Merge pull request kubernetes#95035 from harche/selinux_kubelet

Add SELinux labels for kubelet on Fedora CoreOS

Author: k8s-ci-robot

test/e2e_node/remote/node_e2e.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
@@ -101,23 +102,57 @@ func prependMemcgNotificationFlag(args string) string {
 	return "--kubelet-flags=--kernel-memcg-notification=true " + args
 }
 
-// updateOSSpecificKubeletFlags updates the Kubelet args with OS specific
-// settings.
-func updateOSSpecificKubeletFlags(args, host, workspace string) (string, error) {
-	output, err := SSH(host, "cat", "/etc/os-release")
+// osSpecificActions takes OS specific actions required for the node tests
+func osSpecificActions(args, host, workspace string) (string, error) {
+	output, err := getOSDistribution(host)
 	if err != nil {
 		return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
 	}
 	switch {
-	case strings.Contains(output, "ID=gci"), strings.Contains(output, "ID=cos"):
+	case strings.Contains(output, "fedora"), strings.Contains(output, "rhcos"),
+		strings.Contains(output, "centos"), strings.Contains(output, "rhel"):
+		return args, setKubeletSELinuxLabels(host, workspace)
+	case strings.Contains(output, "gci"), strings.Contains(output, "cos"):
 		args = prependMemcgNotificationFlag(args)
 		return prependCOSMounterFlag(args, host, workspace)
-	case strings.Contains(output, "ID=ubuntu"):
+	case strings.Contains(output, "ubuntu"):
 		return prependMemcgNotificationFlag(args), nil
 	}
 	return args, nil
 }
 
+// setKubeletSELinuxLabels set the appropriate SELinux labels for the
+// kubelet on Fedora CoreOS distribution
+func setKubeletSELinuxLabels(host, workspace string) error {
+	cmd := getSSHCommand(" && ",
+		fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "kubelet")),
+		fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "e2e_node.test")),
+		fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "ginkgo")),
+		fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "mounter")),
+		fmt.Sprintf("/usr/bin/chcon -R -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "cni", "bin/")),
+	)
+	output, err := SSH(host, "sh", "-c", cmd)
+	if err != nil {
+		return fmt.Errorf("Unable to apply SELinux labels. Err: %v, Output:\n%s", err, output)
+	}
+	return nil
+}
+
+func getOSDistribution(host string) (string, error) {
+	output, err := SSH(host, "cat", "/etc/os-release")
+	if err != nil {
+		return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
+	}
+
+	var re = regexp.MustCompile(`(?m)^ID="?(\w+)"?`)
+	subMatch := re.FindStringSubmatch(output)
+	if len(subMatch) > 0 {
+		return subMatch[1], nil
+	}
+
+	return "", fmt.Errorf("Unable to parse os-release for the host, %s", host)
+}
+
 // RunTest runs test on the node.
 func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePrefix, testArgs, ginkgoArgs, systemSpecName, extraEnvs string, timeout time.Duration) (string, error) {
 	// Install the cni plugins and add a basic CNI configuration.
@@ -134,7 +169,7 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr
 	// Kill any running node processes
 	cleanupNodeProcesses(host)
 
-	testArgs, err := updateOSSpecificKubeletFlags(testArgs, host, workspace)
+	testArgs, err := osSpecificActions(testArgs, host, workspace)
 	if err != nil {
 		return "", err
 	}