Merge pull request kubernetes#130037 from jsafrane/selinux-controller-translator

selinux: add a new SELinux translator to the controller

Author: k8s-ci-robot

pkg/controller/volume/selinuxwarning/cache/volumecache.go

@@ -23,6 +23,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator"
 )
 
 const (
@@ -51,17 +52,19 @@ type VolumeCache interface {
 // VolumeCache stores all volumes used by Pods and their properties that the controller needs to track,
 // like SELinux labels and SELinuxChangePolicies.
 type volumeCache struct {
-	mutex sync.RWMutex
+	mutex             sync.RWMutex
+	seLinuxTranslator *translator.ControllerSELinuxTranslator
 	// All volumes of all existing Pods.
 	volumes map[v1.UniqueVolumeName]usedVolume
 }
 
 var _ VolumeCache = &volumeCache{}
 
 // NewVolumeLabelCache creates a new VolumeCache.
-func NewVolumeLabelCache() VolumeCache {
+func NewVolumeLabelCache(seLinuxTranslator *translator.ControllerSELinuxTranslator) VolumeCache {
 	return &volumeCache{
-		volumes: make(map[v1.UniqueVolumeName]usedVolume),
+		seLinuxTranslator: seLinuxTranslator,
+		volumes:           make(map[v1.UniqueVolumeName]usedVolume),
 	}
 }
 
@@ -137,7 +140,7 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 				OtherPropertyValue: string(changePolicy),
 			})
 		}
-		if otherPodInfo.seLinuxLabel != label {
+		if c.seLinuxTranslator.Conflicts(otherPodInfo.seLinuxLabel, label) {
 			// Send conflict to both pods
 			conflicts = append(conflicts, Conflict{
 				PropertyName:       "SELinuxLabel",
@@ -248,7 +251,7 @@ func (c *volumeCache) SendConflicts(logger klog.Logger, ch chan<- Conflict) {
 						OtherPropertyValue: string(otherPodInfo.changePolicy),
 					}
 				}
-				if podInfo.seLinuxLabel != otherPodInfo.seLinuxLabel {
+				if c.seLinuxTranslator.Conflicts(podInfo.seLinuxLabel, otherPodInfo.seLinuxLabel) {
 					ch <- Conflict{
 						PropertyName:       "SELinuxLabel",
 						EventReason:        "SELinuxLabelConflict",

pkg/controller/volume/selinuxwarning/cache/volumecache_test.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
+	"k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator"
 )
 
 func getTestLoggers(t *testing.T) (klog.Logger, klog.Logger) {
@@ -47,7 +48,8 @@ func sortConflicts(conflicts []Conflict) {
 // Delete all items in a bigger cache and check it's empty
 func TestVolumeCache_DeleteAll(t *testing.T) {
 	var podsToDelete []cache.ObjectName
-	c := NewVolumeLabelCache().(*volumeCache)
+	seLinuxTranslator := &translator.ControllerSELinuxTranslator{}
+	c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache)
 	logger, dumpLogger := getTestLoggers(t)
 
 	// Arrange: add a lot of volumes to the cache
@@ -110,42 +112,70 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			podNamespace: "ns1",
 			podName:      "pod1-mountOption",
 			volumeName:   "vol1",
-			label:        "label1",
+			label:        "system_u:system_r:label1",
 			changePolicy: v1.SELinuxChangePolicyMountOption,
 		},
 		{
 			podNamespace: "ns2",
 			podName:      "pod2-recursive",
 			volumeName:   "vol2",
-			label:        "label2",
+			label:        "system_u:system_r:label2",
 			changePolicy: v1.SELinuxChangePolicyRecursive,
 		},
 		{
 			podNamespace: "ns3",
 			podName:      "pod3-1",
 			volumeName:   "vol3", // vol3 is used by 2 pods with the same label + recursive policy
-			label:        "label3",
+			label:        "system_u:system_r:label3",
 			changePolicy: v1.SELinuxChangePolicyRecursive,
 		},
 		{
 			podNamespace: "ns3",
 			podName:      "pod3-2",
 			volumeName:   "vol3", // vol3 is used by 2 pods with the same label + recursive policy
-			label:        "label3",
+			label:        "system_u:system_r:label3",
 			changePolicy: v1.SELinuxChangePolicyRecursive,
 		},
 		{
 			podNamespace: "ns4",
 			podName:      "pod4-1",
 			volumeName:   "vol4", // vol4 is used by 2 pods with the same label + mount policy
-			label:        "label4",
+			label:        "system_u:system_r:label4",
 			changePolicy: v1.SELinuxChangePolicyMountOption,
 		},
 		{
 			podNamespace: "ns4",
 			podName:      "pod4-2",
 			volumeName:   "vol4", // vol4 is used by 2 pods with the same label + mount policy
-			label:        "label4",
+			label:        "system_u:system_r:label4",
+			changePolicy: v1.SELinuxChangePolicyMountOption,
+		},
+		{
+			podNamespace: "ns5",
+			podName:      "pod5",
+			volumeName:   "vol5", // vol5 has no user and role
+			label:        "::label5",
+			changePolicy: v1.SELinuxChangePolicyMountOption,
+		},
+		{
+			podNamespace: "ns6",
+			podName:      "pod6",
+			volumeName:   "vol6", // vol6 has no user
+			label:        ":system_r:label6",
+			changePolicy: v1.SELinuxChangePolicyMountOption,
+		},
+		{
+			podNamespace: "ns7",
+			podName:      "pod7",
+			volumeName:   "vol7", // vol7 has no user and role, but has categories
+			label:        "::label7:c0,c1",
+			changePolicy: v1.SELinuxChangePolicyMountOption,
+		},
+		{
+			podNamespace: "ns8",
+			podName:      "pod8",
+			volumeName:   "vol8", // vol has no label
+			label:        "",
 			changePolicy: v1.SELinuxChangePolicyMountOption,
 		},
 	}
@@ -163,7 +193,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol-new",
-				label:        "label-new",
+				label:        "system_u:system_r:label-new",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
 			expectedConflicts: nil,
@@ -175,7 +205,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol-new",
-				label:        "label-new",
+				label:        "system_u:system_r:label-new",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
 			expectedConflicts: nil,
@@ -187,7 +217,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol1",
-				label:        "label1",
+				label:        "system_u:system_r:label1",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
 			expectedConflicts: nil,
@@ -199,17 +229,17 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol1",
-				label:        "label-new",
+				label:        "system_u:system_r:label-new",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
 			expectedConflicts: []Conflict{
 				{
 					PropertyName:       "SELinuxLabel",
 					EventReason:        "SELinuxLabelConflict",
 					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
-					PropertyValue:      "label-new",
+					PropertyValue:      "system_u:system_r:label-new",
 					OtherPod:           cache.ObjectName{Namespace: "ns1", Name: "pod1-mountOption"},
-					OtherPropertyValue: "label1",
+					OtherPropertyValue: "system_u:system_r:label1",
 				},
 			},
 		},
@@ -220,7 +250,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol1",
-				label:        "label1",
+				label:        "system_u:system_r:label1",
 				changePolicy: v1.SELinuxChangePolicyRecursive,
 			},
 			expectedConflicts: []Conflict{
@@ -241,7 +271,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "testns",
 				podName:      "testpod",
 				volumeName:   "vol1",
-				label:        "label-new",
+				label:        "system_u:system_r:label-new",
 				changePolicy: v1.SELinuxChangePolicyRecursive,
 			},
 			expectedConflicts: []Conflict{
@@ -257,9 +287,9 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 					PropertyName:       "SELinuxLabel",
 					EventReason:        "SELinuxLabelConflict",
 					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
-					PropertyValue:      "label-new",
+					PropertyValue:      "system_u:system_r:label-new",
 					OtherPod:           cache.ObjectName{Namespace: "ns1", Name: "pod1-mountOption"},
-					OtherPropertyValue: "label1",
+					OtherPropertyValue: "system_u:system_r:label1",
 				},
 			},
 		},
@@ -271,7 +301,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "ns2",
 				podName:      "pod2-recursive",
 				volumeName:   "vol2",                            // there is no other pod that uses vol2 -> change of policy and label is possible
-				label:        "label-new",                       // was label2 in the original pod2
+				label:        "system_u:system_r:label-new",     // was label2 in the original pod2
 				changePolicy: v1.SELinuxChangePolicyMountOption, // was Recursive in the original pod2
 			},
 			expectedConflicts: nil,
@@ -284,7 +314,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				podNamespace: "ns3",
 				podName:      "pod3-1",
 				volumeName:   "vol3",                            // vol3 is used by pod3-2 with label3 and Recursive policy
-				label:        "label-new",                       // Technically, it's not possible to change a label of an existing pod, but we still check for conflicts
+				label:        "system_u:system_r:label-new",     // Technically, it's not possible to change a label of an existing pod, but we still check for conflicts
 				changePolicy: v1.SELinuxChangePolicyMountOption, // ChangePolicy change can happen when CSIDriver is updated from SELinuxMount: false to SELinuxMount: true
 			},
 			expectedConflicts: []Conflict{
@@ -300,18 +330,88 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 					PropertyName:       "SELinuxLabel",
 					EventReason:        "SELinuxLabelConflict",
 					Pod:                cache.ObjectName{Namespace: "ns3", Name: "pod3-1"},
-					PropertyValue:      "label-new",
+					PropertyValue:      "system_u:system_r:label-new",
 					OtherPod:           cache.ObjectName{Namespace: "ns3", Name: "pod3-2"},
-					OtherPropertyValue: "label3",
+					OtherPropertyValue: "system_u:system_r:label3",
 				},
 			},
 		},
+		{
+			name:        "existing volume in a new pod with existing policy and new incomparable label (missing user and role)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol5",
+				label:        "system_u:system_r:label5",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{},
+		},
+		{
+			name:        "existing volume in a new pod with conflicting policy with incomparable parts",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol5",
+				label:        "::label6",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{
+				{
+					PropertyName:       "SELinuxLabel",
+					EventReason:        "SELinuxLabelConflict",
+					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
+					PropertyValue:      "::label6",
+					OtherPod:           cache.ObjectName{Namespace: "ns5", Name: "pod5"},
+					OtherPropertyValue: "::label5",
+				},
+			},
+		},
+		{
+			name:        "existing volume in a new pod with existing policy and new incomparable label (missing user)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol6",
+				label:        "system_u::label6",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{},
+		},
+		{
+			name:        "existing volume in a new pod with existing policy and new incomparable label (missing categories)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol7",
+				label:        "system_u:system_r:label7",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{},
+		},
+		{
+			name:        "existing volume in a new pod with existing policy and new incomparable label (missing everything)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol8",
+				label:        "system_u:system_r:label8",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			logger, dumpLogger := getTestLoggers(t)
 			// Arrange: add initial pods to the cache
-			c := NewVolumeLabelCache().(*volumeCache)
+			seLinuxTranslator := &translator.ControllerSELinuxTranslator{}
+			c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache)
 			for _, podToAdd := range tt.initialPods {
 				conflicts := c.AddVolume(logger, podToAdd.volumeName, cache.ObjectName{Namespace: podToAdd.podNamespace, Name: podToAdd.podName}, podToAdd.label, podToAdd.changePolicy, "csiDriver1")
 				if len(conflicts) != 0 {
@@ -328,6 +428,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			sortConflicts(expectedConflicts)
 			if !reflect.DeepEqual(conflicts, expectedConflicts) {
 				t.Errorf("AddVolume returned unexpected conflicts: %+v", conflicts)
+				t.Logf("Expected conflicts: %+v", expectedConflicts)
 				c.dump(dumpLogger)
 			}
 			// Expect the pod + volume to be present in the cache
@@ -370,7 +471,8 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 }
 
 func TestVolumeCache_GetPodsForCSIDriver(t *testing.T) {
-	c := NewVolumeLabelCache().(*volumeCache)
+	seLinuxTranslator := &translator.ControllerSELinuxTranslator{}
+	c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache)
 	logger, dumpLogger := getTestLoggers(t)
 
 	existingPods := map[string][]podWithVolume{

pkg/controller/volume/selinuxwarning/selinux_warning_controller.go

@@ -44,6 +44,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/util"
 	"k8s.io/kubernetes/pkg/controller/volume/common"
 	volumecache "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache"
+	"k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csi"
 	"k8s.io/kubernetes/pkg/volume/csimigration"
@@ -74,7 +75,7 @@ type Controller struct {
 	vpm               *volume.VolumePluginMgr
 	cmpm              csimigration.PluginManager
 	csiTranslator     csimigration.InTreeToCSITranslator
-	seLinuxTranslator volumeutil.SELinuxLabelTranslator
+	seLinuxTranslator *translator.ControllerSELinuxTranslator
 	eventBroadcaster  record.EventBroadcaster
 	eventRecorder     record.EventRecorder
 	queue             workqueue.TypedRateLimitingInterface[cache.ObjectName]
@@ -95,6 +96,8 @@ func NewController(
 
 	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
 	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "selinux_warning"})
+	seLinuxTranslator := &translator.ControllerSELinuxTranslator{}
+
 	c := &Controller{
 		kubeClient:        kubeClient,
 		podLister:         podInformer.Lister(),
@@ -107,7 +110,7 @@ func NewController(
 		csiDriverLister:   csiDriverInformer.Lister(),
 		csiDriversSynced:  csiDriverInformer.Informer().HasSynced,
 		vpm:               &volume.VolumePluginMgr{},
-		seLinuxTranslator: volumeutil.NewSELinuxLabelTranslator(),
+		seLinuxTranslator: seLinuxTranslator,
 
 		eventBroadcaster: eventBroadcaster,
 		eventRecorder:    recorder,
@@ -117,7 +120,7 @@ func NewController(
 				Name: "selinux_warning",
 			},
 		),
-		labelCache: volumecache.NewVolumeLabelCache(),
+		labelCache: volumecache.NewVolumeLabelCache(seLinuxTranslator),
 	}
 
 	err := c.vpm.InitPlugins(plugins, prober, c)