Add security context support in dockershim

pkg/securitycontext/provider.go

@@ -91,13 +91,20 @@ func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container
 	}
 
 	if effectiveSC.SELinuxOptions != nil {
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, effectiveSC.SELinuxOptions.User)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, effectiveSC.SELinuxOptions.Role)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, effectiveSC.SELinuxOptions.Type)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, effectiveSC.SELinuxOptions.Level)
+		hostConfig.SecurityOpt = ModifySecurityOptions(hostConfig.SecurityOpt, effectiveSC.SELinuxOptions)
 	}
 }
 
+// ModifySecurityOptions adds SELinux options to config.
+func ModifySecurityOptions(config []string, selinuxOpts *api.SELinuxOptions) []string {
+	config = modifySecurityOption(config, DockerLabelUser, selinuxOpts.User)
+	config = modifySecurityOption(config, DockerLabelRole, selinuxOpts.Role)
+	config = modifySecurityOption(config, DockerLabelType, selinuxOpts.Type)
+	config = modifySecurityOption(config, DockerLabelLevel, selinuxOpts.Level)
+
+	return config
+}
+
 // modifySecurityOption adds the security option of name to the config array with value in the form
 // of name:value
 func modifySecurityOption(config []string, name, value string) []string {

pkg/securitycontext/provider_test.go

@@ -104,10 +104,10 @@ func TestModifyHostConfig(t *testing.T) {
 
 	setSELinuxHC := &dockercontainer.HostConfig{}
 	setSELinuxHC.SecurityOpt = []string{
-		fmt.Sprintf("%s:%s", dockerLabelUser, "user"),
-		fmt.Sprintf("%s:%s", dockerLabelRole, "role"),
-		fmt.Sprintf("%s:%s", dockerLabelType, "type"),
-		fmt.Sprintf("%s:%s", dockerLabelLevel, "level"),
+		fmt.Sprintf("%s:%s", DockerLabelUser, "user"),
+		fmt.Sprintf("%s:%s", DockerLabelRole, "role"),
+		fmt.Sprintf("%s:%s", DockerLabelType, "type"),
+		fmt.Sprintf("%s:%s", DockerLabelLevel, "level"),
 	}
 
 	// seLinuxLabelsSC := fullValidSecurityContext()
@@ -325,10 +325,10 @@ func fullValidHostConfig() *dockercontainer.HostConfig {
 		CapAdd:     []string{"addCapA", "addCapB"},
 		CapDrop:    []string{"dropCapA", "dropCapB"},
 		SecurityOpt: []string{
-			fmt.Sprintf("%s:%s", dockerLabelUser, "user"),
-			fmt.Sprintf("%s:%s", dockerLabelRole, "role"),
-			fmt.Sprintf("%s:%s", dockerLabelType, "type"),
-			fmt.Sprintf("%s:%s", dockerLabelLevel, "level"),
+			fmt.Sprintf("%s:%s", DockerLabelUser, "user"),
+			fmt.Sprintf("%s:%s", DockerLabelRole, "role"),
+			fmt.Sprintf("%s:%s", DockerLabelType, "type"),
+			fmt.Sprintf("%s:%s", DockerLabelLevel, "level"),
 		},
 	}
 }

pkg/securitycontext/types.go

@@ -41,9 +41,9 @@ type SecurityContextProvider interface {
 }
 
 const (
-	dockerLabelUser    string = "label:user"
-	dockerLabelRole    string = "label:role"
-	dockerLabelType    string = "label:type"
-	dockerLabelLevel   string = "label:level"
-	dockerLabelDisable string = "label:disable"
+	DockerLabelUser    string = "label:user"
+	DockerLabelRole    string = "label:role"
+	DockerLabelType    string = "label:type"
+	DockerLabelLevel   string = "label:level"
+	DockerLabelDisable string = "label:disable"
 )