keps/sig-storage/1710-selinux-relabeling/README.md
4 additions & 1 deletion
@@ -321,6 +321,9 @@ Apart from the obvious API change and behavior described above, kubelet + volume
321
321
* Kubelet's VolumeManager needs to track which SELinux label should get a volume in global mount (to call `MountDevice()` with the right mount options).
322
322
* It must call `UnmountDevice()` even when another pod wants to re-use a mounted volume, but it has a different SELinux context.
323
323
* While tracking SELinux labels of volumes, it can emit metrics suggested below.
324
+
* After kubelet restart, kubelet must reconstruct the original SELinux label it used to SetUp (MountDevice) each volume.
325
+
* Volume reconstruction must be updated to get the SELinux label from mount (in-tree volume plugins) or stored json file (CSI).
326
+
This label must be updated in VolumeManager's ActualStateOfWorld after reconstruction.
324
327
* Volume plugins will get SELinux context as a new parameter of `MountDevice` and `SetUp`/`SetupAt` calls (resp. as a new field in `DeviceMounterArgs` / `MounterArgs`).
325
328
* Each volume plugin can choose to use the mount option `-o context=` (e.g. when `CSIDriver.SELinuxRelabelPolicy` is `true`) or ignore it (e.g. in-tree volume plugins for shared filesystems or when `CSIDriver.SELinuxRelabelPolicy` is `false` or `nil`).
326
329
* Each volume plugin then returns `SupportsSELinux` from `GetAttributes()` call, depending on if it wants the container runtime to relabel the volume (`true`) or not (`false`; the volume was already mounted with the right label or it does not support SELinux at all).
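Review bot: the new bullet "Volume reconstruction must be updated to get the SELinux label from mount (in-tree volume plugins) or stored json file (CSI)" does not say what happens for CSI volumes when that file is missing, has no label recorded, or disagrees with the `-o context=` option actually present on the global mount. That matters because the label written into VolumeManager's ActualStateOfWorld after reconstruction is what decides whether `UnmountDevice()` is called when another pod with a different SELinux context wants the same volume (the existing bullet above); a stale or absent label means either a pod started on a volume still mounted with another pod's context, or a needless unmount. Suggest stating the fallback explicitly, e.g. "a volume whose label cannot be reconstructed is treated as having an unknown context and must be unmounted before reuse", and cross-checking the stored file against the live mount options the way the in-tree path already reads them. Minor: "the original SELinux label it used to SetUp (MountDevice) each volume" reads as if these were one call, while the bullet below lists `MountDevice` and `SetUp`/`SetupAt` as separate calls; name which one the reconstructed label belongs to.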
@@ -412,7 +415,7 @@ _This section must be completed when targeting alpha to a release._
412
415
Describe the consequences on existing workloads (e.g. if this is runtime
413
416
feature, can it break the existing applications?).
414
417
415
-
Yes, it can be disabled / rolled back.
418
+
Yes, it can be disabled / rolled back.
416
419
Corresponding API fields get cleared and Kubernetes uses previous SELinux label handling.
417
420
If the feature gate is enabled/disabled in kubelet without draining the node, volumes mounted by the previous kubelet are still mounted with the same mount option and thus may / may not have `-o context=` mount option.
418
421
I.e. the disabled / enabled feature affects only newly started Pods.
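Review bot: the removed and added lines are both "Yes, it can be disabled / rolled back." as rendered, so this hunk is presumably a whitespace or line-ending fix; if so, note that in the commit message, otherwise it looks like an accidental change. While here, the rollback text says volumes mounted by the previous kubelet "may / may not have `-o context=` mount option" and that only newly started Pods are affected, but it does not say what a Pod started after the gate is disabled gets when it reuses a volume that is still mounted with `-o context=` from before the flip: whether the previous SELinux label handling works on such a mount or whether the volume must be fully unmounted first. Spell that out, since toggling the gate without draining is exactly the case an operator hits, and it also determines what the reconstruction code described earlier in this file must record for those pre-existing mounts.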