Add SupportsSELinuxContextMount

Add a new call to VolumePlugin interface and change all its
implementations.

Kubelet's VolumeManager will be interested whether a volume supports
mounting with -o conext=XYZ or not to hanle SetUp() / MountDevice()
accordingly.

pkg/controller/volume/attachdetach/testing/testvolumespec.go

@@ -483,6 +483,10 @@ func (plugin *TestPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *TestPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *TestPlugin) GetErrorEncountered() bool {
 	plugin.pluginLock.RLock()
 	defer plugin.pluginLock.RUnlock()

pkg/controller/volume/persistentvolume/framework_test.go

@@ -970,6 +970,10 @@ func (plugin *mockVolumePlugin) ConstructVolumeSpec(volumeName, mountPath string
 	return nil, nil
 }
 
+func (plugin *mockVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *mockVolumePlugin) NewMounter(spec *volume.Spec, podRef *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return nil, fmt.Errorf("Mounter is not supported by this plugin")
 }

pkg/volume/awsebs/aws_ebs.go

@@ -100,6 +100,10 @@ func (plugin *awsElasticBlockStorePlugin) SupportsBulkVolumeVerification() bool
 	return true
 }
 
+func (plugin *awsElasticBlockStorePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *awsElasticBlockStorePlugin) GetVolumeLimits() (map[string]int64, error) {
 	volumeLimits := map[string]int64{
 		util.EBSVolumeLimitKey: util.DefaultMaxEBSVolumes,

pkg/volume/azure_file/azure_file.go

@@ -100,6 +100,10 @@ func (plugin *azureFilePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *azureFilePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *azureFilePlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/azuredd/azure_dd.go

@@ -134,6 +134,10 @@ func (plugin *azureDataDiskPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *azureDataDiskPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *azureDataDiskPlugin) GetVolumeLimits() (map[string]int64, error) {
 	volumeLimits := map[string]int64{
 		util.AzureVolumeLimitKey: defaultAzureVolumeLimit,

pkg/volume/cephfs/cephfs.go

@@ -85,6 +85,10 @@ func (plugin *cephfsPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *cephfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *cephfsPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/cinder/cinder.go

@@ -123,6 +123,10 @@ func (plugin *cinderPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *cinderPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 var _ volume.VolumePluginWithAttachLimits = &cinderPlugin{}
 
 func (plugin *cinderPlugin) GetVolumeLimits() (map[string]int64, error) {

pkg/volume/configmap/configmap.go

@@ -90,6 +90,10 @@ func (plugin *configMapPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *configMapPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *configMapPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return &configMapVolumeMounter{
 		configMapVolume: &configMapVolume{

pkg/volume/csi/csi_plugin.go

@@ -581,6 +581,10 @@ func (p *csiPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (p *csiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 // volume.AttachableVolumePlugin methods
 var _ volume.AttachableVolumePlugin = &csiPlugin{}
 

pkg/volume/downwardapi/downwardapi.go

@@ -92,6 +92,10 @@ func (plugin *downwardAPIPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *downwardAPIPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *downwardAPIPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	v := &downwardAPIVolume{
 		volName:         spec.Name(),

pkg/volume/emptydir/empty_dir.go

@@ -103,6 +103,10 @@ func (plugin *emptyDirPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *emptyDirPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *emptyDirPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return plugin.newMounterInternal(spec, pod, plugin.host.GetMounter(plugin.GetPluginName()), &realMountDetector{plugin.host.GetMounter(plugin.GetPluginName())}, opts)
 }

pkg/volume/fc/fc.go

@@ -99,6 +99,10 @@ func (plugin *fcPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *fcPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *fcPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/flexvolume/plugin.go

@@ -287,6 +287,10 @@ func (plugin *flexVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *flexVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 // Returns true iff the given command is known to be unsupported.
 func (plugin *flexVolumePlugin) isUnsupported(command string) bool {
 	plugin.Lock()

pkg/volume/gcepd/gce_pd.go

@@ -111,6 +111,10 @@ func (plugin *gcePersistentDiskPlugin) SupportsBulkVolumeVerification() bool {
 	return true
 }
 
+func (plugin *gcePersistentDiskPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *gcePersistentDiskPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/git_repo/git_repo.go

@@ -89,6 +89,10 @@ func (plugin *gitRepoPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *gitRepoPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *gitRepoPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	if err := validateVolume(spec.Volume.GitRepo); err != nil {
 		return nil, err

pkg/volume/glusterfs/glusterfs.go

@@ -132,6 +132,10 @@ func (plugin *glusterfsPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *glusterfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *glusterfsPlugin) RequiresFSResize() bool {
 	return false
 }

pkg/volume/hostpath/host_path.go

@@ -108,6 +108,10 @@ func (plugin *hostPathPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *hostPathPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *hostPathPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/iscsi/iscsi.go

@@ -92,6 +92,10 @@ func (plugin *iscsiPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *iscsiPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *iscsiPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/local/local.go

@@ -96,6 +96,10 @@ func (plugin *localVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *localVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *localVolumePlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	// The current meaning of AccessMode is how many nodes can attach to it, not how many pods can mount it
 	return []v1.PersistentVolumeAccessMode{

pkg/volume/nfs/nfs.go

@@ -105,6 +105,10 @@ func (plugin *nfsPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *nfsPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *nfsPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/noop_expandable_plugin.go

@@ -75,3 +75,7 @@ func (n *noopExpandableVolumePluginInstance) SupportsBulkVolumeVerification() bo
 func (n *noopExpandableVolumePluginInstance) RequiresFSResize() bool {
 	return true
 }
+
+func (n *noopExpandableVolumePluginInstance) SupportsSELinuxContextMount(spec *Spec) (bool, error) {
+	return false, nil
+}

pkg/volume/plugins.go

@@ -187,6 +187,10 @@ type VolumePlugin interface {
 	// of enabling bulk polling of all nodes. This can speed up verification of
 	// attached volumes by quite a bit, but underlying pluging must support it.
 	SupportsBulkVolumeVerification() bool
+
+	// SupportsSELinuxContextMount returns true if volume plugins supports
+	// mount -o context=XYZ for a given volume.
+	SupportsSELinuxContextMount(spec *Spec) (bool, error)
 }
 
 // PersistentVolumePlugin is an extended interface of VolumePlugin and is used

pkg/volume/plugins_test.go

@@ -87,6 +87,10 @@ func (plugin *testPlugins) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *testPlugins) SupportsSELinuxContextMount(spec *Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *testPlugins) NewMounter(spec *Spec, podRef *v1.Pod, opts VolumeOptions) (Mounter, error) {
 	return nil, nil
 }

pkg/volume/portworx/portworx.go

@@ -230,6 +230,10 @@ func (plugin *portworxVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *portworxVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func getVolumeSource(
 	spec *volume.Spec) (*v1.PortworxVolumeSource, bool, error) {
 	if spec.Volume != nil && spec.Volume.PortworxVolume != nil {

pkg/volume/projected/projected.go

@@ -105,6 +105,10 @@ func (plugin *projectedPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *projectedPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *projectedPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return &projectedVolumeMounter{
 		projectedVolume: &projectedVolume{

pkg/volume/rbd/rbd.go

@@ -125,6 +125,10 @@ func (plugin *rbdPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *rbdPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *rbdPlugin) GetAccessModes() []v1.PersistentVolumeAccessMode {
 	return []v1.PersistentVolumeAccessMode{
 		v1.ReadWriteOnce,

pkg/volume/secret/secret.go

@@ -93,6 +93,10 @@ func (plugin *secretPlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *secretPlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *secretPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return &secretVolumeMounter{
 		secretVolume: &secretVolume{

pkg/volume/testing/testing.go

@@ -284,6 +284,10 @@ func (plugin *FakeVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *FakeVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *FakeVolumePlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	plugin.Lock()
 	defer plugin.Unlock()
@@ -545,6 +549,10 @@ func (f *FakeBasicVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return f.Plugin.SupportsBulkVolumeVerification()
 }
 
+func (f *FakeBasicVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return f.Plugin.SupportsSELinuxContextMount(spec)
+}
+
 func (f *FakeBasicVolumePlugin) SupportsMountOption() bool {
 	return f.Plugin.SupportsMountOption()
 }
@@ -626,6 +634,10 @@ func (plugin *FakeFileVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return false
 }
 
+func (plugin *FakeFileVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *FakeFileVolumePlugin) NewMounter(spec *volume.Spec, podRef *v1.Pod, opts volume.VolumeOptions) (volume.Mounter, error) {
 	return nil, nil
 }

pkg/volume/vsphere_volume/vsphere_volume.go

@@ -104,6 +104,10 @@ func (plugin *vsphereVolumePlugin) SupportsBulkVolumeVerification() bool {
 	return true
 }
 
+func (plugin *vsphereVolumePlugin) SupportsSELinuxContextMount(spec *volume.Spec) (bool, error) {
+	return false, nil
+}
+
 func (plugin *vsphereVolumePlugin) NewMounter(spec *volume.Spec, pod *v1.Pod, _ volume.VolumeOptions) (volume.Mounter, error) {
 	return plugin.newMounterInternal(spec, pod.UID, &VsphereDiskUtil{}, plugin.host.GetMounter(plugin.GetPluginName()))
 }