Merge pull request kubernetes#128242 from jsafrane/selinux-controller

1710: Add SELinux warning controller

Author: k8s-ci-robot

cmd/kube-controller-manager/app/controllermanager.go

@@ -580,6 +580,7 @@ func NewControllerDescriptors() map[string]*ControllerDescriptor {
 	register(newTaintEvictionControllerDescriptor())
 	register(newServiceCIDRsControllerDescriptor())
 	register(newStorageVersionMigratorControllerDescriptor())
+	register(newSELinuxWarningControllerDescriptor())
 
 	for _, alias := range aliases.UnsortedList() {
 		if _, ok := controllers[alias]; ok {

cmd/kube-controller-manager/app/controllermanager_test.go

@@ -96,6 +96,7 @@ func TestControllerNamesDeclaration(t *testing.T) {
 		names.ValidatingAdmissionPolicyStatusController,
 		names.ServiceCIDRController,
 		names.StorageVersionMigratorController,
+		names.SELinuxWarningController,
 	)
 
 	for _, name := range KnownControllers() {

cmd/kube-controller-manager/app/core.go

@@ -27,8 +27,6 @@ import (
 	"strings"
 	"time"
 
-	"k8s.io/klog/v2"
-
 	v1 "k8s.io/api/core/v1"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
@@ -40,6 +38,7 @@ import (
 	"k8s.io/component-base/featuregate"
 	"k8s.io/controller-manager/controller"
 	csitrans "k8s.io/csi-translation-lib"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	pkgcontroller "k8s.io/kubernetes/pkg/controller"
 	endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
@@ -64,6 +63,7 @@ import (
 	persistentvolumecontroller "k8s.io/kubernetes/pkg/controller/volume/persistentvolume"
 	"k8s.io/kubernetes/pkg/controller/volume/pvcprotection"
 	"k8s.io/kubernetes/pkg/controller/volume/pvprotection"
+	"k8s.io/kubernetes/pkg/controller/volume/selinuxwarning"
 	"k8s.io/kubernetes/pkg/controller/volume/vacprotection"
 	"k8s.io/kubernetes/pkg/features"
 	quotainstall "k8s.io/kubernetes/pkg/quota/v1/install"
@@ -141,7 +141,7 @@ func startNodeIpamController(ctx context.Context, controllerContext ControllerCo
 		// should be dual stack (from different IPFamilies)
 		dualstackServiceCIDR, err := netutils.IsDualStackCIDRs([]*net.IPNet{serviceCIDR, secondaryServiceCIDR})
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error:%v", err)
+			return nil, false, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error: %w", err)
 		}
 		if !dualstackServiceCIDR {
 			return nil, false, fmt.Errorf("serviceCIDR and secondaryServiceCIDR are not dualstack (from different IPfamiles)")
@@ -891,3 +891,44 @@ func startStorageVersionGarbageCollectorController(ctx context.Context, controll
 	).Run(ctx)
 	return nil, true, nil
 }
+
+func newSELinuxWarningControllerDescriptor() *ControllerDescriptor {
+	return &ControllerDescriptor{
+		name:                names.SELinuxWarningController,
+		initFunc:            startSELinuxWarningController,
+		isDisabledByDefault: true,
+		requiredFeatureGates: []featuregate.Feature{
+			features.SELinuxChangePolicy,
+		},
+	}
+}
+
+func startSELinuxWarningController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) {
+		return nil, false, nil
+	}
+
+	logger := klog.FromContext(ctx)
+	csiDriverInformer := controllerContext.InformerFactory.Storage().V1().CSIDrivers()
+	plugins, err := ProbePersistentVolumePlugins(logger, controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration)
+	if err != nil {
+		return nil, true, fmt.Errorf("failed to probe volume plugins when starting SELinux warning controller: %w", err)
+	}
+
+	seLinuxController, err :=
+		selinuxwarning.NewController(
+			ctx,
+			controllerContext.ClientBuilder.ClientOrDie(controllerName),
+			controllerContext.InformerFactory.Core().V1().Pods(),
+			controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
+			controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
+			csiDriverInformer,
+			plugins,
+			GetDynamicPluginProber(controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
+		)
+	if err != nil {
+		return nil, true, fmt.Errorf("failed to start SELinux warning controller: %w", err)
+	}
+	go seLinuxController.Run(ctx, 1)
+	return nil, true, nil
+}

cmd/kube-controller-manager/app/plugins.go

@@ -79,6 +79,11 @@ func ProbeProvisionableRecyclableVolumePlugins(logger klog.Logger, config persis
 	})
 }
 
+// ProbePersistentVolumePlugins collects all volume plugins that are actually persistent.
+func ProbePersistentVolumePlugins(logger klog.Logger, config persistentvolumeconfig.VolumeConfiguration) ([]volume.VolumePlugin, error) {
+	return probeControllerVolumePlugins(logger, config, nil)
+}
+
 // probeControllerVolumePlugins collects all persistent volume plugins
 // used by KCM controllers into an easy to use list.
 func probeControllerVolumePlugins(logger klog.Logger, config persistentvolumeconfig.VolumeConfiguration, filter func(plugin volume.VolumePlugin) bool) ([]volume.VolumePlugin, error) {

cmd/kube-controller-manager/names/controller_names.go

@@ -85,4 +85,5 @@ const (
 	VolumeAttributesClassProtectionController    = "volumeattributesclass-protection-controller"
 	ServiceCIDRController                        = "service-cidr-controller"
 	StorageVersionMigratorController             = "storage-version-migrator-controller"
+	SELinuxWarningController                     = "selinux-warning-controller"
 )

pkg/controller/volume/attachdetach/attach_detach_controller.go

@@ -437,7 +437,7 @@ func (adc *attachDetachController) populateDesiredStateOfWorld(logger klog.Logge
 			// The volume specs present in the ActualStateOfWorld are nil, let's replace those
 			// with the correct ones found on pods. The present in the ASW with no corresponding
 			// pod will be detached and the spec is irrelevant.
-			volumeSpec, err := util.CreateVolumeSpec(logger, podVolume, podToAdd, nodeName, &adc.volumePluginMgr, adc.pvcLister, adc.pvLister, adc.csiMigratedPluginManager, adc.intreeToCSITranslator)
+			volumeSpec, err := util.CreateVolumeSpecWithNodeMigration(logger, podVolume, podToAdd, nodeName, &adc.volumePluginMgr, adc.pvcLister, adc.pvLister, adc.csiMigratedPluginManager, adc.intreeToCSITranslator)
 			if err != nil {
 				logger.Error(
 					err,

pkg/controller/volume/attachdetach/metrics/metrics.go

@@ -181,7 +181,7 @@ func (collector *attachDetachStateCollector) getVolumeInUseCount(logger klog.Log
 			continue
 		}
 		for _, podVolume := range pod.Spec.Volumes {
-			volumeSpec, err := util.CreateVolumeSpec(logger, podVolume, pod, types.NodeName(pod.Spec.NodeName), collector.volumePluginMgr, collector.pvcLister, collector.pvLister, collector.csiMigratedPluginManager, collector.intreeToCSITranslator)
+			volumeSpec, err := util.CreateVolumeSpecWithNodeMigration(logger, podVolume, pod, types.NodeName(pod.Spec.NodeName), collector.volumePluginMgr, collector.pvcLister, collector.pvLister, collector.csiMigratedPluginManager, collector.intreeToCSITranslator)
 			if err != nil {
 				continue
 			}

pkg/controller/volume/attachdetach/util/util.go

@@ -33,12 +33,7 @@ import (
 	"k8s.io/kubernetes/pkg/volume/util"
 )
 
-// CreateVolumeSpec creates and returns a mutatable volume.Spec object for the
-// specified volume. It dereference any PVC to get PV objects, if needed.
-// A volume.Spec that refers to an in-tree plugin spec is translated to refer
-// to a migrated CSI plugin spec if all conditions for CSI migration on a node
-// for the in-tree plugin is satisfied.
-func CreateVolumeSpec(logger klog.Logger, podVolume v1.Volume, pod *v1.Pod, nodeName types.NodeName, vpm *volume.VolumePluginMgr, pvcLister corelisters.PersistentVolumeClaimLister, pvLister corelisters.PersistentVolumeLister, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator) (*volume.Spec, error) {
+func createInTreeVolumeSpec(logger klog.Logger, podVolume *v1.Volume, pod *v1.Pod, vpm *volume.VolumePluginMgr, pvcLister corelisters.PersistentVolumeClaimLister, pvLister corelisters.PersistentVolumeLister, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator) (*volume.Spec, string, error) {
 	claimName := ""
 	readOnly := false
 	if pvcSource := podVolume.VolumeSource.PersistentVolumeClaim; pvcSource != nil {
@@ -47,67 +42,83 @@ func CreateVolumeSpec(logger klog.Logger, podVolume v1.Volume, pod *v1.Pod, node
 	}
 	isEphemeral := podVolume.VolumeSource.Ephemeral != nil
 	if isEphemeral {
-		claimName = ephemeral.VolumeClaimName(pod, &podVolume)
+		claimName = ephemeral.VolumeClaimName(pod, podVolume)
+	}
+	if claimName == "" {
+		// In-line volume
+		return volume.NewSpecFromVolume(podVolume), "", nil
 	}
-	if claimName != "" {
-		logger.V(10).Info("Found PVC", "PVC", klog.KRef(pod.Namespace, claimName))
+	// The volume is a PVC, dereference the PVC + PV
+	logger.V(10).Info("Found PVC", "PVC", klog.KRef(pod.Namespace, claimName))
 
-		// If podVolume is a PVC, fetch the real PV behind the claim
-		pvc, err := getPVCFromCache(pod.Namespace, claimName, pvcLister)
-		if err != nil {
-			return nil, fmt.Errorf(
-				"error processing PVC %q/%q: %v",
-				pod.Namespace,
-				claimName,
-				err)
-		}
-		if isEphemeral {
-			if err := ephemeral.VolumeIsForPod(pod, pvc); err != nil {
-				return nil, err
-			}
+	// If podVolume is a PVC, fetch the real PV behind the claim
+	pvc, err := getPVCFromCache(pod.Namespace, claimName, pvcLister)
+	if err != nil {
+		return nil, claimName, fmt.Errorf(
+			"error processing PVC %q/%q: %w",
+			pod.Namespace,
+			claimName,
+			err)
+	}
+	if isEphemeral {
+		if err := ephemeral.VolumeIsForPod(pod, pvc); err != nil {
+			return nil, claimName, err
 		}
+	}
 
-		pvName, pvcUID := pvc.Spec.VolumeName, pvc.UID
-		logger.V(10).Info("Found bound PV for PVC", "PVC", klog.KRef(pod.Namespace, claimName), "pvcUID", pvcUID, "PV", klog.KRef("", pvName))
-
-		// Fetch actual PV object
-		volumeSpec, err := getPVSpecFromCache(
-			pvName, readOnly, pvcUID, pvLister)
-		if err != nil {
-			return nil, fmt.Errorf(
-				"error processing PVC %q/%q: %v",
-				pod.Namespace,
-				claimName,
-				err)
-		}
+	pvName, pvcUID := pvc.Spec.VolumeName, pvc.UID
+	logger.V(10).Info("Found bound PV for PVC", "PVC", klog.KRef(pod.Namespace, claimName), "pvcUID", pvcUID, "PV", klog.KRef("", pvName))
 
-		volumeSpec, err = translateInTreeSpecToCSIIfNeeded(logger, volumeSpec, nodeName, vpm, csiMigratedPluginManager, csiTranslator, pod.Namespace)
-		if err != nil {
-			return nil, fmt.Errorf(
-				"error performing CSI migration checks and translation for PVC %q/%q: %v",
-				pod.Namespace,
-				claimName,
-				err)
-		}
+	// Fetch actual PV object
+	volumeSpec, err := getPVSpecFromCache(
+		pvName, readOnly, pvcUID, pvLister)
+	if err != nil {
+		return nil, claimName, fmt.Errorf(
+			"error processing PVC %q/%q: %w",
+			pod.Namespace,
+			claimName,
+			err)
+	}
 
-		logger.V(10).Info("Extracted volumeSpec from bound PV and PVC", "PVC", klog.KRef(pod.Namespace, claimName), "pvcUID", pvcUID, "PV", klog.KRef("", pvName), "volumeSpecName", volumeSpec.Name())
+	logger.V(10).Info("Extracted volumeSpec from bound PV and PVC", "PVC", klog.KRef(pod.Namespace, claimName), "pvcUID", pvcUID, "PV", klog.KRef("", pvName), "volumeSpecName", volumeSpec.Name())
+	return volumeSpec, claimName, nil
+}
 
-		return volumeSpec, nil
+func CreateVolumeSpec(logger klog.Logger, podVolume v1.Volume, pod *v1.Pod, vpm *volume.VolumePluginMgr, pvcLister corelisters.PersistentVolumeClaimLister, pvLister corelisters.PersistentVolumeLister, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator) (*volume.Spec, error) {
+	volumeSpec, claimName, err := createInTreeVolumeSpec(logger, &podVolume, pod, vpm, pvcLister, pvLister, csiMigratedPluginManager, csiTranslator)
+	if err != nil {
+		return nil, err
 	}
+	volumeSpec, err = translateInTreeSpecToCSIIfNeeded(logger, volumeSpec, vpm, csiMigratedPluginManager, csiTranslator, pod.Namespace)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"error performing CSI migration checks and translation for PVC %q/%q: %w",
+			pod.Namespace,
+			claimName,
+			err)
+	}
+	return volumeSpec, nil
+}
 
-	// Do not return the original volume object, since it's from the shared
-	// informer it may be mutated by another consumer.
-	clonedPodVolume := podVolume.DeepCopy()
-
-	origspec := volume.NewSpecFromVolume(clonedPodVolume)
-	spec, err := translateInTreeSpecToCSIIfNeeded(logger, origspec, nodeName, vpm, csiMigratedPluginManager, csiTranslator, pod.Namespace)
+// CreateVolumeSpec creates and returns a mutatable volume.Spec object for the
+// specified volume. It dereference any PVC to get PV objects, if needed.
+// A volume.Spec that refers to an in-tree plugin spec is translated to refer
+// to a migrated CSI plugin spec if all conditions for CSI migration on a node
+// for the in-tree plugin is satisfied.
+func CreateVolumeSpecWithNodeMigration(logger klog.Logger, podVolume v1.Volume, pod *v1.Pod, nodeName types.NodeName, vpm *volume.VolumePluginMgr, pvcLister corelisters.PersistentVolumeClaimLister, pvLister corelisters.PersistentVolumeLister, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator) (*volume.Spec, error) {
+	volumeSpec, claimName, err := createInTreeVolumeSpec(logger, &podVolume, pod, vpm, pvcLister, pvLister, csiMigratedPluginManager, csiTranslator)
+	if err != nil {
+		return nil, err
+	}
+	volumeSpec, err = translateInTreeSpecToCSIOnNodeIfNeeded(logger, volumeSpec, nodeName, vpm, csiMigratedPluginManager, csiTranslator, pod.Namespace)
 	if err != nil {
 		return nil, fmt.Errorf(
-			"error performing CSI migration checks and translation for inline volume %q: %v",
-			podVolume.Name,
+			"error performing CSI migration checks and translation for PVC %q/%q: %w",
+			pod.Namespace,
+			claimName,
 			err)
 	}
-	return spec, nil
+	return volumeSpec, nil
 }
 
 // getPVCFromCache fetches the PVC object with the given namespace and
@@ -144,7 +155,6 @@ func getPVSpecFromCache(name string, pvcReadOnly bool, expectedClaimUID types.UI
 	if err != nil {
 		return nil, fmt.Errorf("failed to find PV %q in PVInformer cache: %v", name, err)
 	}
-
 	if pv.Spec.ClaimRef == nil {
 		return nil, fmt.Errorf(
 			"found PV object %q but it has a nil pv.Spec.ClaimRef indicating it is not yet bound to the claim",
@@ -204,7 +214,7 @@ func ProcessPodVolumes(logger klog.Logger, pod *v1.Pod, addVolumes bool, desired
 
 	// Process volume spec for each volume defined in pod
 	for _, podVolume := range pod.Spec.Volumes {
-		volumeSpec, err := CreateVolumeSpec(logger, podVolume, pod, nodeName, volumePluginMgr, pvcLister, pvLister, csiMigratedPluginManager, csiTranslator)
+		volumeSpec, err := CreateVolumeSpecWithNodeMigration(logger, podVolume, pod, nodeName, volumePluginMgr, pvcLister, pvLister, csiMigratedPluginManager, csiTranslator)
 		if err != nil {
 			logger.V(10).Info("Error processing volume for pod", "pod", klog.KObj(pod), "volumeName", podVolume.Name, "err", err)
 			continue
@@ -240,7 +250,7 @@ func ProcessPodVolumes(logger klog.Logger, pod *v1.Pod, addVolumes bool, desired
 	}
 }
 
-func translateInTreeSpecToCSIIfNeeded(logger klog.Logger, spec *volume.Spec, nodeName types.NodeName, vpm *volume.VolumePluginMgr, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator, podNamespace string) (*volume.Spec, error) {
+func translateInTreeSpecToCSIOnNodeIfNeeded(logger klog.Logger, spec *volume.Spec, nodeName types.NodeName, vpm *volume.VolumePluginMgr, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator, podNamespace string) (*volume.Spec, error) {
 	translatedSpec := spec
 	migratable, err := csiMigratedPluginManager.IsMigratable(spec)
 	if err != nil {
@@ -263,6 +273,22 @@ func translateInTreeSpecToCSIIfNeeded(logger klog.Logger, spec *volume.Spec, nod
 	return translatedSpec, nil
 }
 
+func translateInTreeSpecToCSIIfNeeded(logger klog.Logger, spec *volume.Spec, vpm *volume.VolumePluginMgr, csiMigratedPluginManager csimigration.PluginManager, csiTranslator csimigration.InTreeToCSITranslator, podNamespace string) (*volume.Spec, error) {
+	migratable, err := csiMigratedPluginManager.IsMigratable(spec)
+	if err != nil {
+		return nil, err
+	}
+	if !migratable {
+		// Jump out of translation fast so we don't check the node if the spec itself is not migratable
+		return spec, nil
+	}
+	translatedSpec, err := csimigration.TranslateInTreeSpecToCSI(logger, spec, podNamespace, csiTranslator)
+	if err != nil {
+		return nil, err
+	}
+	return translatedSpec, nil
+}
+
 func isCSIMigrationSupportedOnNode(nodeName types.NodeName, spec *volume.Spec, vpm *volume.VolumePluginMgr, csiMigratedPluginManager csimigration.PluginManager) (bool, error) {
 	pluginName, err := csiMigratedPluginManager.GetInTreePluginNameFromSpec(spec.PersistentVolume, spec.Volume)
 	if err != nil {

pkg/controller/volume/attachdetach/util/util_test.go

@@ -243,7 +243,7 @@ func Test_CreateVolumeSpec(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			logger, _ := ktesting.NewTestContext(t)
 			plugMgr, intreeToCSITranslator, csiTranslator, pvLister, pvcLister := setup(testNodeName, t)
-			actualSpec, err := CreateVolumeSpec(logger, test.pod.Spec.Volumes[0], test.pod, test.createNodeName, plugMgr, pvcLister, pvLister, intreeToCSITranslator, csiTranslator)
+			actualSpec, err := CreateVolumeSpecWithNodeMigration(logger, test.pod.Spec.Volumes[0], test.pod, test.createNodeName, plugMgr, pvcLister, pvLister, intreeToCSITranslator, csiTranslator)
 
 			if actualSpec == nil && (test.wantPersistentVolume != nil || test.wantVolume != nil) {
 				t.Errorf("got volume spec is nil")

pkg/controller/volume/selinuxwarning/cache/conflict.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+
+	"k8s.io/client-go/tools/cache"
+)
+
+// A single conflict between two Pods using the same volume with different SELinux labels or policies.
+// Event should be sent to both of them.
+type Conflict struct {
+	// Human-readable name of the conflicting property + value of "property" label of selinux_volume_conflict metric.
+	PropertyName string
+	// Reason for the event, to be set as the Event.Reason field.
+	EventReason string
+
+	// Pod to generate the event on
+	Pod           cache.ObjectName
+	PropertyValue string
+	// only for logging / messaging
+	OtherPod           cache.ObjectName
+	OtherPropertyValue string
+}
+
+// Generate a message about this conflict.
+func (c *Conflict) EventMessage() string {
+	// Quote the values for better readability.
+	value := "\"" + c.PropertyValue + "\""
+	otherValue := "\"" + c.OtherPropertyValue + "\""
+	if c.Pod.Namespace == c.OtherPod.Namespace {
+		// In the same namespace, be very specific about the pod names.
+		return fmt.Sprint(c.PropertyName, " ", value, " conflicts with pod ", c.OtherPod.Name, " that uses the same volume as this pod with ", c.PropertyName, " ", otherValue, ". If both pods land on the same node, only one of them may access the volume.")
+	}
+	// Pods are in different namespaces, do not reveal the other namespace or pod name.
+	return fmt.Sprint(c.PropertyName, value, " conflicts with another pod that uses the same volume as this pod with a different ", c.PropertyName, ". If both pods land on the same node, only one of them may access the volume.")
+}