
Conversation

@saschagrunert
Member

@saschagrunert saschagrunert commented Oct 8, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

If a container or pod specifies the SELinux type spc_t, then we skip the volume relabel.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

cc @mrunalp

Does this PR introduce a user-facing change?

Skip SELinux volume relabeling for super privileged containers (`securityContext.seLinuxOptions.type = "spc_t"`).
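The rule the description states in one sentence, carried through as an added Go example written for this page (it is not cri-o's own code): a container-level `seLinuxOptions.type` takes precedence over the pod-level one, only the exact type `spc_t` skips the relabel, and the relabel routine is simply not called in that case rather than being handed a skip flag. The names `SELinuxOptions`, `Mount`, `relabelMounts`, `typeFromLabel` and the `relabelFn` stand-in for the recursive relabel are assumptions of this example, and the label strings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SELinuxOptions mirrors the fields of Kubernetes' securityContext.seLinuxOptions.
// Only Type matters for the spc_t decision (hypothetical struct for this example).
type SELinuxOptions struct {
	User  string
	Role  string
	Type  string
	Level string
}

// Mount is a minimal volume description, constructed for this example. Relabel is
// true when the mount asked for an SELinux relabel; other mounts are never touched.
type Mount struct {
	Source      string
	Destination string
	Relabel     bool
}

// superPrivilegedType is the SELinux type of a "super privileged container". A
// process running as spc_t is unconfined by the container policy, so stamping the
// volume with the container's category label does not change what it can access
// and the recursive relabel walk is pure cost.
const superPrivilegedType = "spc_t"

// typeFromLabel returns the type field of a full SELinux context such as
// "system_u:system_r:spc_t:s0". A label with fewer than three colon-separated
// fields yields "", which callers treat as "not spc_t" (fail toward relabeling).
func typeFromLabel(label string) string {
	parts := strings.SplitN(label, ":", 4)
	if len(parts) < 3 {
		return ""
	}
	return parts[2]
}

// effectiveType returns the type that applies to a container: its own
// seLinuxOptions.type when set, otherwise the pod-level one, otherwise "".
func effectiveType(pod, container *SELinuxOptions) string {
	if container != nil && container.Type != "" {
		return container.Type
	}
	if pod != nil && pod.Type != "" {
		return pod.Type
	}
	return ""
}

// shouldRelabel reports whether a container's volumes need a relabel at all. Only
// spc_t skips it; an empty type means "runtime default", which is a confined type
// that still needs the per-container category on its volumes.
func shouldRelabel(pod, container *SELinuxOptions) bool {
	return effectiveType(pod, container) != superPrivilegedType
}

// relabelMounts calls relabelFn(source, mountLabel) for every mount that asked for
// a relabel, unless processLabel is of type spc_t, in which case relabelFn is not
// called at all. It returns the sources that were relabeled. processLabel is the
// container's process context (e.g. system_u:system_r:container_t:s0:c1,c2) and
// mountLabel the matching file context (e.g. system_u:object_r:container_file_t:s0:c1,c2).
func relabelMounts(mounts []Mount, processLabel, mountLabel string,
	relabelFn func(path, label string) error) ([]string, error) {
	if typeFromLabel(processLabel) == superPrivilegedType {
		return nil, nil
	}
	var done []string
	for _, m := range mounts {
		if !m.Relabel {
			continue
		}
		if err := relabelFn(m.Source, mountLabel); err != nil {
			return done, fmt.Errorf("relabel %s: %w", m.Source, err)
		}
		done = append(done, m.Source)
	}
	return done, nil
}

func main() {
	// Recording stand-in for the real recursive relabel; nothing on disk is touched.
	var calls []string
	record := func(path, label string) error {
		calls = append(calls, path+" -> "+label)
		return nil
	}
	mounts := []Mount{
		{Source: "/srv/data", Destination: "/data", Relabel: true},
		{Source: "/etc/hosts", Destination: "/etc/hosts", Relabel: false},
	}
	mountLabel := "system_u:object_r:container_file_t:s0:c1,c2"
	for _, proc := range []string{
		"system_u:system_r:container_t:s0:c1,c2", // confined: /srv/data gets relabeled
		"system_u:system_r:spc_t:s0",             // super privileged: no relabel call
	} {
		calls = nil
		done, err := relabelMounts(mounts, proc, mountLabel, record)
		fmt.Printf("%-42s done=%v err=%v calls=%v\n", proc, done, err, calls)
	}
}
```

Note that the decision is keyed on the process label's type, while the relabel itself writes the mount label; the two differ in role and type (system_r/container_t versus object_r/container_file_t) but share the category set. The check is an exact string match on `spc_t`, so a custom unconfined type of another name would still be relabeled, which is the conservative outcome.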

@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 8, 2021
@openshift-ci openshift-ci bot requested a review from sboeuf October 8, 2021 08:28
@openshift-ci
Contributor

openshift-ci bot commented Oct 8, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 8, 2021
@saschagrunert saschagrunert force-pushed the skip-relabel-spc_t branch 3 times, most recently from 2cb85dc to 4cd7598 on October 8, 2021 08:32
@codecov

codecov bot commented Oct 8, 2021

Codecov Report

Merging #5386 (15f968a) into main (25c9823) will decrease coverage by 0.04%.
The diff coverage is 8.33%.

❗ Current head 15f968a differs from pull request most recent head 13182e6. Consider uploading reports for the commit 13182e6 to get more accurate results

@@            Coverage Diff             @@
##             main    #5386      +/-   ##
==========================================
- Coverage   43.73%   43.69%   -0.05%     
==========================================
  Files         118      118              
  Lines       11749    11757       +8     
==========================================
- Hits         5139     5137       -2     
- Misses       6122     6132      +10     
  Partials      488      488              

@haircommander
Member

thanks! I am wondering if we need the allowed_annotation here. If the container can access the volume regardless of it being labeled, then the behavior won't change whether we allow it or not 🤔

@saschagrunert
Member Author

/retest

@saschagrunert
Member Author

saschagrunert commented Oct 11, 2021

I think the integration tests are not working as expected.

@saschagrunert saschagrunert force-pushed the skip-relabel-spc_t branch 2 times, most recently from cc3d3d9 to 39f4c4a on October 11, 2021 10:17
@saschagrunert
Member Author

/test integration_rhel

@rhatdan
Contributor

rhatdan commented Oct 11, 2021

I don't think the function should take a parameter to just not relabel, just don't call it in that case.

@saschagrunert
Member Author

/retest

@saschagrunert
Member Author

Requires #5400

If a container or pod specifies the SELinux type `spc_t`, then we skip
the volume relabel.

Signed-off-by: Sascha Grunert <[email protected]>
@openshift-ci
Contributor

openshift-ci bot commented Oct 13, 2021

@saschagrunert: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2 ac4f1de link false /test e2e_cgroupv2
ci/openshift-jenkins/integration_crun_cgroupv2 13182e6 link false /test integration_cgroupv2

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@haircommander
Member

/test ci/prow/e2e-gcp

@openshift-ci
Contributor

openshift-ci bot commented Oct 13, 2021

@haircommander: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test ami_fedora
  • /test ami_rhel
  • /test critest_fedora
  • /test critest_rhel
  • /test e2e-agnostic
  • /test e2e-gcp
  • /test e2e_crun
  • /test e2e_features_fedora
  • /test e2e_features_rhel
  • /test e2e_fedora
  • /test e2e_rhel
  • /test images
  • /test integration_crun
  • /test integration_fedora
  • /test integration_rhel
  • /test kata-containers

The following commands are available to trigger optional jobs:

  • /test e2e_cgroupv2
  • /test integration_cgroupv2

Use /test all to run the following jobs that were automatically triggered:

  • kata-containers-2-crio-PR
  • pull-ci-cri-o-cri-o-main-e2e-agnostic
  • pull-ci-cri-o-cri-o-main-e2e-gcp
  • pull-ci-cri-o-cri-o-main-images
  • test_pull_request_crio_critest_fedora
  • test_pull_request_crio_critest_rhel
  • test_pull_request_crio_e2e_crun_fedora
  • test_pull_request_crio_e2e_crun_fedora_cgroupv2
  • test_pull_request_crio_e2e_features_fedora
  • test_pull_request_crio_e2e_features_rhel
  • test_pull_request_crio_e2e_fedora
  • test_pull_request_crio_e2e_rhel
  • test_pull_request_crio_integration_crun_fedora
  • test_pull_request_crio_integration_crun_fedora_cgroupv2
  • test_pull_request_crio_integration_fedora
  • test_pull_request_crio_integration_rhel

In response to this:

/test ci/prow/e2e-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@haircommander
Member

/test e2e-gcp

@haircommander
Member

/lgtm


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.


4 participants