Add CSIDriverSpec.SELinuxMount
The new field tells Kubernetes whether the CSI driver supports mounting volumes with the `-o context=XYZ` mount option.
@@ -390,6 +390,27 @@ type CSIDriverSpec struct {
|
||||
//
|
||||
// +optional
|
||||
RequiresRepublish *bool
|
||||
|
||||
// SELinuxMount specifies if the CSI driver supports "-o context"
|
||||
// mount option.
|
||||
//
|
||||
// When "true", the CSI driver must ensure that all volumes provided by this CSI
|
||||
// driver can be mounted separately with different `-o context` options. This is
|
||||
// typical for storage backends that provide volumes as filesystems on block
|
||||
// devices or as independent shared volumes.
|
||||
// Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount
|
||||
// option when mounting a ReadWriteOncePod volume used in Pod that has
|
||||
// explicitly set SELinux context. In the future, it may be expanded to other
|
||||
// volume AccessModes. In any case, Kubernetes will ensure that the volume is
|
||||
// mounted only with a single SELinux context.
|
||||
//
|
||||
// When "false", Kubernetes won't pass any special SELinux mount options to the driver.
|
||||
// This is typical for volumes that represent subdirectories of a bigger shared filesystem.
|
||||
//
|
||||
// Default is "false".
|
||||
//
|
||||
// +optional
|
||||
SELinuxMount *bool
|
||||
}
|
||||
|
||||
// FSGroupPolicy specifies if a CSI Driver supports modifying
|
||||
|
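Review bot: The new comment on `SELinuxMount` ends with `Default is "false"`, but the defaulting added in this commit only runs when the SELinuxMountReadWriteOncePod gate is enabled, so with the gate off the field stays nil. The comment should say that, for example `// Default is "false" when the SELinuxMountReadWriteOncePod feature gate is enabled; otherwise the field is left unset.`, and Kubernetes API fields behind a gate normally also carry a `// +featureGate=SELinuxMountReadWriteOncePod` marker. The comment also states what a driver must guarantee when it sets "true" but not what happens if it sets "true" without meeting that guarantee; since this is the field's security contract, one sentence on the consequence would help, presumably a label that is not independent per volume. CSIDriverSpec begins outside this hunk.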
@@ -64,4 +64,8 @@ func SetDefaults_CSIDriver(obj *storagev1.CSIDriver) {
|
||||
obj.Spec.RequiresRepublish = new(bool)
|
||||
*(obj.Spec.RequiresRepublish) = false
|
||||
}
|
||||
if obj.Spec.SELinuxMount == nil && utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
|
||||
obj.Spec.SELinuxMount = new(bool)
|
||||
*(obj.Spec.SELinuxMount) = false
|
||||
}
|
||||
}
|
||||
|
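Review bot: The new `if obj.Spec.SELinuxMount == nil && ...Enabled(features.SELinuxMountReadWriteOncePod)` branch leaves the pointer nil whenever the gate is off, so every reader of this field has to handle nil and treat it as "do not pass `-o context`". That contract is not written down here; a comment above the branch such as `// Defaulted only while the gate is on; consumers must treat nil as false.` would make it explicit. The v1beta1 SetDefaults_CSIDriver hunk later in this commit has the identical branch and needs the same comment. SetDefaults_CSIDriver starts outside the hunk.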
@@ -122,3 +122,30 @@ func TestSetDefaultCSIDriver(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
|
||||
driver := &storagev1.CSIDriver{}
|
||||
|
||||
// field should be defaulted
|
||||
defaultSELinuxMount := false
|
||||
output := roundTrip(t, runtime.Object(driver)).(*storagev1.CSIDriver)
|
||||
outSELinuxMount := output.Spec.SELinuxMount
|
||||
if outSELinuxMount == nil {
|
||||
t.Errorf("Expected SELinuxMount to be defaulted to: %+v, got: nil", defaultSELinuxMount)
|
||||
} else if *outSELinuxMount != defaultSELinuxMount {
|
||||
t.Errorf("Expected SELinuxMount to be defaulted to: %+v, got: %+v", defaultSELinuxMount, outSELinuxMount)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodDisabled(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, false)()
|
||||
driver := &storagev1.CSIDriver{}
|
||||
|
||||
// field should not be defaulted
|
||||
output := roundTrip(t, runtime.Object(driver)).(*storagev1.CSIDriver)
|
||||
outSELinuxMount := output.Spec.SELinuxMount
|
||||
if outSELinuxMount != nil {
|
||||
t.Errorf("Expected SELinuxMount to remain nil, got: %+v", outSELinuxMount)
|
||||
}
|
||||
}
|
||||
|
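Review bot: In TestSetDefaultSELinuxMountReadWriteOncePodEnabled the failure message in the `else if` branch formats `outSELinuxMount`, a `*bool`, with `%+v`, so a failure prints a pointer address instead of the value; pass `*outSELinuxMount` as the last argument. Both new tests start from an empty `CSIDriver{}`, so nothing checks that an explicit `SELinuxMount: true` survives defaulting; a third case that sets the field to true and asserts it is unchanged would cover the path that matters most for drivers opting in. The v1beta1 test hunk later in this commit has the same pointer formatting, and its Disabled message reads `Expected SELinuxMount remain nil` where the v1 copy says `to remain nil`.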
@@ -64,4 +64,8 @@ func SetDefaults_CSIDriver(obj *storagev1beta1.CSIDriver) {
|
||||
obj.Spec.RequiresRepublish = new(bool)
|
||||
*(obj.Spec.RequiresRepublish) = false
|
||||
}
|
||||
if obj.Spec.SELinuxMount == nil && utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
|
||||
obj.Spec.SELinuxMount = new(bool)
|
||||
*(obj.Spec.SELinuxMount) = false
|
||||
}
|
||||
}
|
||||
|
@@ -165,3 +165,30 @@ func TestSetDefaultCSIDriver(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
|
||||
driver := &storagev1beta1.CSIDriver{}
|
||||
|
||||
// field should be defaulted
|
||||
defaultSELinuxMount := false
|
||||
output := roundTrip(t, runtime.Object(driver)).(*storagev1beta1.CSIDriver)
|
||||
outSELinuxMount := output.Spec.SELinuxMount
|
||||
if outSELinuxMount == nil {
|
||||
t.Errorf("Expected SELinuxMount to be defaulted to: %+v, got: nil", defaultSELinuxMount)
|
||||
} else if *outSELinuxMount != defaultSELinuxMount {
|
||||
t.Errorf("Expected SELinuxMount to be defaulted to: %+v, got: %+v", defaultSELinuxMount, outSELinuxMount)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodDisabled(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, false)()
|
||||
driver := &storagev1beta1.CSIDriver{}
|
||||
|
||||
// field should not be defaulted
|
||||
output := roundTrip(t, runtime.Object(driver)).(*storagev1beta1.CSIDriver)
|
||||
outSELinuxMount := output.Spec.SELinuxMount
|
||||
if outSELinuxMount != nil {
|
||||
t.Errorf("Expected SELinuxMount remain nil, got: %+v", outSELinuxMount)
|
||||
}
|
||||
}
|
||||
|