Refactor getSELinuxLabel

Return early and reduce indentation
Jan Safranek 2024-10-09 11:21:11 +02:00
parent 8a400124f9
commit e4eedfe105


@ -393,75 +393,65 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
} }
func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) { func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) {
if !feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
return "", false, nil
}
if !dsw.seLinuxTranslator.SELinuxEnabled() {
return "", false, nil
}
pluginSupportsSELinuxContextMount, err := dsw.getSELinuxMountSupport(volumeSpec)
if err != nil {
return "", false, err
}
if feature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) &&
podSecurityContext != nil &&
podSecurityContext.SELinuxChangePolicy != nil &&
*podSecurityContext.SELinuxChangePolicy == v1.SELinuxChangePolicyRecursive {
// The pod has opted into recursive SELinux label changes. Do not mount with -o context.
return "", pluginSupportsSELinuxContextMount, nil
}
if !pluginSupportsSELinuxContextMount {
return "", pluginSupportsSELinuxContextMount, nil
}
seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
var seLinuxFileLabel string var seLinuxFileLabel string
var pluginSupportsSELinuxContextMount bool // Ensure that a volume that can be mounted with "-o context=XYZ" is
// used only by containers with the same SELinux contexts.
if feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) { for _, containerContext := range seLinuxContainerContexts {
var err error newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
if !dsw.seLinuxTranslator.SELinuxEnabled() {
return "", false, nil
}
pluginSupportsSELinuxContextMount, err = dsw.getSELinuxMountSupport(volumeSpec)
if err != nil { if err != nil {
return "", false, err fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %w", containerContext, err)
} accessMode := getVolumeAccessMode(volumeSpec)
err := handleSELinuxMetricError(
if feature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) && fullErr,
podSecurityContext != nil && seLinuxSupported,
podSecurityContext.SELinuxChangePolicy != nil && seLinuxContainerContextWarnings.WithLabelValues(accessMode),
*podSecurityContext.SELinuxChangePolicy == v1.SELinuxChangePolicyRecursive { seLinuxContainerContextErrors.WithLabelValues(accessMode))
// The pod has opted into recursive SELinux label changes. Do not mount with -o context. if err != nil {
return "", pluginSupportsSELinuxContextMount, nil return "", false, err
} }
}
// Ignoring SELinuxMount feature gate: if seLinuxFileLabel == "" {
// It allows value "SELinuxChangePolicy: MountOption" in the API server to be set. seLinuxFileLabel = newLabel
// If the feature gate + field value is set in the API server, but the feature gate is disabled here in kubelet, continue
// kubelet would default to "", which means "MountOption" anyway. }
if seLinuxFileLabel != newLabel {
seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec) accessMode := getVolumeAccessMode(volumeSpec)
if pluginSupportsSELinuxContextMount {
// Ensure that a volume that can be mounted with "-o context=XYZ" is fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
// used only by containers with the same SELinux contexts. err := handleSELinuxMetricError(
for _, containerContext := range seLinuxContainerContexts { fullErr,
newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext) seLinuxSupported,
if err != nil { seLinuxPodContextMismatchWarnings.WithLabelValues(accessMode),
fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %w", containerContext, err) seLinuxPodContextMismatchErrors.WithLabelValues(accessMode))
accessMode := getVolumeAccessMode(volumeSpec) if err != nil {
err := handleSELinuxMetricError( return "", false, err
fullErr,
seLinuxSupported,
seLinuxContainerContextWarnings.WithLabelValues(accessMode),
seLinuxContainerContextErrors.WithLabelValues(accessMode))
if err != nil {
return "", false, err
}
}
if seLinuxFileLabel == "" {
seLinuxFileLabel = newLabel
continue
}
if seLinuxFileLabel != newLabel {
accessMode := getVolumeAccessMode(volumeSpec)
fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
err := handleSELinuxMetricError(
fullErr,
seLinuxSupported,
seLinuxPodContextMismatchWarnings.WithLabelValues(accessMode),
seLinuxPodContextMismatchErrors.WithLabelValues(accessMode))
if err != nil {
return "", false, err
}
}
} }
} else {
// Volume plugin does not support SELinux context mount.
// DSW will track this volume with SELinux label "", i.e. no mount with
// -o context.
seLinuxFileLabel = ""
} }
} }
return seLinuxFileLabel, pluginSupportsSELinuxContextMount, nil return seLinuxFileLabel, pluginSupportsSELinuxContextMount, nil