New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optionally run e2e pod as privileged for SELinux #83727
Optionally run e2e pod as privileged for SELinux #83727
Conversation
/approve |
@@ -564,7 +565,7 @@ func testVolumeContent(client clientset.Interface, pod *v1.Pod, fsGroup *int64, | |||
// Multiple Tests can be specified to mount multiple volumes to a single | |||
// pod. | |||
func TestVolumeClient(client clientset.Interface, config TestConfig, fsGroup *int64, fsType string, tests []Test) { | |||
clientPod, err := runVolumeTesterPod(client, config, "client", fsGroup, tests) | |||
clientPod, err := runVolumeTesterPod(client, config, "client", fsGroup, false, tests) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How come this one is false and the other is true?
Can we also make privileged a configurable parameter? I would like to be able to have most e2es not use privileged pods if the system doesn't support SELinux: #80186
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can do that, but because of #83727 (comment), we may have to go privileged if the system supports SELinux and the volume is not block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we also make privileged a configurable parameter?
So I figured this is a bit tricky to solve. These are the possible solutions that I thought about and their problems:
- Make pods privileged:
- We don't want this, specially where they are not required (on non-SELinux systems)
- Make pods unprivileged and add label
svirt_sandbox_file_t
to node dirs where pods manipulate data (currently it's/tmp
for hostPath)- Need to manually
chcon -R -t svirt_sandbox_file_t /dir_where_container_writes_files
in the host where test runs
- Need to manually
- Detect if node, where test is running, has SELinux enabled and make the pod privileged
- I attempted this one, but it's tricky because we don't always know the node where the pod is going to be scheduled (so we could send `getenforcea command there and
- Have an env variable that toggles privileged
- Not sure if this is a good idea, it needs to be toggled manually
- It's not node-specific
- Not sure if this is a good idea, it needs to be toggled manually
Are there other alternatives?
Two jobs are failing because of a docker issue that prevents a privileged pod from mapping devices:
|
7137c6b
to
c41dc58
Compare
c41dc58
to
2a012f0
Compare
2a012f0
to
6229a2b
Compare
// a privileged container, so we don't go privileged for block volumes. | ||
// https://github.com/moby/moby/issues/35991 | ||
privileged := false | ||
if selinux.SELinuxEnabled() && test.Mode != v1.PersistentVolumeBlock { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be replaced by something else because it doesn't detect if SELinux is enabled on the host
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bertinatto could you please create an issue for this action item ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I'll create an issue as soon as I figure this out
52e0642
to
2e7508d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/priority important-soon
/milestone v1.17
2e7508d
to
816b325
Compare
/retest |
/assign @jingxu97 |
816b325
to
45bffab
Compare
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bertinatto, neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
// We need to make the container privileged when SELinux is enabled on the | ||
// host, so the test can write data to a location like /tmp. Also, due to | ||
// the Docker bug below, it's not currently possible to map a device with | ||
// a privileged container, so we don't go privileged for block volumes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does mean for block volume, we cannot set SELinux enabled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, for block volume, we cannot make the container privileged. Specially if the container runtime is docker (due to the bug below).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To clarify, it shouldn't be a problem to run the test with a unprivileged container for block volumes.
The reason we make it privileged for FS volumes is that the test writes data to the host's /tmp directory, which is not the case for block volumes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there another directory we can safely write to that does not require privileged?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there another directory we can safely write to that does not require privileged?
Not that I'm aware of.
By default, containers can only RW to files/directories labeled svirt_sandbox_file_t
. So if a process breaks out of the container, it won't be able to change the host FS.
We could add the label above to a pre-defined directory, say /tmp/k8s-e2e, and change the test to read/write data there, rather than the default /tmp. See my comment #83727 (comment). I've tried this and it worked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The downside of the approach above is that we need to change the test bootstrap to do chcon -R -t svirt_sandbox_file_t /tmp/k8s-e2e
in the host before running the test.
I don't know if we are able to do that, however, this is IMO the right approach to solve our SELinux issues in e2e tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer we look into this approach of prepping a special test directory first if the environment uses SELinux. That way we can remove the privileged setting on many tests (and maybe be able to add them to the conformance suite). But this is sufficient for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to clarify: we can remove the privileged setting if we prep a special test directory on SELinux environments. All containers would run as unprivileged.
FYI, I created the issue #84585 to track this.
@@ -577,7 +588,7 @@ func TestVolumeClient(client clientset.Interface, config TestConfig, fsGroup *in | |||
// starting and auxiliary pod which writes the file there. | |||
// The volume must be writable. | |||
func InjectContent(client clientset.Interface, config TestConfig, fsGroup *int64, fsType string, tests []Test) { | |||
injectorPod, err := runVolumeTesterPod(client, config, "injector", fsGroup, tests) | |||
injectorPod, err := runVolumeTesterPod(client, config, "injector", true, fsGroup, tests) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we cannot set this to true for all cases. For example, for windows, we cannot run privileged container.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a check for Windows
45bffab
to
7e72c70
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jingxu97, PTAL
// We need to make the container privileged when SELinux is enabled on the | ||
// host, so the test can write data to a location like /tmp. Also, due to | ||
// the Docker bug below, it's not currently possible to map a device with | ||
// a privileged container, so we don't go privileged for block volumes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, for block volume, we cannot make the container privileged. Specially if the container runtime is docker (due to the bug below).
@@ -577,7 +588,7 @@ func TestVolumeClient(client clientset.Interface, config TestConfig, fsGroup *in | |||
// starting and auxiliary pod which writes the file there. | |||
// The volume must be writable. | |||
func InjectContent(client clientset.Interface, config TestConfig, fsGroup *int64, fsType string, tests []Test) { | |||
injectorPod, err := runVolumeTesterPod(client, config, "injector", fsGroup, tests) | |||
injectorPod, err := runVolumeTesterPod(client, config, "injector", true, fsGroup, tests) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a check for Windows
Bug Triage Release Team checking in. Code freeze for the 1.17 release is on November 14. Is this still intended for 1.17? Thanks! |
/assign @BCLAU @timothysc @BCLAU - could you verify that this will work for windows use cases? |
As far as this PR goes, lgtm. The only case where privileged could be true, it has been treated and set to false for windows, which is good. I don't think those tests can run on Windows at the moment, especially because of the SecurityContext here: https://github.com/kubernetes/kubernetes/pull/83727/files#diff-2ff410ea588732f4fe497de3d8dbb7deR482 But It's good that extra work is not being added for the time when we'll have those running on Windows as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
// We need to make the container privileged when SELinux is enabled on the | ||
// host, so the test can write data to a location like /tmp. Also, due to | ||
// the Docker bug below, it's not currently possible to map a device with | ||
// a privileged container, so we don't go privileged for block volumes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer we look into this approach of prepping a special test directory first if the environment uses SELinux. That way we can remove the privileged setting on many tests (and maybe be able to add them to the conformance suite). But this is sufficient for now.
@bertinatto: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest Review the full test history for this PR. Silence the bot with an |
This PR adds back the SecurityContext field missed during the consolidation of redundant code in #79730.
Also, it only runs the pod as privileged if the system has SELinux enabled and the volume isn't block (due to moby/moby#35991).
What type of PR is this?
/kind flake
What this PR does / why we need it:
This is necessary for running some e2e tests on SELinux systems.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig storage
CC @jsafrane @msau42