New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SELinux labels for kubelet on Fedora CoreOS #95035
Conversation
Hi @harche. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @harche |
test/e2e_node/remote/node_e2e.go
Outdated
return prependMemcgNotificationFlag(args), nil | ||
case strings.Contains(output, "fedora"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might as well get rhel and centos, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I will add those too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the check for,
- Fedora CoreOS and Fedora -
fedora
- CentOS -
centos
- RHEL -
rhel
- Red Hat Core OS -
rhcos
/ok-to-test |
Go playground for testing the regex in this PR, https://play.golang.org/p/WmAZTuFWsBD |
3db6f2c
to
e907883
Compare
/test pull-kubernetes-e2e-kind |
/test pull-kubernetes-node-crio-e2e |
/hold |
/test pull-kubernetes-node-crio-e2e |
4476124
to
b400b54
Compare
/test pull-kubernetes-node-crio-e2e |
b400b54
to
f6ab6ed
Compare
/test pull-kubernetes-node-crio-e2e |
/test pull-kubernetes-node-crio-cgrpv2-e2e |
/lgtm reapplying LGTM |
test/e2e_node/remote/node_e2e.go
Outdated
return prependMemcgNotificationFlag(args), nil | ||
case strings.Contains(output, "fedora"), strings.Contains(output, "rhcos"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess if the output
contains "rhcos", the line 112 catches it on strings.Contains(output, "cos")
instead of here.
It is better to change the order or check string strictly.
/cc @oomichi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @oomichi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a really good point, if this is order dependent that's a defect waiting to happen in the future.
f6ab6ed
to
d3a26b6
Compare
Signed-off-by: Harshal Patil <harpatil@redhat.com>
d3a26b6
to
a4cd6f1
Compare
@harche: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/test pull-kubernetes-node-e2e |
/test pull-kubernetes-bazel-build |
/hold cancel |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, but overall looks like an improvement.
args = prependMemcgNotificationFlag(args) | ||
return prependCOSMounterFlag(args, host, workspace) | ||
case strings.Contains(output, "ID=ubuntu"): | ||
case strings.Contains(output, "ubuntu"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why remove the ID=
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, down below a stricter regex to find that and pull it out ahead of time.
return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output) | ||
} | ||
|
||
var re = regexp.MustCompile(`(?m)^ID="?(\w+)"?`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ID=
used here instead.
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "ginkgo")), | ||
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "mounter")), | ||
fmt.Sprintf("/usr/bin/chcon -R -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "cni", "bin/")), | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am unfamiliar with SELinux, and so checking my understanding.
These binaries need to be added because they're not part of the distribution itself, and they weren't created on the OS, but were extracted/pushed/pulled from somewhere else.
Is that correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We had to add those SELinux labels explicitly because otherwise SELinux will prevent the execution of those binaries. By default, when you copy those binaries in certain location on the filesystem will not have those required labels.
return prependMemcgNotificationFlag(args), nil | ||
} | ||
return args, nil | ||
} | ||
|
||
// setKubeletSELinuxLabels set the appropriate SELinux labels for the | ||
// kubelet on Fedora CoreOS distribution | ||
func setKubeletSELinuxLabels(host, workspace string) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Function name is more than only the Kubelet. Maybe drop Kubelet to setSELinuxLabels
?
@@ -134,7 +169,7 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr | |||
// Kill any running node processes | |||
cleanupNodeProcesses(host) | |||
|
|||
testArgs, err := updateOSSpecificKubeletFlags(testArgs, host, workspace) | |||
testArgs, err := osSpecificActions(testArgs, host, workspace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably a better name now.
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, harche, sjenning The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Harshal Patil harpatil@redhat.com
What type of PR is this?
/kind failing-test
What this PR does / why we need it:
After extracting the kubelet binaries on the remote host, but just before starting the tests, this PR will try to set the right SELinux labels on the Fedora CoreOS node.
Which issue(s) this PR fixes:
Fixes #95034
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: