Merge pull request kubernetes#73241 from vikaschoudhary16/selinux-label

Add correct selinux label at plugin socket directory

Author: k8s-ci-robot

pkg/kubelet/BUILD

@@ -106,6 +106,7 @@ go_library(
         "//pkg/util/node:go_default_library",
         "//pkg/util/oom:go_default_library",
         "//pkg/util/removeall:go_default_library",
+        "//pkg/util/selinux:go_default_library",
         "//pkg/util/taints:go_default_library",
         "//pkg/volume:go_default_library",
         "//pkg/volume/csi:go_default_library",

pkg/kubelet/cm/devicemanager/BUILD

@@ -26,6 +26,7 @@ go_library(
         "//pkg/kubelet/metrics:go_default_library",
         "//pkg/kubelet/util/pluginwatcher:go_default_library",
         "//pkg/scheduler/nodeinfo:go_default_library",
+        "//pkg/util/selinux:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",

pkg/kubelet/cm/devicemanager/manager.go

@@ -42,6 +42,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	watcher "k8s.io/kubernetes/pkg/kubelet/util/pluginwatcher"
 	schedulernodeinfo "k8s.io/kubernetes/pkg/scheduler/nodeinfo"
+	"k8s.io/kubernetes/pkg/util/selinux"
 )
 
 // ActivePodsFunc is a function that returns a list of pods to reconcile.
@@ -206,6 +207,11 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc
 
 	socketPath := filepath.Join(m.socketdir, m.socketname)
 	os.MkdirAll(m.socketdir, 0755)
+	if selinux.SELinuxEnabled() {
+		if err := selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel); err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", m.socketdir, err)
+		}
+	}
 
 	// Removes all stale sockets in m.socketdir. Device plugins can monitor
 	// this and use it as a signal to re-register with the new Kubelet.

pkg/kubelet/config/defaults.go

@@ -26,4 +26,5 @@ const (
 	DefaultKubeletContainersDirName          = "containers"
 	DefaultKubeletPluginContainersDirName    = "plugin-containers"
 	DefaultKubeletPodResourcesDirName        = "pod-resources"
+	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
 )

pkg/kubelet/kubelet.go

@@ -110,6 +110,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/mount"
 	nodeutil "k8s.io/kubernetes/pkg/util/node"
 	"k8s.io/kubernetes/pkg/util/oom"
+	"k8s.io/kubernetes/pkg/util/selinux"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csi"
 	"k8s.io/kubernetes/pkg/volume/util/subpath"
@@ -1222,6 +1223,8 @@ type Kubelet struct {
 // 4.  the pod-resources directory
 func (kl *Kubelet) setupDataDirs() error {
 	kl.rootDirectory = path.Clean(kl.rootDirectory)
+	pluginRegistrationDir := kl.getPluginsRegistrationDir()
+	pluginsDir := kl.getPluginsDir()
 	if err := os.MkdirAll(kl.getRootDir(), 0750); err != nil {
 		return fmt.Errorf("error creating root directory: %v", err)
 	}
@@ -1240,6 +1243,16 @@ func (kl *Kubelet) setupDataDirs() error {
 	if err := os.MkdirAll(kl.getPodResourcesDir(), 0750); err != nil {
 		return fmt.Errorf("error creating podresources directory: %v", err)
 	}
+	if selinux.SELinuxEnabled() {
+		err := selinux.SetFileLabel(pluginRegistrationDir, config.KubeletPluginsDirSELinuxLabel)
+		if err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", pluginRegistrationDir, err)
+		}
+		err = selinux.SetFileLabel(pluginsDir, config.KubeletPluginsDirSELinuxLabel)
+		if err != nil {
+			klog.Warningf("Unprivileged containerized plugins might not work. Could not set selinux context on %s: %v", pluginsDir, err)
+		}
+	}
 	return nil
 }
 

pkg/kubelet/kubelet_getters.go

@@ -159,6 +159,11 @@ func (kl *Kubelet) getPodResourcesDir() string {
 	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPodResourcesDirName)
 }
 
+// getPluginsDirSELinuxLabel returns the selinux label to be applied on plugin directories
+func (kl *Kubelet) getPluginsDirSELinuxLabel() string {
+	return config.KubeletPluginsDirSELinuxLabel
+}
+
 // GetPods returns all pods bound to the kubelet and their spec, and the mirror
 // pods.
 func (kl *Kubelet) GetPods() []*v1.Pod {

pkg/util/selinux/selinux_linux.go

@@ -50,3 +50,8 @@ func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
 	}
 	return selinux.FileLabel(path)
 }
+
+// SetFileLabel applies the SELinux label on the path or returns an error.
+func SetFileLabel(path string, label string) error {
+	return selinux.SetFileLabel(path, label)
+}

pkg/util/selinux/selinux_unsupported.go

@@ -31,3 +31,8 @@ var _ SELinuxRunner = &realSELinuxRunner{}
 func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
 	return "", nil
 }
+
+// FileLabel returns the SELinux label for this path or returns an error.
+func SetFileLabel(path string, label string) error {
+	return nil
+}