From 1ff6a5082a440fe4a4c3f3670534ab6185d26752 Mon Sep 17 00:00:00 2001 From: Brent Baude Date: Wed, 29 Sep 2021 14:57:33 -0500 Subject: Support selinux options with bind mounts play/gen When using play kube and generate kube, we need to support if bind mounts have selinux options. As kubernetes does not support selinux in this way, we tuck the selinux values into a pod annotation for generation of the kube yaml. Then on play, we check annotations to see if a value for the mount exists and apply it. Fixes BZ #1984081 Signed-off-by: Brent Baude --- pkg/domain/infra/abi/play.go | 2 +- pkg/specgen/generate/kube/kube.go | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) (limited to 'pkg') diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 35389ec5e..cf72a6253 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -319,8 +319,8 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if err != nil { return nil, err } - specgenOpts := kube.CtrSpecGenOptions{ + Annotations: annotations, Container: initCtr, Image: pulledImage, Volumes: volumes, diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index c01d7a1f0..27a1e5a72 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -12,6 +12,7 @@ import ( "github.com/containers/common/pkg/parse" "github.com/containers/common/pkg/secrets" "github.com/containers/image/v5/manifest" + "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/network/types" ann "github.com/containers/podman/v3/pkg/annotations" "github.com/containers/podman/v3/pkg/domain/entities" @@ -86,6 +87,8 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, } type CtrSpecGenOptions struct { + // Annotations from the Pod + Annotations map[string]string // Container as read from the pod yaml Container v1.Container // Image available to use (pulled or found local) @@ -289,6 +292,14 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener volume.MountPath = dest switch volumeSource.Type { case KubeVolumeTypeBindMount: + // If the container has bind mounts, we need to check if + // a selinux mount option exists for it + for k, v := range opts.Annotations { + // Make sure the z/Z option is not already there (from editing the YAML) + if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) { + options = append(options, v) + } + } mount := spec.Mount{ Destination: volume.MountPath, Source: volumeSource.Source, -- cgit v1.2.3-54-g00ecf