Add a coment about handling same volumes with different contexts

2022-07-29 10:48:59 +02:00 · 2022-07-29 10:48:59 +02:00 · 260912490e
commit 260912490e
parent a01e720a1a
1 changed files with 13 additions and 0 deletions
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@ -485,6 +485,19 @@ func (dsw *desiredStateOfWorld) VolumeExists(
 		return false
 	}
 	if feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		// Handling two volumes with the same name and different SELinux context
+		// as two *different* volumes here. Because if a volume is mounted with
+		// an old SELinux context, it must be unmounted first and then mounted again
+		// with the new context.
+		//
+		// This will happen when a pod A with context alpha_t runs and is being
+		// terminated by kubelet and its volumes are being torn down, while a
+		// pod B with context beta_t is already scheduled on the same node,
+		// using the same volumes
+		// The volumes from Pod A must be fully unmounted (incl. UnmountDevice)
+		// and mounted with new SELinux mount options for pod B.
+		// Without SELinux, kubelet can (and often does) reuse device mounted
+		// for A.
 		return vol.seLinuxFileLabel == seLinuxMountContext
 	}
 	return true