Enable selinux tags in make targets #87658
Conversation
k8s-ci-robot
added
release-note-none
|
/sig release |
k8s-ci-robot
added
sig/release
|
/priority important-soon |
k8s-ci-robot
added
priority/important-soon
k8s-ci-robot
added
the
approved
|
/hold for reviews |
k8s-ci-robot
added
the
do-not-merge/hold
|
Seems fine to me. /lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-kind |
|
How do I add another tag for providerless then? |
I wondered the same thing |
|
@BenTheElder we could do |
|
/retest |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/test pull-kubernetes-e2e-gce-100-performance |
1 similar comment
|
/test pull-kubernetes-e2e-gce-100-performance |
|
/assign @BenTheElder |
hack/lib/golang.sh
Outdated
| @@ -785,6 +788,18 @@ kube::golang::build_binaries() { | |||
| goasmflags="-trimpath=${KUBE_ROOT}" | |||
| gogcflags="${GOGCFLAGS:-} -trimpath=${KUBE_ROOT}" | |||
|
|
|||
| # extract tags if any specified in GOFLAGS | |||
| # shellcheck disable=SC2001 | |||
| gotags=$(echo "${GOFLAGS:-}" | sed -e 's|.*-tags=\([^-]*\).*|\1|') | |||
There was a problem hiding this comment.
I think this doesn't work correctly for multiple tags.
If I want to set multiple tags via GOFLAGS to go I have to use:
export GOFLAGS='-tags=selinux -tags=providerless'
this command will give me:
echo "${GOFLAGS:-}" | sed -e 's|.*-tags=\([^-]*\).*|\1|'
providerlessEDIT: potential fix
| gotags=$(echo "${GOFLAGS:-}" | sed -e 's|.*-tags=\([^-]*\).*|\1|') | |
| gotags=$(echo "${GOFLAGS:-}" | grep -oe '-tags=\([^- ]*\)' | tr '\n' ' ' | sed -e 's|-tags=\([^-]*\)|\1|g') |
There was a problem hiding this comment.
something like the above edit, I'm sure it can be done more cleanly ... 🤔
There was a problem hiding this comment.
Thankfully GOFLAGS specifically expects a space separated set of -flag=value so there may not be too many other edge cases ...
GOFLAGS
A space-separated list of -flag=value settings to apply
to go commands by default, when the given flag is known by
the current command. Each entry must be a standalone flag.
Because the entries are space-separated, flag values must
not contain spaces. Flags listed on the command line
are applied after this list and therefore override it.
https://golang.org/cmd/go/#hdr-Environment_variables
I am not sure if we even need the quote stripping.
There was a problem hiding this comment.
@BenTheElder from what i understood -tags=selinux -tags=providerless the last one is picked up. So if you do this today selinux would not kick in.
So the test cases i had were as follows (quoting from memory):
-tags=providerless-tags='providerless'-tags="providerless"-abc -tags=providerless-abc -tags="providerless"-abc -tags='providerless'-abc -tags=providerless -xyz-abc -tags="providerless" -xyz-abc -tags='providerless' -xyz-abc -tags="providerless selinux" -xyz-abc -tags='providerless selinux' -xyz
There was a problem hiding this comment.
So GOFLAGS cannot contain quoted values and the value in -flag=value cannot contain a space.
This means this flag couldn't have more than one value:
golang/go#26849
Except in go1.13 it may be comma seperated for cmd/go
golang/go@80e7832
Need to do some tests when I get to a machine.
There was a problem hiding this comment.
Ack. please let me know. Let's wrap this up with spaces first please as the first iteration. i can follow up with support for comma.
There was a problem hiding this comment.
[bentheelder@bentheelder:~/junk·2020-01-31T12:31:41-0800]
$ GOFLAGS='-tags=providerless,selinux' go build .
[bentheelder@bentheelder:~/junk·2020-01-31T12:31:48-0800]
$ cat ./a.go
// +build providerless,selinux
package main
func main() {
println("test")
}
There was a problem hiding this comment.
versus:
[bentheelder@bentheelder:~/junk·2020-01-31T12:32:03-0800]
$ GOFLAGS='-tags="providerless selinux"' go build .
go: parsing $GOFLAGS: non-flag "selinux\""
There was a problem hiding this comment.
we can replace all of this processing with just:
gotags="selinux,$(echo "${GOFLAGS:-}" | sed -e 's|.*-tags=\([^-]*\).*|\1|')"
hack/lib/golang.sh
Outdated
| # strip single quotes | ||
| gotags=${gotags//\'} | ||
| # trim leading and trailing whitespaces | ||
| gotags=$(echo "$gotags" | awk '{ gsub(/^[ \t]+|[ \t]+$/, ""); print }') |
There was a problem hiding this comment.
leading and trailing whitespace is illegal, as are the quotes, we can drop this and just , join with selinux
requires go 1.13+ but we're on that
hack/lib/golang.sh
Outdated
| # trim leading and trailing whitespaces | ||
| gotags=$(echo "$gotags" | awk '{ gsub(/^[ \t]+|[ \t]+$/, ""); print }') | ||
| # ensure selinux is specified in the list of tags | ||
| gotags="selinux $gotags" |
There was a problem hiding this comment.
comma instead of a space
| gotags="selinux $gotags" | |
| gotags="selinux,${gotags}" |
In 24d1059, a fix was made in bazel based builds to ensure that we add `selinux` tag when we build all binaries especially the `kubelet`. We need to do the same for in our hack scripts so things like `make release` will work properly as well. Some scripts use `GOFLAGS=-tags=providerless` for example, So we should support the tags to be specified in GOFLAGS as well. We parse out the tags from there and ensure selinux is added to the list of tags we used for building the binaries. Note that we add our own `-tags` with the full set of tags and since we specify our parameter at the end, ours full list takes precendence
dims
force-pushed
the
enable-selinux-tags-in-make-targets
branch
from
4072793
to
dfd8e4e
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, cblecker, dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
flake: [sig-cli] Kubectl client Simple pod should support inline execution and attach expand_more cross is super flaky now as well so :/ |
|
GCE timed out...? |
|
/retest |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
is it expected that https://testgrid.k8s.io/google-gce#gci-gce-flaky&sort-by-flakiness=&width=20&include-filter-by-regex=SELinux are still failing? do we have e2e tests that verify this is effective? |
|
@liggitt I think those tests are faulty. They are failing on - https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L272 which checks for ability to not read file correctly if MCS label's don't match. It is throwing following error: Which is exactly as it should happen. The code that does check for ability of pod to read/write the file appears to be passing succuessfully. |
|
If we go to a version before @dims fix the test fails in different place: Which means it does not work with plain emptydir |
…7658-upstream-release-1.17 Automated cherry pick of #87658: Enable selinux tags in make targets
…7658-upstream-release-1.16 Automated cherry pick of #87658: Enable selinux tags in make targets
In 24d1059, a fix was made in bazel
based builds to ensure that we add
selinuxtag when we build allbinaries especially the
kubelet. We need to do the same for in ourhack scripts so things like
make releasewill work properly as well.What type of PR is this?
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes kubernetes/release#1037
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: