Merge pull request #116424 from jsafrane/add-selinux-metric-test
Add e2e tests for SELinux metrics
This commit is contained in:
Kubernetes Prow Robot
@@ -207,12 +207,23 @@ type volumeToMount struct {
|
||||
// Usually this value reflects size recorded in pv.Spec.Capacity
|
||||
persistentVolumeSize *resource.Quantity
|
||||
|
||||
// seLinuxFileLabel is desired SELinux label on files on the volume. If empty, then
|
||||
// effectiveSELinuxMountFileLabel is the SELinux label that will be applied to the volume using mount options.
|
||||
// If empty, then:
|
||||
// - either the context+label is unknown (assigned randomly by the container runtime)
|
||||
// - or the volume plugin responsible for this volume does not support mounting with -o context
|
||||
// - or the volume is not ReadWriteOncePod
|
||||
// - or the OS does not support SELinux
|
||||
// In all cases, the SELinux context does not matter when mounting the volume.
|
||||
effectiveSELinuxMountFileLabel string
|
||||
|
||||
// originalSELinuxLabel is the SELinux label that would be used if SELinux mount was supported for all access modes.
|
||||
// For RWOP volumes it's the same as effectiveSELinuxMountFileLabel.
|
||||
// It is used only to report potential SELinux mismatch metrics.
|
||||
// If empty, then:
|
||||
// - either the context+label is unknown (assigned randomly by the container runtime)
|
||||
// - or the volume plugin responsible for this volume does not support mounting with -o context
|
||||
// - or the OS does not support SELinux
|
||||
// In all cases, the SELinux context does not matter when mounting the volume.
|
||||
seLinuxFileLabel string
|
||||
originalSELinuxLabel string
|
||||
}
|
||||
|
||||
// The pod object represents a pod that references the underlying volume and
|
||||
@@ -308,23 +319,25 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
|
||||
}
|
||||
}
|
||||
}
|
||||
effectiveSELinuxMountLabel := seLinuxFileLabel
|
||||
if !util.VolumeSupportsSELinuxMount(volumeSpec) {
|
||||
// Clear SELinux label for the volume with unsupported access modes.
|
||||
klog.V(4).InfoS("volume does not support SELinux context mount, clearing the expected label", "volume", volumeSpec.Name())
|
||||
seLinuxFileLabel = ""
|
||||
effectiveSELinuxMountLabel = ""
|
||||
}
|
||||
if seLinuxFileLabel != "" {
|
||||
seLinuxVolumesAdmitted.Add(1.0)
|
||||
}
|
||||
vmt := volumeToMount{
|
||||
volumeName: volumeName,
|
||||
podsToMount: make(map[types.UniquePodName]podToMount),
|
||||
pluginIsAttachable: attachable,
|
||||
pluginIsDeviceMountable: deviceMountable,
|
||||
volumeGidValue: volumeGidValue,
|
||||
reportedInUse: false,
|
||||
desiredSizeLimit: sizeLimit,
|
||||
seLinuxFileLabel: seLinuxFileLabel,
|
||||
volumeName: volumeName,
|
||||
podsToMount: make(map[types.UniquePodName]podToMount),
|
||||
pluginIsAttachable: attachable,
|
||||
pluginIsDeviceMountable: deviceMountable,
|
||||
volumeGidValue: volumeGidValue,
|
||||
reportedInUse: false,
|
||||
desiredSizeLimit: sizeLimit,
|
||||
effectiveSELinuxMountFileLabel: effectiveSELinuxMountLabel,
|
||||
originalSELinuxLabel: seLinuxFileLabel,
|
||||
}
|
||||
// record desired size of the volume
|
||||
if volumeSpec.PersistentVolume != nil {
|
||||
@@ -338,17 +351,13 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
|
||||
} else {
|
||||
// volume exists
|
||||
if pluginSupportsSELinuxContextMount {
|
||||
if seLinuxFileLabel != vol.seLinuxFileLabel {
|
||||
if seLinuxFileLabel != vol.originalSELinuxLabel {
|
||||
// TODO: update the error message after tests, e.g. add at least the conflicting pod names.
|
||||
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
|
||||
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.originalSELinuxLabel, seLinuxFileLabel)
|
||||
supported := util.VolumeSupportsSELinuxMount(volumeSpec)
|
||||
if err := handleSELinuxMetricError(fullErr, supported, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
|
||||
return "", err
|
||||
}
|
||||
} else {
|
||||
if seLinuxFileLabel != "" {
|
||||
seLinuxVolumesAdmitted.Add(1.0)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -500,7 +509,7 @@ func (dsw *desiredStateOfWorld) VolumeExists(
|
||||
// and mounted with new SELinux mount options for pod B.
|
||||
// Without SELinux, kubelet can (and often does) reuse device mounted
|
||||
// for A.
|
||||
return vol.seLinuxFileLabel == seLinuxMountContext
|
||||
return vol.effectiveSELinuxMountFileLabel == seLinuxMountContext
|
||||
}
|
||||
return true
|
||||
}
|
||||
@@ -516,7 +525,7 @@ func (dsw *desiredStateOfWorld) PodExistsInVolume(
|
||||
}
|
||||
|
||||
if feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
|
||||
if volumeObj.seLinuxFileLabel != seLinuxMountOption {
|
||||
if volumeObj.effectiveSELinuxMountFileLabel != seLinuxMountOption {
|
||||
// The volume is in DSW, but with a different SELinux mount option.
|
||||
// Report it as unused, so the volume is unmounted and mounted back
|
||||
// with the right SELinux option.
|
||||
@@ -574,7 +583,7 @@ func (dsw *desiredStateOfWorld) GetVolumesToMount() []VolumeToMount {
|
||||
ReportedInUse: volumeObj.reportedInUse,
|
||||
MountRequestTime: podObj.mountRequestTime,
|
||||
DesiredSizeLimit: volumeObj.desiredSizeLimit,
|
||||
SELinuxLabel: volumeObj.seLinuxFileLabel,
|
||||
SELinuxLabel: volumeObj.effectiveSELinuxMountFileLabel,
|
||||
},
|
||||
}
|
||||
if volumeObj.persistentVolumeSize != nil {
|
||||
|
||||
Reference in New Issue
Block a user