author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-05-17 16:27:20 -0400 |
committer | GitHub <noreply@github.com> | 2021-05-17 16:27:20 -0400 |
commit | 3aa4746fb6d4c6e9934f1ace420ba0ecbc11b4f1 (patch) | |
tree | 932e323839d69c66682152f438a352ac0f05316f | |
parent | 9a9118b831e7d0cfe8e6a876a8856aa306cb880a (diff) | |
parent | 4cc19f9e0f118d5f93a5399d14f56a887926e073 (diff) | |
Merge pull request #10339 from rhatdan/selinux
Support automatic labeling of kube volumes
-rw-r--r-- | pkg/specgen/generate/kube/kube.go | 42 | ||||
-rw-r--r-- | test/system/700-play.bats | 26 |
2 files changed, 54 insertions, 14 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 4e41061a5..054388384 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -250,27 +250,26 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 if !exists {
 return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
 }
+
+ dest, options, err := parseMountPath(volume.MountPath, volume.ReadOnly)
+ if err != nil {
+ return nil, err
+ }
+
 switch volumeSource.Type {
 case KubeVolumeTypeBindMount:
- if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
- return nil, errors.Wrapf(err, "error in parsing MountPath")
- }
 mount := spec.Mount{
- Destination: volume.MountPath,
+ Destination: dest,
 Source: volumeSource.Source,
 Type: "bind",
- }
- if volume.ReadOnly {
- mount.Options = []string{"ro"}
+ Options: options,
 }
 s.Mounts = append(s.Mounts, mount)
 case KubeVolumeTypeNamed:
 namedVolume := specgen.NamedVolume{
- Dest: volume.MountPath,
- Name: volumeSource.Source,
- }
- if volume.ReadOnly {
- namedVolume.Options = []string{"ro"}
+ Dest: dest,
+ Name: volumeSource.Source,
+ Options: options,
 }
 s.Volumes = append(s.Volumes, &namedVolume)
 default:
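Review bot: The call site gives no hint that `volume.MountPath` now carries a podman-only `:option` suffix; as far as I recall Kubernetes' own API validation rejects a mountPath containing ':' ("must not contain ':'"), so YAML written for this feature is not portable back to kubectl, and a `Z` option on a hostPath volume relabels the host directory recursively, as with `--volume host:ctr:Z`. Neither consequence is visible from the hunk, so I would add a comment above the `parseMountPath` call: `// MountPath may carry a podman-only ":opt" suffix (e.g. /data:z); such YAML is rejected by Kubernetes, and z/Z relabel a hostPath on the host.` ToSpecGen starts before this hunk and continues past it.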
@@ -300,6 +299,25 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 return s, nil
 }
 
+func parseMountPath(mountPath string, readOnly bool) (string, []string, error) {
+ options := []string{}
+ splitVol := strings.Split(mountPath, ":")
+ if len(splitVol) > 2 {
+ return "", options, errors.Errorf("%q incorrect volume format, should be ctr-dir[:option]", mountPath)
+ }
+ dest := splitVol[0]
+ if len(splitVol) > 1 {
+ options = strings.Split(splitVol[1], ",")
+ }
+ if err := parse.ValidateVolumeCtrDir(dest); err != nil {
+ return "", options, errors.Wrapf(err, "error in parsing MountPath")
+ }
+ if readOnly {
+ options = append(options, "ro")
+ }
+ return dest, options, nil
+}
+
 func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
 if containerYAML.SecurityContext == nil {
 return
diff --git a/test/system/700-play.bats b/test/system/700-play.bats
index 8fa96741c..bcd8cf939 100644
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
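Review bot: `parseMountPath` forwards whatever follows the colon straight into the mount options without validating it: `strings.Split(splitVol[1], ",")` accepts unknown names, a trailing comma yields an empty `""` option, and `/data:rw` on a volume with `readOnly: true` ends up with both `rw` and `ro`, leaving the outcome to whichever the runtime honours last. If `parse` here is containers/common's parse package, its `ValidateVolumeOpts` already rejects unknown, duplicate and conflicting options for `--volume`, so the same check should run after the `ro` is appended, as below. The function is complete within the hunk.
```go
	if readOnly {
		options = append(options, "ro")
	}
	// Reject unknown, duplicate or conflicting options (e.g. "rw" on a readOnly
	// volume, or an empty entry from a trailing comma) before they reach the spec.
	options, err := parse.ValidateVolumeOpts(options)
	if err != nil {
		return "", nil, errors.Wrapf(err, "error in parsing MountPath options for %q", mountPath)
	}
	return dest, options, nil
```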
@@ -51,18 +51,40 @@ spec:
 seLinuxOptions:
 level: "s0:c1,c2"
 readOnlyRootFilesystem: false
+ volumeMounts:
+ - mountPath: /testdir:z
+ name: home-podman-testdir
 workingDir: /
+ volumes:
+ - hostPath:
+ path: TESTDIR
+ type: Directory
+ name: home-podman-testdir
 status: {}
 "
 
+RELABEL="system_u:object_r:container_file_t:s0"
+
 @test "podman play with stdin" {
- echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+ TESTDIR=$PODMAN_TMPDIR/testdir
+ mkdir -p $TESTDIR
+ echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
 run_podman play kube - < $PODMAN_TMPDIR/test.yaml
+ if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+ run ls -Zd $TESTDIR
+ is "$output" ${RELABEL} "selinux relabel should have happened"
+ fi
 run_podman pod rm -f test_pod
 }
 
 @test "podman play" {
- echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+ TESTDIR=$PODMAN_TMPDIR/testdir
+ mkdir -p $TESTDIR
+ echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
 run_podman play kube $PODMAN_TMPDIR/test.yaml
+ if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+ run ls -Zd $TESTDIR
+ is "$output" ${RELABEL} "selinux relabel should have happened"
+ fi
 run_podman pod rm -f test_pod
 }
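Review bot: The SELinux guard `[ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]` never runs `selinuxenabled`; the second operand is only a non-empty-string test, so the condition is true whenever the binary exists, including on hosts where SELinux is disabled or permissive, where `ls -Zd` will not report `container_file_t` and both tests fail. Use the command's exit status instead, in both tests: `if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then`. The `RELABEL` constant also assumes the shared `z` form (level `s0`); a `Z` mount would carry the pod's `s0:c1,c2` level, so the constant and the `:z` in the YAML must be kept in step, which is worth a one-line comment next to `RELABEL=`.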