From 1ff6a5082a440fe4a4c3f3670534ab6185d26752 Mon Sep 17 00:00:00 2001
From: Brent Baude <bbaude@redhat.com>
Date: Wed, 29 Sep 2021 14:57:33 -0500
Subject: Support selinux options with bind mounts play/gen

When using play kube and generate kube, we need to support bind mounts
that carry selinux options.  As kubernetes does not support selinux in
this way, we tuck the selinux values into a pod annotation when
generating the kube yaml.  Then on play, we check the annotations to see
if a value for the mount exists and apply it.

Fixes BZ #1984081

Signed-off-by: Brent Baude <bbaude@redhat.com>
---
 pkg/domain/infra/abi/play.go      |  2 +-
 pkg/specgen/generate/kube/kube.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)


diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 35389ec5e..cf72a6253 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -319,8 +319,8 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		if err != nil {
 			return nil, err
 		}
-
 		specgenOpts := kube.CtrSpecGenOptions{
+			Annotations:       annotations,
 			Container:         initCtr,
 			Image:             pulledImage,
 			Volumes:           volumes,
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index c01d7a1f0..27a1e5a72 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/common/pkg/parse"
 	"github.com/containers/common/pkg/secrets"
 	"github.com/containers/image/v5/manifest"
+	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/libpod/network/types"
 	ann "github.com/containers/podman/v3/pkg/annotations"
 	"github.com/containers/podman/v3/pkg/domain/entities"
@@ -86,6 +87,8 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions,
 }
 
 type CtrSpecGenOptions struct {
+	// Annotations from the Pod
+	Annotations map[string]string
 	// Container as read from the pod yaml
 	Container v1.Container
 	// Image available to use (pulled or found local)
@@ -289,6 +292,14 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		volume.MountPath = dest
 		switch volumeSource.Type {
 		case KubeVolumeTypeBindMount:
+			// If the container has bind mounts, we need to check if
+			// a selinux mount option exists for it
+			for k, v := range opts.Annotations {
+				// Make sure the z/Z option is not already there (from editing the YAML)
+				if strings.Replace(k, define.BindMountPrefix, "", 1) == volumeSource.Source && !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) {
+					options = append(options, v)
+				}
+			}
 			mount := spec.Mount{
 				Destination: volume.MountPath,
 				Source:      volumeSource.Source,
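Review bot: The annotation match on the `strings.Replace(...) == volumeSource.Source` line and the unconditional `options = append(options, v)` are both looser than the commit message describes: Replace removes the first occurrence of define.BindMountPrefix anywhere in the key rather than requiring it as a prefix, and v is appended as a mount option whatever its content, so any annotation value in the pod YAML becomes a mount option, not just z/Z. The z/Z duplicate guard also does not prevent the same non-z/Z value being appended once per matching annotation. Use strings.HasPrefix/TrimPrefix for the key and reject values other than "z" or "Z" with an error (use whichever error constructor the file already uses; fmt.Errorf below is a placeholder for that). ToSpecGen starts and ends outside the hunk.
```go
		case KubeVolumeTypeBindMount:
			// Apply a z/Z SELinux relabel option that generate kube recorded
			// as a pod annotation keyed by define.BindMountPrefix + source path.
			for k, v := range opts.Annotations {
				if !strings.HasPrefix(k, define.BindMountPrefix) {
					continue
				}
				if strings.TrimPrefix(k, define.BindMountPrefix) != volumeSource.Source {
					continue
				}
				if v != "z" && v != "Z" {
					return nil, fmt.Errorf("invalid selinux option %q in annotation %q: only z or Z are supported", v, k)
				}
				// Skip if the YAML already carries a relabel option (hand-edited).
				if !util.StringInSlice("z", options) && !util.StringInSlice("Z", options) {
					options = append(options, v)
				}
			}
			// … unchanged: spec.Mount construction …
```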
-- 