
Add correct selinux label at plugin socket directory #73241

Merged
merged 1 commit into kubernetes:master from vikaschoudhary16:selinux-label on May 20, 2019

Conversation

@vikaschoudhary16
Member

commented Jan 24, 2019

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This PR adds appropriate selinux label at plugin socket directory

Which issue(s) this PR fixes:

Fixes #73240

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Set selinux label at plugin socket directory

/area hw-accelerators
@kubernetes/sig-node-bugs @kubernetes/sig-node-pr-reviews @jeremyeder

@vikaschoudhary16

Member Author

commented Jan 24, 2019

/priority important-soon

@vikaschoudhary16 vikaschoudhary16 force-pushed the vikaschoudhary16:selinux-label branch from 3c93a95 to a5b0d38 Jan 24, 2019

@vikaschoudhary16 vikaschoudhary16 force-pushed the vikaschoudhary16:selinux-label branch from a5b0d38 to 339b4eb Jan 24, 2019

@vikaschoudhary16

Member Author

commented Jan 24, 2019

/assign @tallclair

@tallclair
Member

left a comment

Looks good, but I'm wondering about how this is communicated to the user.

@@ -26,4 +26,5 @@ const (
DefaultKubeletContainersDirName = "containers"
DefaultKubeletPluginContainersDirName = "plugin-containers"
DefaultKubeletPodResourcesDirName = "pod-resources"
DefaultKubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"
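Review bot: The constant is named DefaultKubeletPluginsDirSELinuxLabel, but nothing in this hunk makes the value configurable, so the Default prefix is misleading; the Start() hunk later in this PR already references it as config.KubeletPluginsDirSELinuxLabel, so the definition should be renamed to match. A one-line comment on why the container_file_t type is required (a device plugin running in a container must be able to create its socket under this directory) would also help, because "system_u:object_r:container_file_t:s0" is otherwise an unexplained magic string.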

@tallclair

tallclair Jan 24, 2019

Member

nit: This is called a default, but is it configurable in any way? Should it just be KubeletPluginsDirSELinuxLabel?

@@ -26,4 +26,5 @@ const (
DefaultKubeletContainersDirName = "containers"
DefaultKubeletPluginContainersDirName = "plugin-containers"
DefaultKubeletPodResourcesDirName = "pod-resources"
DefaultKubeletPluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"

@tallclair

tallclair Jan 24, 2019

Member

Is this label documented anywhere? Should it be?

@vikaschoudhary16

vikaschoudhary16 Jan 25, 2019

Author Member

@tallclair no, I think nowhere in the k8s documentation.
Should it be? ---- Documentation never hurts, for sure :).
I am just not sure where it would be appropriate to mention this.
Since the dirs that are being labeled are created by the device manager and the plugin watcher, maybe in the device manager design proposal and the plugin watcher design proposal.
Sounds reasonable?

@tallclair

tallclair Jan 25, 2019

Member

Sounds good to me.

@vikaschoudhary16

vikaschoudhary16 Jan 26, 2019

Author Member

Will update proposals post merge of this PR

@tallclair

Member

commented Jan 25, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm and removed lgtm labels Jan 25, 2019

@vikaschoudhary16 vikaschoudhary16 force-pushed the vikaschoudhary16:selinux-label branch 2 times, most recently from a8889c1 to 1481deb Jan 30, 2019

@vikaschoudhary16

Member Author

commented Feb 4, 2019

/retest

@k8s-ci-robot

Contributor

commented Feb 4, 2019

@vikaschoudhary16: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-local-e2e-containerized 1481deb link /test pull-kubernetes-local-e2e-containerized

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@booxter
Contributor

left a comment

This probably resolves the issue for privileged containers, but some, like SR-IOV Intel device plugin, are not privileged, and it would be sad to upgrade its privileges just for this SELinux label. Do you have an idea how to tackle that in case of unprivileged containers?

@@ -50,3 +50,8 @@ func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
}
return selinux.FileLabel(path)
}

// FileLabel returns the SELinux label for this path or returns an error.
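Review bot: The added doc comment describes FileLabel (returns a label or an error), which is the call Getfilecon above already wraps; if the method it precedes wraps selinux.SetFileLabel, which returns only an error, the comment is wrong on both the name and the return values. Go doc comments should begin with the name of the method they document and describe what that method actually does, so replace this line with a comment that names the new method and states that it sets the label of path and returns only an error.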

@booxter

booxter Feb 19, 2019

Contributor

Does this comment belong here? We call SetFileLabel here, not FileLabel; and the former doesn't return a label or error, just an error.

@booxter

Contributor

commented Mar 25, 2019

This probably resolves the issue for privileged containers, but some, like SR-IOV Intel device plugin, are not privileged, and it would be sad to upgrade its privileges just for this SELinux label. Do you have an idea how to tackle that in case of unprivileged containers?

Disregard this comment, I misinterpreted warnings emitted by this patch as a sign that SELinux labels are applied by plugin itself and not kubelet.

@@ -0,0 +1,10 @@
reviewers:
- pmorie
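Review bot: Adding an OWNERS file is a governance change independent of the socket-directory labeling fix and should be split into its own PR so it can be reviewed and reverted separately. Of the ten added lines only the `reviewers:` key with a single entry (pmorie) is visible here; before it lands, make sure the file also carries an approvers section and more than one reviewer so the package does not depend on a single person.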

@smarterclayton

smarterclayton May 18, 2019

Contributor

Generally we wouldn't add owners in the same PR. Would be better to split this out.

@vikaschoudhary16

vikaschoudhary16 May 18, 2019

Author Member

Actually @tallclair suggested this. I am fine moving this out as well.

@@ -206,6 +207,12 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc

socketPath := filepath.Join(m.socketdir, m.socketname)
os.MkdirAll(m.socketdir, 0755)
if selinux.SELinuxEnabled() {
err = selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel)
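Review bot: The return value of os.MkdirAll(m.socketdir, 0755) is discarded, so a failure to create the directory will only surface, if at all, as a confusing error from SetFileLabel; check it and return before attempting to label. The label call should be written as `if err := selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel); err != nil {` so err is scoped to that branch and cannot be picked up by later code in Start(). Also consider whether a relabel failure while SELinux is enabled should fail startup rather than just log, since an unlabeled socket directory is exactly the condition this PR is fixing.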

@smarterclayton

smarterclayton May 18, 2019

Contributor

This should really be if err := x; err != nil. Using this style means that a later change in the code could access err, which is not what we want.
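A corrected form of the Start() snippet above, added here as an example and not kubelet code: it checks the MkdirAll error, scopes each err to its own if statement as suggested, and reads the label back so a relabel that silently did nothing is caught. The Labeler interface and fakeSELinux are assumptions standing in for the go-selinux calls so the code runs on a host without SELinux.

```go
package main

import (
	"fmt"
	"os"
)

// Label the PR applies to the plugin socket directory.
const pluginsDirSELinuxLabel = "system_u:object_r:container_file_t:s0"

// Labeler stands in for the go-selinux calls used in the hunk (SELinuxEnabled, SetFileLabel,
// FileLabel) so the logic runs on hosts without SELinux. Hypothetical, not kubelet code.
type Labeler interface {
	Enabled() bool
	SetFileLabel(path, label string) error
	FileLabel(path string) (string, error)
}

// PrepareSocketDir creates dir and, when SELinux is enabled, labels it and reads the label
// back. Unlike the hunk, the MkdirAll error is checked and every err is scoped to its if.
func PrepareSocketDir(dir, label string, sel Labeler) error {
	if err := os.MkdirAll(dir, 0755); err != nil { // the hunk discards this error
		return fmt.Errorf("create plugin socket dir %s: %w", dir, err)
	}
	if !sel.Enabled() {
		return nil // nothing to relabel on a host without SELinux
	}
	if err := sel.SetFileLabel(dir, label); err != nil {
		return fmt.Errorf("label %s as %s: %w", dir, label, err)
	}
	if got, err := sel.FileLabel(dir); err != nil || got != label {
		return fmt.Errorf("label of %s is %q (err=%v), want %q", dir, got, err, label)
	}
	return nil
}

// fakeSELinux is a constructed in-memory stand-in for the demo and tests.
type fakeSELinux struct {
	enabled bool
	labels  map[string]string
	setErr  error // constructed failure injected into SetFileLabel
}
func (f *fakeSELinux) Enabled() bool { return f.enabled }
func (f *fakeSELinux) SetFileLabel(p, l string) error {
	if f.setErr == nil {
		f.labels[p] = l
	}
	return f.setErr
}
func (f *fakeSELinux) FileLabel(p string) (string, error) { return f.labels[p], nil }
```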

@smarterclayton

Contributor

commented May 18, 2019

I don't see a second review after the last set of changes? @kubernetes/sig-node-pr-reviews please take a look

@vikaschoudhary16 vikaschoudhary16 force-pushed the vikaschoudhary16:selinux-label branch from 1481deb to 58d1b4d May 18, 2019

@vikaschoudhary16

Member Author

commented May 18, 2019

@smarterclayton

Contributor

commented May 18, 2019

/approve

But needs review (it looks ok to me but I don’t want to be the sign off)

@k8s-ci-robot

Contributor

commented May 18, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: smarterclayton, vikaschoudhary16

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tallclair

Member

commented May 20, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 20, 2019

@k8s-ci-robot k8s-ci-robot merged commit e476a60 into kubernetes:master May 20, 2019

20 checks passed
