rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-24 21:07:32 +00:00
Code Issues Releases Wiki Activity

Do not rewrite SELinux labels on volume mounts

Browse Source
This commit is contained in:
Sebastiaan van Steenis
2021-03-16 10:54:01 +01:00
parent 6f1661aaa9
commit 0cea67e9ff
28 changed files with 681 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
services/services.go
View File

@@ -53,16 +53,17 @@ const (
ContainerNameLabel = "io.rancher.rke.container.name"
MCSLabel = "label=level:s0:c1000,c1001"
SELinuxLabel = "label=type:rke_container_t"
)
type RestartFunc func(context.Context, *hosts.Host) error
func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process) error {
func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process, k8sVersion string) error {
isRunning, err := docker.IsContainerRunning(ctx, host.DClient, host.Address, SidekickContainerName, true)
if err != nil {
return err
}
imageCfg, hostCfg, _ := GetProcessConfig(sidecarProcess, host)
imageCfg, hostCfg, _ := GetProcessConfig(sidecarProcess, host, k8sVersion)
isUpgradable := false
if isRunning {
isUpgradable, err = docker.IsContainerUpgradable(ctx, host.DClient, imageCfg, hostCfg, SidekickContainerName, host.Address, SidekickServiceName)
@@ -102,7 +103,7 @@ func removeSidekick(ctx context.Context, host *hosts.Host) error {
return docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address)
}
func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config, *container.HostConfig, string) {
func GetProcessConfig(process v3.Process, host *hosts.Host, k8sVersion string) (*container.Config, *container.HostConfig, string) {
imageCfg := &container.Config{
Entrypoint: process.Command,
Cmd: process.Args,
@@ -143,6 +144,15 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
hostCfg.SecurityOpt = []string{MCSLabel}
}
}
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
// Limited to Kubernetes 1.22 and higher
matchedRange, _ := util.SemVerMatchRange(k8sVersion, util.SemVerK8sVersion122OrHigher)
if matchedRange {
logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
}
return imageCfg, hostCfg, process.HealthCheck.URL
}