diff options
| author | Brent Baude <bbaude@redhat.com> | 2021-09-29 14:57:33 -0500 |
|---|---|---|
| committer | Brent Baude <bbaude@redhat.com> | 2021-09-30 10:49:14 -0500 |
| commit | 1ff6a5082a440fe4a4c3f3670534ab6185d26752 (patch) | |
| tree | 8018f0ee002631fc383ac8fbd12ebebcec6ed1ab /pkg | |
| parent | 966b6030fa5cc31c163e344b64109eddeffc3529 (diff) | |
| download | podman-1ff6a5082a440fe4a4c3f3670534ab6185d26752.tar.gz podman-1ff6a5082a440fe4a4c3f3670534ab6185d26752.tar.bz2 podman-1ff6a5082a440fe4a4c3f3670534ab6185d26752.zip | |
Support selinux options with bind mounts play/gen
When using play kube and generate kube, we need to support if bind
mounts have selinux options. As kubernetes does not support selinux in
this way, we tuck the selinux values into a pod annotation for
generation of the kube yaml. Then on play, we check annotations to see
if a value for the mount exists and apply it.
Fixes BZ #1984081
Signed-off-by: Brent Baude <bbaude@redhat.com>
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/domain/infra/abi/play.go | 2 | ||||
| -rw-r--r-- | pkg/specgen/generate/kube/kube.go | 11 |
2 files changed, 12 insertions, 1 deletions
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 35389ec5e..cf72a6253 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -319,8 +319,8 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if err != nil { return nil, err } - specgenOpts := kube.CtrSpecGenOptions{ + Annotations: annotations, Container: initCtr, Image: pulledImage, Volumes: volumes, diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index c01d7a1f0..27a1e5a72 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -12,6 +12,7 @@ import ( "github.com/containers/common/pkg/parse" "github.com/containers/common/pkg/secrets" "github.com/containers/image/v5/manifest" + "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/network/types" ann "github.com/containers/podman/v3/pkg/annotations" "github.com/containers/podman/v3/pkg/domain/entities" @@ -86,6 +87,8 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, } type CtrSpecGenOptions struct { + // Annotations from the Pod + Annotations map[string]string // Container as read from the pod yaml Container v1.Container // Image available to use (pulled or found local) @@ -289,6 +292,14 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener volume.MountPath = dest switch volumeSource.Type { case KubeVolumeTypeBindMount: + // If the container has bind mounts, we need to check if + // a selinux mount option exists for it + for k, v := range opts.Annotations { + // Make sure the z/Z option is not already there (from editing the YAML) + if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) { + options = append(options, v) + } + } mount := spec.Mount{ Destination: volume.MountPath, Source: volumeSource.Source, |