Skip to content

Commit 1ca8b14

Browse files
saschagrunertsaschagrunert
committed
Add proposal how to handle SELinux
Signed-off-by: Sascha Grunert <[email protected]>
1 parent 0291e04 commit 1ca8b14

File tree

1 file changed

+24
-0
lines changed
  • keps/sig-node/4639-oci-volume-source

1 file changed

+24
-0
lines changed

keps/sig-node/4639-oci-volume-source/README.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ tags, and then generate with `hack/update-toc.sh`.
9696
- [kubelet](#kubelet)
9797
- [CRI](#cri)
9898
- [Container Runtimes](#container-runtimes)
99+
- [SELinux](#selinux)
99100
- [Test Plan](#test-plan)
100101
- [Prerequisite testing updates](#prerequisite-testing-updates)
101102
- [Unit tests](#unit-tests)
@@ -360,13 +361,19 @@ message ImageSpec {
360361
361362
// Absolute local path where the image/artifacts should be mounted to.
362363
string mountpoint = 20;
364+
365+
// List of additional mount options (`mount -o`).
366+
repeated string mount_options = 21;
363367
}
364368
```
365369

366370
This allows to re-use the existing kubelet logic for managing the OCI objects,
367371
with the caveat that the new `VolumeSource` won't be isolated in a dedicated
368372
plugin as part of the existing [volume manager](https://github.com/kubernetes/kubernetes/tree/6d0aab2/pkg/kubelet/volumemanager).
369373

374+
The added `mount_options` allow the kubelet to handle features like SELinux
375+
relabelling by passing additional mount arguments.
376+
370377
#### Container Runtimes
371378

372379
Container runtimes need to support the new `mountpoint` field, otherwise the
@@ -379,6 +386,23 @@ to run on the node.
379386
For security reasons, volume mounts should set the [`noexec`] and `ro`
380387
(read-only) options by default.
381388

389+
##### SELinux
390+
391+
Traditionally, the container runtime is responsible of applying SELinux labels
392+
to volume mounts, which are inherited from the `securityContext` of the pod or
393+
container. Relabeling volume mounts can be time-consuming, especially when there
394+
are many files on the volume.
395+
396+
If the following criteria are met, then the kubelet will use the `mount_options`
397+
field in the CRI to pass `context=<SELinux label>` (`mount -o`) to the container
398+
runtime.
399+
400+
- The operating system must support SELinux
401+
- The Pod must have at least `seLinuxOptions.level` assigned in the
402+
`PodSecurityContext` or all volume using containers must have it set in their
403+
`SecurityContexts`. Kubernetes will read the default user, role and type from
404+
the operating system defaults (typically `system_u`, `system_r` and `container_t`).
405+
382406
### Test Plan
383407

384408
<!--

0 commit comments

Comments
 (0)