From 17bab33bd2b8719c84e5ede1bd21b435ebeedf0e Mon Sep 17 00:00:00 2001
From: Qi Wang <qiwan@redhat.com>
Date: Fri, 21 Feb 2020 17:59:56 -0500
Subject: fix security-opt generate kube

fix #4950
add selinux options from --security-opt of the container to generate kube result

Signed-off-by: Qi Wang <qiwan@redhat.com>
---
 libpod/kube.go | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'libpod')

diff --git a/libpod/kube.go b/libpod/kube.go
index 7a5ab670d..5511d303d 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 		return nil, err
 	}
 
+	var selinuxOpts v1.SELinuxOptions
+	opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+	if len(opts) == 2 {
+		switch opts[0] {
+		case "type":
+			selinuxOpts.Type = opts[1]
+		case "level":
+			selinuxOpts.Level = opts[1]
+		}
+	}
+	if len(opts) == 1 {
+		if opts[0] == "disable" {
+			selinuxOpts.Type = "spc_t"
+		}
+	}
+
 	sc := v1.SecurityContext{
-		Capabilities: newCaps,
-		Privileged:   &priv,
-		// TODO How do we know if selinux were passed into podman
-		//SELinuxOptions:
+		Capabilities:   newCaps,
+		Privileged:     &priv,
+		SELinuxOptions: &selinuxOpts,
 		// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
 		// I'm leaving this as a bread-crumb for later
 		//RunAsNonRoot:             &nonRoot,
-- 
cgit v1.2.3-54-g00ecf