Optionally run e2e pod as privileged for SELinux

[bertinatto]

This PR adds back the SecurityContext field missed during the consolidation of redundant code in #79730.

Also, it only runs the pod as privileged if the system has SELinux enabled and the volume isn't block (due to moby/moby#35991).

What type of PR is this?

/kind flake

What this PR does / why we need it:

This is necessary for running some e2e tests on SELinux systems.

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

/sig storage
CC @jsafrane @msau42

[neolit123]

/approve
/retest

[msau42]

How come this one is false and the other is true?

Can we also make privileged a configurable parameter? I would like to be able to have most e2es not use privileged pods if the system doesn't support SELinux: #80186

[bertinatto]

I can do that, but because of #83727 (comment), we may have to go privileged if the system supports SELinux and the volume is not block.

[bertinatto]

Can we also make privileged a configurable parameter?

So I figured this is a bit tricky to solve. These are the possible solutions that I thought about and their problems:

1. Make pods privileged:
   • We don't want this, specially where they are not required (on non-SELinux systems)
2. Make pods unprivileged and add label svirt_sandbox_file_t to node dirs where pods manipulate data (currently it's /tmp for hostPath)
   • Need to manually chcon -R -t svirt_sandbox_file_t /dir_where_container_writes_files in the host where test runs
3. Detect if node, where test is running, has SELinux enabled and make the pod privileged
   • I attempted this one, but it's tricky because we don't always know the node where the pod is going to be scheduled (so we could send `getenforcea command there and
4. Have an env variable that toggles privileged
   • Not sure if this is a good idea, it needs to be toggled manually
     • It's not node-specific

Are there other alternatives?

[bertinatto]

Two jobs are failing because of a docker issue that prevents a privileged pod from mapping devices:

$ docker versioni

Client:
 Version:           18.09.9
 API version:       1.39
 Go version:        go1.11.13
 Git commit:        039a7df9ba
 Built:             Wed Sep  4 16:51:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.13
  Git commit:       039a7df
  Built:            Wed Sep  4 16:22:32 2019
  OS/Arch:          linux/amd64
  Experimental:     false

$ docker run -w /opt  --rm -it --device=/dev/console:/opt/10 busybox /bin/sh -c 'ls -l /opt/'
total 0
crw-------    1 root     root        5,   1 Oct 11 12:27 10
 
$ docker run -w /opt  --privileged --rm -it --device=/dev/console:/opt/10 busybox /bin/sh -c 'ls -l /opt/'
total 0

[bertinatto]

This needs to be replaced by something else because it doesn't detect if SELinux is enabled on the host

[alejandrox1]

@bertinatto could you please create an issue for this action item ?

[bertinatto]

Sure, I'll create an issue as soon as I figure this out

[alejandrox1]

/priority important-soon
/milestone v1.17

[bertinatto]

/retest

[msau42]

/assign @jingxu97
to check impact on windows tests

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bertinatto, neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/e2e/framework/volume/OWNERS [neolit123]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jingxu97]

Does mean for block volume, we cannot set SELinux enabled?

[bertinatto]

Actually, for block volume, we cannot make the container privileged. Specially if the container runtime is docker (due to the bug below).

[bertinatto]

To clarify, it shouldn't be a problem to run the test with a unprivileged container for block volumes.

The reason we make it privileged for FS volumes is that the test writes data to the host's /tmp directory, which is not the case for block volumes.

[msau42]

Is there another directory we can safely write to that does not require privileged?

[bertinatto]

Is there another directory we can safely write to that does not require privileged?

Not that I'm aware of.

By default, containers can only RW to files/directories labeled svirt_sandbox_file_t. So if a process breaks out of the container, it won't be able to change the host FS.

We could add the label above to a pre-defined directory, say /tmp/k8s-e2e, and change the test to read/write data there, rather than the default /tmp. See my comment #83727 (comment). I've tried this and it worked.

[bertinatto]

The downside of the approach above is that we need to change the test bootstrap to do chcon -R -t svirt_sandbox_file_t /tmp/k8s-e2e in the host before running the test.

I don't know if we are able to do that, however, this is IMO the right approach to solve our SELinux issues in e2e tests.

[msau42]

I would prefer we look into this approach of prepping a special test directory first if the environment uses SELinux. That way we can remove the privileged setting on many tests (and maybe be able to add them to the conformance suite). But this is sufficient for now.

[bertinatto]

Just to clarify: we can remove the privileged setting if we prep a special test directory on SELinux environments. All containers would run as unprivileged.

FYI, I created the issue #84585 to track this.

[jingxu97]

I think we cannot set this to true for all cases. For example, for windows, we cannot run privileged container.

[bertinatto]

Added a check for Windows

[bertinatto]

@jingxu97, PTAL

[bertinatto]

Actually, for block volume, we cannot make the container privileged. Specially if the container runtime is docker (due to the bug below).

[bertinatto]

Added a check for Windows

[kikisdeliveryservice]

Bug Triage Release Team checking in. Code freeze for the 1.17 release is on November 14. Is this still intended for 1.17? Thanks!

[timothysc]

/assign @BCLAU @timothysc

@BCLAU - could you verify that this will work for windows use cases?

[claudiubelu]

/assign @BCLAU @timothysc

@BCLAU - could you verify that this will work for windows use cases?

As far as this PR goes, lgtm. The only case where privileged could be true, it has been treated and set to false for windows, which is good. I don't think those tests can run on Windows at the moment, especially because of the SecurityContext here: https://github.com/kubernetes/kubernetes/pull/83727/files#diff-2ff410ea588732f4fe497de3d8dbb7deR482 But It's good that extra work is not being added for the time when we'll have those running on Windows as well.

[msau42]

/lgtm
/approve

[msau42]

I would prefer we look into this approach of prepping a special test directory first if the environment uses SELinux. That way we can remove the privileged setting on many tests (and maybe be able to add them to the conformance suite). But this is sufficient for now.

[k8s-ci-robot]

@bertinatto: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-gce-csi-serial	816b325dd84310acfbf0503be14aa102a58b4a9f	link	/test pull-kubernetes-e2e-gce-csi-serial

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.