Run injector as privileged pod
A privileged pod can write while bypassing any SELinux checks. NFS, CephFS and Gluster tests now work without setting a special SELinux boolean for them.
		| @@ -486,6 +486,7 @@ func InjectHtml(client clientset.Interface, config VolumeTestConfig, volume v1.V | |||||||
| 	podClient := client.CoreV1().Pods(config.Namespace) | 	podClient := client.CoreV1().Pods(config.Namespace) | ||||||
| 	podName := fmt.Sprintf("%s-injector-%s", config.Prefix, rand.String(4)) | 	podName := fmt.Sprintf("%s-injector-%s", config.Prefix, rand.String(4)) | ||||||
| 	volMountName := fmt.Sprintf("%s-volume-%s", config.Prefix, rand.String(4)) | 	volMountName := fmt.Sprintf("%s-volume-%s", config.Prefix, rand.String(4)) | ||||||
|  | 	privileged := true | ||||||
|  |  | ||||||
| 	injectPod := &v1.Pod{ | 	injectPod := &v1.Pod{ | ||||||
| 		TypeMeta: metav1.TypeMeta{ | 		TypeMeta: metav1.TypeMeta{ | ||||||
| @@ -511,11 +512,9 @@ func InjectHtml(client clientset.Interface, config VolumeTestConfig, volume v1.V | |||||||
| 							MountPath: "/mnt", | 							MountPath: "/mnt", | ||||||
| 						}, | 						}, | ||||||
| 					}, | 					}, | ||||||
| 				}, | 					SecurityContext: &v1.SecurityContext{ | ||||||
| 			}, | 						Privileged: &privileged, | ||||||
| 			SecurityContext: &v1.PodSecurityContext{ | 					}, | ||||||
| 				SELinuxOptions: &v1.SELinuxOptions{ |  | ||||||
| 					Level: "s0:c0,c1", |  | ||||||
| 				}, | 				}, | ||||||
| 			}, | 			}, | ||||||
| 			RestartPolicy: v1.RestartPolicyNever, | 			RestartPolicy: v1.RestartPolicyNever, | ||||||
|   | |||||||
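Review bot: The new container `SecurityContext` sets `Privileged: &privileged` with no comment saying why, and privileged mode grants the injector all capabilities and host device access, not only the SELinux bypass the commit message describes. A comment above `privileged := true` such as `// Injector runs privileged so its writes are not blocked by SELinux on NFS, CephFS and Gluster volumes; test-only.` would record the intent and discourage copying the setting into non-test pods. Dropping the pod-level `SELinuxOptions` (`Level: "s0:c0,c1"`) presumably means the injected content is no longer written under that MCS label, so it is worth confirming that the pods which later read the volume do not depend on it. Clusters whose admission policy rejects privileged pods would likely fail to create the injector. InjectHtml starts and ends outside the visible hunks.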
	 Jan Safranek
					Jan Safranek