mirror of
https://github.com/rancher/rke.git
synced 2025-09-17 07:30:01 +00:00
Do not rewrite SELinux labels on volume mounts
This commit is contained in:
Sebastiaan van Steenis
@@ -264,10 +264,10 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
|
||||
services.SidekickContainerName,
|
||||
}
|
||||
Binds := []string{
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
}
|
||||
if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled {
|
||||
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit:z", path.Join(host.PrefixPath, "/var/log/kube-audit")))
|
||||
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit", path.Join(host.PrefixPath, "/var/log/kube-audit")))
|
||||
bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy)
|
||||
if err != nil {
|
||||
logrus.Warnf("Error while marshalling auditlog policy: %v", err)
|
||||
@@ -356,7 +356,7 @@ func (c *Cluster) BuildKubeControllerProcess(host *hosts.Host, serviceOptions v3
|
||||
services.SidekickContainerName,
|
||||
}
|
||||
Binds := []string{
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
}
|
||||
|
||||
for arg, value := range c.Services.KubeController.ExtraArgs {
|
||||
@@ -479,29 +479,29 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
|
||||
}
|
||||
} else {
|
||||
Binds = []string{
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
"/etc/cni:/etc/cni:rw,z",
|
||||
"/opt/cni:/opt/cni:rw,z",
|
||||
fmt.Sprintf("%s:/var/lib/cni:z", path.Join(host.PrefixPath, "/var/lib/cni")),
|
||||
"/var/lib/calico:/var/lib/calico:z",
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
"/etc/cni:/etc/cni:rw",
|
||||
"/opt/cni:/opt/cni:rw",
|
||||
fmt.Sprintf("%s:/var/lib/cni", path.Join(host.PrefixPath, "/var/lib/cni")),
|
||||
"/var/lib/calico:/var/lib/calico",
|
||||
"/etc/resolv.conf:/etc/resolv.conf",
|
||||
"/sys:/sys:rprivate",
|
||||
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave,z",
|
||||
fmt.Sprintf("%s:%s:shared,z", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
|
||||
"/var/lib/rancher:/var/lib/rancher:shared,z",
|
||||
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave",
|
||||
fmt.Sprintf("%s:%s:shared", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
|
||||
"/var/lib/rancher:/var/lib/rancher:shared",
|
||||
"/var/run:/var/run:rw,rprivate",
|
||||
"/run:/run:rprivate",
|
||||
fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")),
|
||||
"/dev:/host/dev:rprivate",
|
||||
"/var/log/containers:/var/log/containers:z",
|
||||
"/var/log/pods:/var/log/pods:z",
|
||||
"/var/log/containers:/var/log/containers",
|
||||
"/var/log/pods:/var/log/pods",
|
||||
"/usr:/host/usr:ro",
|
||||
"/etc:/host/etc:ro",
|
||||
}
|
||||
|
||||
// Special case to simplify using flex volumes
|
||||
if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" {
|
||||
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared,z")
|
||||
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared")
|
||||
}
|
||||
}
|
||||
Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...)
|
||||
@@ -610,7 +610,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
|
||||
}
|
||||
} else {
|
||||
Binds = []string{
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
"/run:/run",
|
||||
}
|
||||
|
||||
@@ -728,7 +728,7 @@ func (c *Cluster) BuildSchedulerProcess(host *hosts.Host, serviceOptions v3.Kube
|
||||
services.SidekickContainerName,
|
||||
}
|
||||
Binds := []string{
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
}
|
||||
|
||||
for arg, value := range c.Services.Scheduler.ExtraArgs {
|
||||
@@ -902,8 +902,8 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
|
||||
}
|
||||
|
||||
Binds := []string{
|
||||
fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
fmt.Sprintf("%s:%s", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||
}
|
||||
|
||||
if serviceOptions.Etcd != nil {
|
||||
|
||||
Reference in New Issue
Block a user