Rename IsRWOP

To be able to update content of the function to other access modes when we implement SELinux mount for more of them.
openshift · Aug 4, 2022 · a01e720 · a01e720
1 parent 1490d51
commit a01e720
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
@@ -822,7 +822,7 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
 			// The volume is mounted, check its SELinux context mount option
 			if *volumeObj.seLinuxMountContext != seLinuxLabel {
 				fullErr := newSELinuxMountMismatchError(volumeName)
-				if util.IsRWOP(volumeObj.spec) {
+				if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
 					return false, volumeObj.devicePath, fullErr
 				}
 			}

diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@@ -307,7 +307,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 				}
 			}
 		}
-		if !util.IsRWOP(volumeSpec) {
+		if !util.VolumeSupportsSELinuxMount(volumeSpec) {
 			// Clear SELinux label for the volume with unsupported access modes.
 			seLinuxFileLabel = ""
 		}
@@ -339,8 +339,8 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 			if seLinuxFileLabel != vol.seLinuxFileLabel {
 				// TODO: update the error message after tests, e.g. add at least the conflicting pod names.
 				fullErr := fmt.Errorf("conflicting SELinux labels of volume %s: %q and %q", volumeSpec.Name(), vol.seLinuxFileLabel, seLinuxFileLabel)
-				isRWOP := util.IsRWOP(volumeSpec)
-				if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
+				supported := util.VolumeSupportsSELinuxMount(volumeSpec)
+				if err := handleSELinuxMetricError(fullErr, supported, seLinuxVolumeContextMismatchWarnings, seLinuxVolumeContextMismatchErrors); err != nil {
 					return "", err
 				}
 			} else {
@@ -385,15 +385,15 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 		if err != nil {
 			return "", false, err
 		}
-		isRWOP := util.IsRWOP(volumeSpec)
+		seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
 		if pluginSupportsSELinuxContextMount {
 			// Ensure that a volume that can be mounted with "-o context=XYZ" is
 			// used only by containers with the same SELinux contexts.
 			for _, containerContext := range seLinuxContainerContexts {
 				newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
 				if err != nil {
 					fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
-					if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
+					if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxContainerContextWarnings, seLinuxContainerContextErrors); err != nil {
 						return "", false, err
 					}
 				}
@@ -403,7 +403,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 				}
 				if seLinuxFileLabel != newLabel {
 					fullErr := fmt.Errorf("volume %s is used with two different SELinux contexts in the same pod: %q, %q", volumeSpec.Name(), seLinuxFileLabel, newLabel)
-					if err := handlerSELinuxMetricError(fullErr, isRWOP, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
+					if err := handleSELinuxMetricError(fullErr, seLinuxSupported, seLinuxPodContextMismatchWarnings, seLinuxPodContextMismatchErrors); err != nil {
 						return "", false, err
 					}
 				}
@@ -622,14 +622,13 @@ func (dsw *desiredStateOfWorld) getSELinuxMountSupport(volumeSpec *volume.Spec)
 }
 
 // Based on isRWOP, bump the right warning / error metric and either consume the error or return it.
-func handlerSELinuxMetricError(err error, isRWOP bool, warningMetric, errorMetric *metrics.Gauge) error {
-	if isRWOP {
-		// Cannot mount with -o context if the context can't be composed.
+func handleSELinuxMetricError(err error, seLinuxSupported bool, warningMetric, errorMetric *metrics.Gauge) error {
+	if seLinuxSupported {
 		errorMetric.Add(1.0)
 		return err
 	}
 
-	// This is not an error yet, but it will be when support for RWO and RWX volumes is added
+	// This is not an error yet, but it will be when support for other access modes is added.
 	warningMetric.Add(1.0)
 	klog.V(4).ErrorS(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
 	return nil

diff --git a/pkg/volume/util/selinux.go b/pkg/volume/util/selinux.go
@@ -166,10 +166,15 @@ func SupportsSELinuxContextMount(volumeSpec *volume.Spec, volumePluginMgr *volum
 	return false, nil
 }
 
-func IsRWOP(volumeSpec *volume.Spec) bool {
+// VolumeSupportsSELinuxMount returns true if given volume access mode can support mount with SELinux mount options.
+func VolumeSupportsSELinuxMount(volumeSpec *volume.Spec) bool {
+	// Right now, SELinux mount is supported only for ReadWriteOncePod volumes.
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) {
 		return false
 	}
+	if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		return false
+	}
 	if volumeSpec.PersistentVolume == nil {
 		return false
 	}