The field in fact says that the container runtime should relabel a volume
when running a container with it, it does not say that the volume supports
SELinux. For example, NFS can support SELinux, but we don't want NFS
volumes relabeled, because they can be shared among several Pods.
When GetSELinuxSupport() fails, don't assume a mounted filesystem does not
support SELinux at all. Try again instead in the next SetUp retry.
This may hurt performance a bit, since kubelet will call NodePublishVolume
again, but it's better than providing wrong information to the container
runtime that will then skip relabeling of the volume.
Errors from staticcheck:
pkg/volume/azure_dd/azure_common.go:68:2: var winDiskNumFormat is unused (U1000)
pkg/volume/csi/csi_block.go:97:2: field volumeInfo is unused (U1000)
pkg/volume/csi/csi_block_test.go:56:6: func prepareBlockUnmapperTest is unused (U1000)
pkg/volume/csi/csi_client.go:108:2: const initialDuration is unused (U1000)
pkg/volume/csi/csi_client.go:109:2: const factor is unused (U1000)
pkg/volume/csi/csi_client.go:110:2: const steps is unused (U1000)
pkg/volume/csi/csi_client_test.go:83:8: this value of err is never used (SA4006)
pkg/volume/csi/csi_mounter.go:76:2: field options is unused (U1000)
pkg/volume/csi/csi_mounter_test.go:454:13: this value of err is never used (SA4006)
pkg/volume/csi/csi_plugin_test.go:766:16: this value of err is never used (SA4006)
pkg/volume/csi/csi_plugin_test.go:861:13: this value of err is never used (SA4006)
pkg/volume/csi/csi_plugin_test.go:1186:13: this value of err is never used (SA4006)
pkg/volume/csi/csi_plugin_test.go:1249:13: this value of err is never used (SA4006)
pkg/volume/csi/csi_test.go:305:5: the goroutine calls T.Fatalf, which must be called in the same goroutine as the test (SA2002)
pkg/volume/flexvolume/probe_test.go:67:10: this value of err is never used (SA4006)
pkg/volume/iscsi/iscsi_test.go:95:2: field attachCalled is unused (U1000)
pkg/volume/iscsi/iscsi_test.go:96:2: field detachCalled is unused (U1000)
pkg/volume/iscsi/iscsi_test.go:501:24: this value of err is never used (SA4006)
pkg/volume/iscsi/iscsi_util_test.go:159:2: this value of exist is never used (SA4006)
pkg/volume/local/local.go:351:57: argument devicePath is overwritten before first use (SA4009)
pkg/volume/plugins_test.go:119:2: this value of plug is never used (SA4006)
pkg/volume/plugins_test.go:125:2: this value of plug is never used (SA4006)
pkg/volume/quobyte/quobyte.go:474:23: this result of append is never used, except maybe in other appends (SA4010)
pkg/volume/quobyte/quobyte.go:477:23: this result of append is never used, except maybe in other appends (SA4010)
pkg/volume/quobyte/quobyte.go:480:23: this result of append is never used, except maybe in other appends (SA4010)
pkg/volume/rbd/rbd.go:886:2: field adminSecret is unused (U1000)
pkg/volume/rbd/rbd.go:887:2: field adminID is unused (U1000)
pkg/volume/rbd/rbd.go:888:2: field imageFormat is unused (U1000)
pkg/volume/rbd/rbd.go:889:2: field imageFeatures is unused (U1000)
pkg/volume/storageos/storageos.go:302:2: field secretName is unused (U1000)
pkg/volume/storageos/storageos_util_test.go:43:2: field apiAddr is unused (U1000)
pkg/volume/storageos/storageos_util_test.go:44:2: field apiUser is unused (U1000)
pkg/volume/storageos/storageos_util_test.go:45:2: field apiPass is unused (U1000)
pkg/volume/storageos/storageos_util_test.go:46:2: field apiVersion is unused (U1000)
pkg/volume/util/atomic_writer_test.go:756:49: argument err is overwritten before first use (SA4009)
pkg/volume/util/fsquota/common/quota_linux_common.go:37:2: const acct is unused (U1000)
pkg/volume/util/fsquota/common/quota_linux_common.go:38:2: const enforcing is unused (U1000)
pkg/volume/util/fsquota/project.go:168:31: identical expressions on the left and right side of the '==' operator (SA4000)
pkg/volume/util/fsquota/quota_linux.go:306:50: argument poduid is overwritten before first use (SA4009)
pkg/volume/util/fsquota/quota_linux_test.go:558:16: this value of err is never used (SA4006)
pkg/volume/util/subpath/subpath_linux.go:232:81: argument err is overwritten before first use (SA4009)
pkg/volume/util/subpath/subpath_linux_test.go:579:73: argument err is overwritten before first use (SA4009)
In case of windows, the path package functions such as 'Dir' returns faulty directory path.
For eg: 'path.Dir' on 'c:\var\lib\kubelet\pods' returns '.', where as the result should
have been 'c:\var\lib\kubelet'. The filepath package returns the right values.
GetAttributes is called repeatedly while setting the fsGroup of a
volume. Previously, it recalculated whether SELinux was supported during
each call. This resulted in volume.SetVolumeOwnership taking a long
time, delaying pod startup for high file count volumes.
This change checks the SELinux status once, right after node publish,
allowing GetAttributes to simply build and return a struct.
Signed-off-by: John Strunk <jstrunk@redhat.com>
Using a "normal" CSI driver for an inline ephemeral volume may have
unexpected and potentially harmful effects when the driver gets a
NodePublishVolume call that it isn't expecting. To prevent that mistake,
driver deployments for a driver that supports such volumes must:
- deploy a CSIDriver object for the driver
- set CSIDriver.Spec.VolumeLifecycleModes such that it contains "ephemeral"
The default for that field is "persistent", so existing deployments
continue to work and are automatically protected against incorrect
usage.
For the E2E tests we need a way to specify the driver mode. The
existing cluster-driver-registrar doesn't support that and also was
deprecated, so we stop using it altogether and instead deploy and
patch a CSIDriver object.
The conceptual change is that the mode in which a volume gets handled
is derived from it's spec, not from the ability of the driver. In
practice, that is already how the code worked because it didn't
actually look at CSIDriver.Spec.Mode at all.
Therefore the code change itself is mostly just renaming "driver mode"
to "volume mode". In some places (CanDeviceMount, CanAttach) the
feature check that was used elsewhere seemed to be missing. Now their
code path for ephemeral volumes are also only entered if that feature
is enabled.
The sanity check whether a CSI driver is being used correctly still
needs to be implemented.
Related-to: https://github.com/kubernetes/kubernetes/issues/79624
This patch refactors pkg/util/mount to be more usable outside of
Kubernetes. This is done by refactoring mount.Interface to only contain
methods that are not K8s specific. Methods that are not relevant to
basic mount activities but still have OS-specific implementations are
now found in a mount.HostUtils interface.
