != nil {
return "", false, err return "", false, err
} }
@ -416,13 +414,12 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
return "", pluginSupportsSELinuxContextMount, nil return "", pluginSupportsSELinuxContextMount, nil
} }
// Ignoring SELinuxMount feature gate: if !pluginSupportsSELinuxContextMount {
// It allows value "SELinuxChangePolicy: MountOption" in the API server to be set. return "", pluginSupportsSELinuxContextMount, nil
// If the feature gate + field value is set in the API server, but the feature gate is disabled here in kubelet, }
// kubelet would default to "", which means "MountOption" anyway.
seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec) seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
if pluginSupportsSELinuxContextMount { var seLinuxFileLabel string
// Ensure that a volume that can be mounted with "-o context=XYZ" is // Ensure that a volume that can be mounted with "-o context=XYZ" is
// used only by containers with the same SELinux contexts. // used only by containers with the same SELinux contexts.
for _, containerContext := range seLinuxContainerContexts { for _, containerContext := range seLinuxContainerContexts {
@ -457,13 +454,6 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
} }
} }
} }
} else {
// Volume plugin does not support SELinux context mount.
// DSW will track this volume with SELinux label "", i.e. no mount with
// -o context.
seLinuxFileLabel = ""
}
}
return seLinuxFileLabel, pluginSupportsSELinuxContextMount, nil return seLinuxFileLabel, pluginSupportsSELinuxContextMount, nil
} }