From 525b8e5cd6d410034058397b282386f21cbc2f20 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Fri, 11 Feb 2022 10:45:29 +0100
Subject: [PATCH] Rename SupportsSELinux to SELinuxRelabel

The field in fact says that the container runtime should relabel a volume when running a container with it, it does not say that the volume supports SELinux. For example, NFS can support SELinux, but we don't want NFS volumes relabeled, because they can be shared among several Pods.
---
 pkg/kubelet/kubelet_pods.go | 2 +-
 pkg/volume/awsebs/aws_ebs.go | 6 +++---
 pkg/volume/azure_file/azure_file.go | 6 +++---
 pkg/volume/azuredd/azure_mounter.go | 6 +++---
 pkg/volume/cephfs/cephfs.go | 6 +++---
 pkg/volume/cinder/cinder.go | 6 +++---
 pkg/volume/configmap/configmap.go | 6 +++---
 pkg/volume/csi/csi_mounter.go | 6 +++---
 pkg/volume/downwardapi/downwardapi.go | 6 +++---
 pkg/volume/emptydir/empty_dir.go | 6 +++---
 pkg/volume/fc/fc.go | 6 +++---
 pkg/volume/flexvolume/mounter-defaults.go | 6 +++---
 pkg/volume/flocker/flocker.go | 6 +++---
 pkg/volume/gcepd/gce_pd.go | 6 +++---
 pkg/volume/git_repo/git_repo.go | 6 +++---
 pkg/volume/glusterfs/glusterfs.go | 6 +++---
 pkg/volume/hostpath/host_path.go | 6 +++---
 pkg/volume/iscsi/iscsi.go | 6 +++---
 pkg/volume/local/local.go | 6 +++---
 pkg/volume/nfs/nfs.go | 9 +++++----
 pkg/volume/portworx/portworx.go | 9 +++++----
 pkg/volume/projected/projected.go | 6 +++---
 pkg/volume/quobyte/quobyte.go | 6 +++---
 pkg/volume/rbd/rbd.go | 19 +++++++++----------
 pkg/volume/secret/secret.go | 6 +++---
 pkg/volume/storageos/storageos.go | 6 +++---
 pkg/volume/testing/testing.go | 6 +++---
 pkg/volume/volume.go | 6 +++---
 pkg/volume/vsphere_volume/vsphere_volume.go | 4 ++--
 29 files changed, 94 insertions(+), 93 deletions(-)

diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 93f722589e3..2808ad02b2c 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -175,7 +175,7 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 // If the volume supports SELinux and it has not been
 // relabeled already and it is not a read-only volume,
 // relabel it and mark it as labeled
- if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SupportsSELinux && !vol.SELinuxLabeled {
+ if vol.Mounter.GetAttributes().Managed && vol.Mounter.GetAttributes().SELinuxRelabel && !vol.SELinuxLabeled {
 vol.SELinuxLabeled = true
 relabelVolume = true
 }
diff --git a/pkg/volume/awsebs/aws_ebs.go b/pkg/volume/awsebs/aws_ebs.go
index 5d5745e3883..b349c8651d5 100644
--- a/pkg/volume/awsebs/aws_ebs.go
+++ b/pkg/volume/awsebs/aws_ebs.go
@@ -350,9 +350,9 @@ var _ volume.Mounter = &awsElasticBlockStoreMounter{}
 
 func (b *awsElasticBlockStoreMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/azure_file/azure_file.go b/pkg/volume/azure_file/azure_file.go
index bcf4e273f2c..a3dc6b6b7de 100644
--- a/pkg/volume/azure_file/azure_file.go
+++ b/pkg/volume/azure_file/azure_file.go
@@ -239,9 +239,9 @@ var _ volume.Mounter = &azureFileMounter{}
 
 func (b *azureFileMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: false,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/azuredd/azure_mounter.go b/pkg/volume/azuredd/azure_mounter.go
index 647533510ff..8dbdf480228 100644
--- a/pkg/volume/azuredd/azure_mounter.go
+++ b/pkg/volume/azuredd/azure_mounter.go
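Review bot: The three comment lines above the changed condition still describe the old semantics — `// If the volume supports SELinux and it has not been` — so the comment now contradicts the field it guards, which is exactly the confusion the rename sets out to remove. Suggest rewording the first line to `// If the container runtime should relabel the volume and it has not been` and leaving the other two lines as they are. makeMounts begins before this hunk, so other references inside the function are not visible here.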
@@ -56,9 +56,9 @@ func (m *azureDiskMounter) GetAttributes() volume.Attributes {
 readOnly = *volumeSource.ReadOnly
 }
 return volume.Attributes{
- ReadOnly: readOnly,
- Managed: !readOnly,
- SupportsSELinux: true,
+ ReadOnly: readOnly,
+ Managed: !readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/cephfs/cephfs.go b/pkg/volume/cephfs/cephfs.go
index 9e997e35f55..9f866219f23 100644
--- a/pkg/volume/cephfs/cephfs.go
+++ b/pkg/volume/cephfs/cephfs.go
@@ -206,9 +206,9 @@ var _ volume.Mounter = &cephfsMounter{}
 
 func (cephfsVolume *cephfsMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: cephfsVolume.readonly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: cephfsVolume.readonly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/cinder/cinder.go b/pkg/volume/cinder/cinder.go
index f917d2bc9d9..92bb9096b8b 100644
--- a/pkg/volume/cinder/cinder.go
+++ b/pkg/volume/cinder/cinder.go
@@ -371,9 +371,9 @@ type cinderVolume struct {
 
 func (b *cinderVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/configmap/configmap.go b/pkg/volume/configmap/configmap.go
index 607587938f1..da719796fa1 100644
--- a/pkg/volume/configmap/configmap.go
+++ b/pkg/volume/configmap/configmap.go
@@ -157,9 +157,9 @@ var _ volume.Mounter = &configMapVolumeMounter{}
 
 func (sv *configMapVolume) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: true,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: true,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/csi/csi_mounter.go b/pkg/volume/csi/csi_mounter.go
index 95eb198b148..10e823e6913 100644
--- a/pkg/volume/csi/csi_mounter.go
+++ b/pkg/volume/csi/csi_mounter.go
@@ -352,9 +352,9 @@ func (c *csiMountMgr) podServiceAccountTokenAttrs() (map[string]string, error) {
 
 func (c *csiMountMgr) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: c.readOnly,
- Managed: !c.readOnly,
- SupportsSELinux: c.supportsSELinux,
+ ReadOnly: c.readOnly,
+ Managed: !c.readOnly,
+ SELinuxRelabel: c.supportsSELinux,
 }
 }
 
diff --git a/pkg/volume/downwardapi/downwardapi.go b/pkg/volume/downwardapi/downwardapi.go
index 9e3dedba472..310dd223043 100644
--- a/pkg/volume/downwardapi/downwardapi.go
+++ b/pkg/volume/downwardapi/downwardapi.go
@@ -153,9 +153,9 @@ var _ volume.Mounter = &downwardAPIVolumeMounter{}
 // downward API volumes are always ReadOnlyManaged
 func (d *downwardAPIVolume) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: true,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: true,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/emptydir/empty_dir.go b/pkg/volume/emptydir/empty_dir.go
index b8f6bbcbabd..ab897162e6a 100644
--- a/pkg/volume/emptydir/empty_dir.go
+++ b/pkg/volume/emptydir/empty_dir.go
@@ -219,9 +219,9 @@ type emptyDir struct {
 
 func (ed *emptyDir) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: false,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: false,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/fc/fc.go b/pkg/volume/fc/fc.go
index 6cdfa925329..b16470d7f5f 100644
--- a/pkg/volume/fc/fc.go
+++ b/pkg/volume/fc/fc.go
@@ -364,9 +364,9 @@ var _ volume.Mounter = &fcDiskMounter{}
 
 func (b *fcDiskMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/flexvolume/mounter-defaults.go b/pkg/volume/flexvolume/mounter-defaults.go
index a1c89ab1911..c5d99aba64a 100644
--- a/pkg/volume/flexvolume/mounter-defaults.go
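Review bot: `SELinuxRelabel: c.supportsSELinux` leaves the old name on the csiMountMgr field, so the mismatch this commit removes from volume.Attributes survives one level down in the CSI mounter. Whatever populates c.supportsSELinux is outside this hunk, so I cannot tell whether it comes from driver capabilities or a fixed value; either way a reader of the struct will again take it to mean "the volume supports SELinux" rather than "the runtime should relabel it". Renaming the field to `seLinuxRelabel` in the same change would be cleanest; if that is deferred, a comment at its declaration stating that it carries the same meaning as Attributes.SELinuxRelabel would avoid the trap.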
+++ b/pkg/volume/flexvolume/mounter-defaults.go
@@ -45,9 +45,9 @@ func (f *mounterDefaults) SetUpAt(dir string, mounterArgs volume.MounterArgs) er
 func (f *mounterDefaults) GetAttributes() volume.Attributes {
 klog.V(5).Info(logPrefix(f.plugin), "using default GetAttributes")
 return volume.Attributes{
- ReadOnly: f.readOnly,
- Managed: !f.readOnly,
- SupportsSELinux: f.flexVolume.plugin.capabilities.SELinuxRelabel,
+ ReadOnly: f.readOnly,
+ Managed: !f.readOnly,
+ SELinuxRelabel: f.flexVolume.plugin.capabilities.SELinuxRelabel,
 }
 }
 
diff --git a/pkg/volume/flocker/flocker.go b/pkg/volume/flocker/flocker.go
index 74eedc7220e..d39a7ce9d98 100644
--- a/pkg/volume/flocker/flocker.go
+++ b/pkg/volume/flocker/flocker.go
@@ -214,9 +214,9 @@ type flockerVolumeMounter struct {
 
 func (b *flockerVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: b.readOnly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/gcepd/gce_pd.go b/pkg/volume/gcepd/gce_pd.go
index dfc7a30f560..2c048671f67 100644
--- a/pkg/volume/gcepd/gce_pd.go
+++ b/pkg/volume/gcepd/gce_pd.go
@@ -354,9 +354,9 @@ var _ volume.Mounter = &gcePersistentDiskMounter{}
 
 func (b *gcePersistentDiskMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
index ba23ceaf0b7..048faced98e 100644
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@@ -161,9 +161,9 @@ var _ volume.Mounter = &gitRepoVolumeMounter{}
 
 func (b *gitRepoVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: false,
- Managed: true,
- SupportsSELinux: true, // xattr change should be okay, TODO: double check
+ ReadOnly: false,
+ Managed: true,
+ SELinuxRelabel: true, // xattr change should be okay, TODO: double check
 }
 }
 
diff --git a/pkg/volume/glusterfs/glusterfs.go b/pkg/volume/glusterfs/glusterfs.go
index 2a91164836d..62aaf4fde24 100644
--- a/pkg/volume/glusterfs/glusterfs.go
+++ b/pkg/volume/glusterfs/glusterfs.go
@@ -251,9 +251,9 @@ var _ volume.Mounter = &glusterfsMounter{}
 
 func (b *glusterfsMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: b.readOnly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/hostpath/host_path.go b/pkg/volume/hostpath/host_path.go
index ece27cf21e3..78bf040841d 100644
--- a/pkg/volume/hostpath/host_path.go
+++ b/pkg/volume/hostpath/host_path.go
@@ -212,9 +212,9 @@ var _ volume.Mounter = &hostPathMounter{}
 
 func (b *hostPathMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: b.readOnly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/iscsi/iscsi.go b/pkg/volume/iscsi/iscsi.go
index 2e4c8873af5..9bbb404f883 100644
--- a/pkg/volume/iscsi/iscsi.go
+++ b/pkg/volume/iscsi/iscsi.go
@@ -346,9 +346,9 @@ var _ volume.Mounter = &iscsiDiskMounter{}
 
 func (b *iscsiDiskMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/local/local.go b/pkg/volume/local/local.go
index 6f1387db4b8..0343112a2a1 100644
--- a/pkg/volume/local/local.go
+++ b/pkg/volume/local/local.go
@@ -504,9 +504,9 @@ var _ volume.Mounter = &localVolumeMounter{}
 
 func (m *localVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: m.readOnly,
- Managed: !m.readOnly,
- SupportsSELinux: true,
+ ReadOnly: m.readOnly,
+ Managed: !m.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/nfs/nfs.go b/pkg/volume/nfs/nfs.go
index 5ad1d9c7372..b945d62ca41 100644
--- a/pkg/volume/nfs/nfs.go
+++ b/pkg/volume/nfs/nfs.go
@@ -18,11 +18,12 @@ package nfs
 
 import (
 "fmt"
- netutil "k8s.io/utils/net"
 "os"
 "runtime"
 "time"
 
+ netutil "k8s.io/utils/net"
+
 "k8s.io/klog/v2"
 "k8s.io/mount-utils"
 utilstrings "k8s.io/utils/strings"
@@ -232,9 +233,9 @@ var _ volume.Mounter = &nfsMounter{}
 
 func (nfsMounter *nfsMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: nfsMounter.readOnly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: nfsMounter.readOnly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/portworx/portworx.go b/pkg/volume/portworx/portworx.go
index 103e244e1fd..9b1397c2cea 100644
--- a/pkg/volume/portworx/portworx.go
+++ b/pkg/volume/portworx/portworx.go
@@ -18,10 +18,11 @@ package portworx
 
 import (
 "fmt"
+ "os"
+
 "k8s.io/klog/v2"
 "k8s.io/mount-utils"
 utilstrings "k8s.io/utils/strings"
- "os"
 
 volumeclient "github.com/libopenstorage/openstorage/api/client/volume"
 v1 "k8s.io/api/core/v1"
@@ -287,9 +288,9 @@ var _ volume.Mounter = &portworxVolumeMounter{}
 
 func (b *portworxVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: false,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/projected/projected.go b/pkg/volume/projected/projected.go
index f6fca6d5790..915c11291cc 100644
--- a/pkg/volume/projected/projected.go
+++ b/pkg/volume/projected/projected.go
@@ -168,9 +168,9 @@ var _ volume.Mounter = &projectedVolumeMounter{}
 
 func (sv *projectedVolume) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: true,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: true,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/quobyte/quobyte.go b/pkg/volume/quobyte/quobyte.go
index bb71e22e79c..f7ceb8a834f 100644
--- a/pkg/volume/quobyte/quobyte.go
+++ b/pkg/volume/quobyte/quobyte.go
@@ -225,9 +225,9 @@ var _ volume.Mounter = &quobyteMounter{}
 
 func (mounter *quobyteMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: mounter.readOnly,
- Managed: false,
- SupportsSELinux: false,
+ ReadOnly: mounter.readOnly,
+ Managed: false,
+ SELinuxRelabel: false,
 }
 }
 
diff --git a/pkg/volume/rbd/rbd.go b/pkg/volume/rbd/rbd.go
index 25fc78561d3..9655539159d 100644
--- a/pkg/volume/rbd/rbd.go
+++ b/pkg/volume/rbd/rbd.go
@@ -19,28 +19,27 @@ package rbd
 import (
 "context"
 "fmt"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- "k8s.io/kubernetes/pkg/features"
 "os"
 "path/filepath"
 "regexp"
 dstrings "strings"
 
- "k8s.io/klog/v2"
- "k8s.io/mount-utils"
- utilexec "k8s.io/utils/exec"
- utilstrings "k8s.io/utils/strings"
-
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/uuid"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
 clientset "k8s.io/client-go/kubernetes"
+ "k8s.io/klog/v2"
+ "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/volume"
 volutil "k8s.io/kubernetes/pkg/volume/util"
 "k8s.io/kubernetes/pkg/volume/util/volumepathhandler"
+ "k8s.io/mount-utils"
+ utilexec "k8s.io/utils/exec"
+ utilstrings "k8s.io/utils/strings"
 )
 
 var (
@@ -832,9 +831,9 @@ var _ volume.Mounter = &rbdMounter{}
 
 func (rbd *rbd) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: rbd.ReadOnly,
- Managed: !rbd.ReadOnly,
- SupportsSELinux: true,
+ ReadOnly: rbd.ReadOnly,
+ Managed: !rbd.ReadOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/secret/secret.go b/pkg/volume/secret/secret.go
index 8226b2209ee..d154dde4c60 100644
--- a/pkg/volume/secret/secret.go
+++ b/pkg/volume/secret/secret.go
@@ -162,9 +162,9 @@ var _ volume.Mounter = &secretVolumeMounter{}
 
 func (sv *secretVolume) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: true,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: true,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/storageos/storageos.go b/pkg/volume/storageos/storageos.go
index 591b7e45592..79b471e2a54 100644
--- a/pkg/volume/storageos/storageos.go
+++ b/pkg/volume/storageos/storageos.go
@@ -328,9 +328,9 @@ var _ volume.Mounter = &storageosMounter{}
 
 func (b *storageosMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- ReadOnly: b.readOnly,
- Managed: !b.readOnly,
- SupportsSELinux: true,
+ ReadOnly: b.readOnly,
+ Managed: !b.readOnly,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/testing/testing.go b/pkg/volume/testing/testing.go
index d58f6dd16db..9b3bde13aa6 100644
--- a/pkg/volume/testing/testing.go
+++ b/pkg/volume/testing/testing.go
@@ -686,9 +686,9 @@ func getUniqueVolumeName(spec *Spec) (string, error) {
 
 func (_ *FakeVolume) GetAttributes() Attributes {
 return Attributes{
- ReadOnly: false,
- Managed: true,
- SupportsSELinux: true,
+ ReadOnly: false,
+ Managed: true,
+ SELinuxRelabel: true,
 }
 }
 
diff --git a/pkg/volume/volume.go b/pkg/volume/volume.go
index 13d75a63381..742d98671e0 100644
--- a/pkg/volume/volume.go
+++ b/pkg/volume/volume.go
@@ -115,9 +115,9 @@ type Metrics struct {
 
 // Attributes represents the attributes of this mounter.
 type Attributes struct {
- ReadOnly bool
- Managed bool
- SupportsSELinux bool
+ ReadOnly bool
+ Managed bool
+ SELinuxRelabel bool
 }
 
 // MounterArgs provides more easily extensible arguments to Mounter
diff --git a/pkg/volume/vsphere_volume/vsphere_volume.go b/pkg/volume/vsphere_volume/vsphere_volume.go
index a8b644a727c..1e7a76c8367 100644
--- a/pkg/volume/vsphere_volume/vsphere_volume.go
+++ b/pkg/volume/vsphere_volume/vsphere_volume.go
@@ -208,8 +208,8 @@ type vsphereVolumeMounter struct {
 
 func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
 return volume.Attributes{
- SupportsSELinux: true,
- Managed: true,
+ SELinuxRelabel: true,
+ Managed: true,
 }
 }
 
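Review bot: The renamed `SELinuxRelabel bool` field in Attributes has no doc comment, so the distinction the commit message draws — "the runtime should relabel this volume" versus "this volume supports SELinux" — lives only in git history and not at the declaration a plugin author reads when filling the struct. The commit message itself gives the reason it matters: a volume shared by several Pods must not be relabeled, presumably because the relabel changes the file labels every other Pod on that volume sees, so the rule belongs at the declaration. Suggest `// SELinuxRelabel is true when the container runtime should relabel the volume for the container that mounts it; it does not mean the volume supports SELinux. Volumes that can be shared across Pods (e.g. NFS) leave it false.` ReadOnly and Managed are likewise undocumented and would benefit from the same treatment.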