github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move SELinux warning metric to be counted once per pod

Browse Source 
volume_manager_selinux_volume_context_mismatch_warnings_total should be
counted only once per volume + pod. The previous location is evaluated
periodically, so bump the metric only when a new pod is added to volume.
This commit is contained in:
Jan Safranek
2023-10-12 14:00:00 +02:00
parent 8453eb0c24
commit 2f5903b4cf
1 changed files with 15 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
pkg/kubelet/volumemanager/cache/desired_state_of_world.go vendored
View File

@@ -306,7 +306,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
}
klog.V(4).InfoS("expected volume SELinux label context", "volume", volumeSpec.Name(), "label", seLinuxFileLabel)
if vol, volumeExists := dsw.volumesToMount[volumeName]; !volumeExists {
if _, volumeExists := dsw.volumesToMount[volumeName]; !volumeExists {
var sizeLimit *resource.Quantity
if volumeSpec.Volume != nil {
if util.IsLocalEphemeralVolume(*volumeSpec.Volume) {
@@ -350,12 +350,21 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
}
}
dsw.volumesToMount[volumeName] = vmt
} else {
// volume exists
}
oldPodMount, ok := dsw.volumesToMount[volumeName].podsToMount[podName]
mountRequestTime := time.Now()
if ok && !volumePlugin.RequiresRemount(volumeSpec) {
mountRequestTime = oldPodMount.mountRequestTime
}
if !ok {
// The volume exists, but not with this pod.
// It will be added below as podToMount, now just report SELinux metric.
if pluginSupportsSELinuxContextMount {
if seLinuxFileLabel != vol.originalSELinuxLabel {
// TODO: update the error message after tests, e.g. add at least the conflicting pod names.
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.originalSELinuxLabel, seLinuxFileLabel)
existingVolume := dsw.volumesToMount[volumeName]
if seLinuxFileLabel != existingVolume.originalSELinuxLabel {
fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), existingVolume.originalSELinuxLabel, seLinuxFileLabel)
supported := util.VolumeSupportsSELinuxMount(volumeSpec)
err := handleSELinuxMetricError(
fullErr,
@@ -369,12 +378,6 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
}
}
oldPodMount, ok := dsw.volumesToMount[volumeName].podsToMount[podName]
mountRequestTime := time.Now()
if ok && !volumePlugin.RequiresRemount(volumeSpec) {
mountRequestTime = oldPodMount.mountRequestTime
}
// Create new podToMount object. If it already exists, it is refreshed with
// updated values (this is required for volumes that require remounting on
// pod update, like Downward API volumes).