From eeabc3ac6c4e3a4e93c0d872937921005dfbefa4 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Tue, 25 Feb 2025 16:32:26 +0100
Subject: [PATCH] selinux: Ignore pods with Recursive policy

Pod that explicitly opted into "seLinuxChangePolicy: Recursive" should not report conflicts with another SELinux labels. They will only report a conflict with other Pods using the same volume with "seLinuxChangePolicy: Mount" (or nil).
---
 .../volume/selinuxwarning/selinux_warning_controller.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go b/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
index 2361382cfeb..51b06ffdeeb 100644
--- a/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
+++ b/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
@@ -451,10 +451,9 @@ func (c *Controller) syncPod(ctx context.Context, pod *v1.Pod) error {
 continue
 }

- // Ignore how the volume is going to be mounted.
- // Report any errors when a volume is used by two pods with different SELinux labels regardless of their
- // SELinuxChangePolicy
- seLinuxLabel := mountInfo.SELinuxProcessLabel
+ // Use the same label as kubelet will use for mount -o context.
+ // If the Pod has opted in to Recursive policy, it will be empty string here and no conflicts will be reported for it.
+ seLinuxLabel := mountInfo.SELinuxMountLabel
 err = c.syncVolume(logger, pod, spec, seLinuxLabel, mountInfo.PluginSupportsSELinuxContextMount)
 if err != nil {