Rework to new KEP directory and yaml metadata

kubernetes · May 12, 2020 · fb838f9 · fb838f9
1 parent a0664f2
commit fb838f9
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 26 deletions.
diff --git a/...ig-storage/20200319-selinux-relabeling.md → ...storage/1710-selinux-relabeling/README.md b/...ig-storage/20200319-selinux-relabeling.md → ...storage/1710-selinux-relabeling/README.md
@@ -8,19 +8,38 @@ participating-sigs:
   - sig-node
 reviewers:
   - "@msau42"
+  - "@gnufied"
+  - "@rhatdan"
+  - "@haircommander"
+  - "@saschagrunert"
   - "@liggit"
   - "@tallclair"
 approvers:
   - "@saad-ali"
 editor: TBD
 creation-date: 2020-02-18
-last-updated: 2020-02-18
-status: provisional
+last-updated: 2020-05-12
+status: implementable
 see-also:
   - /keps/sig-storage/20200120-skip-permission-change.md
 replaces:
 superseded-by:
 
+stage: alpha
+latest-milestone: "v1.19"
+milestone:
+  alpha: "v1.19"
+  beta: "v1.20"
+  stable: "v1.22"
+feature-gate:
+  name: SELinuxRelabelPolicy
+  components:
+    - kube-apiserver
+    - kubelet
+rollback-supported: true
+metrics:
+  # TODO: fill at beta
+
 ---
 
 # Skip SELinux relabeling of volumes
@@ -41,7 +60,7 @@ superseded-by:
     - [<code>mount -o context</code>](#)
   - [New Kubernetes behavior](#new-kubernetes-behavior)
   - [Shared volumes](#shared-volumes)
-  - [<code>CSIDriver.Spec.SELinuxMountSupport</code>](#-1)
+  - [<code>CSIDriver.Spec.SELinuxMountSupported</code>](#-1)
   - [Examples](#examples)
   - [User Stories [optional]](#user-stories-optional)
     - [Story 1](#story-1)
@@ -64,7 +83,7 @@ superseded-by:
 
 ## Release Signoff Checklist
 
-- [ ] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)
+- [x] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)
 - [ ] KEP approvers have set the KEP status to `implementable`
 - [ ] Design details are appropriately documented
 - [ ] Test plan is in place, giving consideration to SIG Architecture and SIG Testing input
@@ -167,7 +186,7 @@ In order to allow `SELinuxRelabelPolicy: OnVolumeMount` for volumes provided by
 
 // CSIDriverSpec is the specification of a CSIDriver.
 type CSIDriverSpec struct {
-    // seLinuxMountSupport specifies if the CSI driver supports "-o context"
+    // SELinuxMountSupported specifies if the CSI driver supports "-o context"
     // mount option.
     //
     // When "true", Kubernetes may call NodeStage / NodePublish with "-o context=xyz" mount
@@ -178,7 +197,7 @@ type CSIDriverSpec struct {
     // podSecurityContext.seLinuxRelabelPolicy "OnVolumeMount" is silently ignored.
     //
     // Default is "false".
-    SELinuxMountSupport *bool;
+    SELinuxMountSupporteded *bool;
     ...
 }
 
@@ -202,7 +221,7 @@ In addition, calling `chcon` there will fail with `Operation not supported`.
 
 * If kubelet *knows* SELinux context of a pod / container to run (i.e. Pod/Container contains at least `SELinuxOptions.Level`):
     * And pod's `SELinuxRelabelPolicy` is `OnVolumeMount`:
-        * And if the in-tree volume plugin supports SELinux / `CSIDriver.Spec.SELinuxMountSupport` is explicitly `true`:
+        * And if the in-tree volume plugin supports SELinux / `CSIDriver.Spec.SELinuxMountSupported` is explicitly `true`:
             * Kubelet tries to mount the volume for the Pod with given SELinux label using `mount -o context=XYZ`.
                 * Kubelet makes sure the option is passed to the first mount in all in-tree volume plugins (incl. ephemeral volumes like Secrets).
                 * Kubelet passes it as a mount option to all CSI calls for given volume.
@@ -212,7 +231,7 @@ In addition, calling `chcon` there will fail with `Operation not supported`.
                   volume plugin reports an error and kubelet fails to start the pod.
                   It is CSI driver fault that it advertises SELinux support and then fails to apply it.
 
-* Nothing changes when `CSIDriver.Spec.SELinuxMountSupport` is `false` or not set:
+* Nothing changes when `CSIDriver.Spec.SELinuxMountSupported` is `false` or not set:
     * CSI volume plugin calls CSI without any special SELinux mount options and it autodetects, if the volume supports SELinux or not by presence of `seclabel` mount option.
       This is current kubelet behavior.
 
@@ -241,40 +260,40 @@ Only one pod will have access to the volume, this KEP only changes the selection
 The only regression is when two pods with different SELinux context use the same volume, but different SubPath - they were working before, as the container runtime relabeled only the subpaths, now the whole volume must have the same context.
 
 
-### `CSIDriver.Spec.SELinuxMountSupport`
+### `CSIDriver.Spec.SELinuxMountSupported`
 
-The new field `CSIDriver.Spec.SELinuxMountSupport` is important so kubelet knows if mounts of volumes provided by the driver are independent on each other.
+The new field `CSIDriver.Spec.SELinuxMountSupported` is important so kubelet knows if mounts of volumes provided by the driver are independent on each other.
 There are CSI drivers that actually use a single [NFS](https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client)
 or [GlusterFS](https://github.com/kubernetes-incubator/external-storage/tree/master/gluster/glusterfs)
 export and provide subdirectories of this export as individual PVs.
 If kubelet mounts such PV (i.e. a subdirectory) with `-o context=A`, all subsequent mounts of the same NFS/Gluster export must have the same SELinux context, despite being different PVs from Kubernetes perspective.
 
-Since kubelet does not know about such limitation of a CSI driver, `CSIDriver.Spec.SELinuxMountSupport=false` (or `nil`) is needed to turn off mounting with `-o context`.
+Since kubelet does not know about such limitation of a CSI driver, `CSIDriver.Spec.SELinuxMountSupported=false` (or `nil`) is needed to turn off mounting with `-o context`.
 
 ### Examples
 
 Following table captures interaction between actual filesystems on a volume  and newly introduced flags. Hypothetic iscsi and NFS CSI drivers are used as an example of a volume based on a block device and shared filesystem.
 
-| Volume       | CSIDriver.SELinuxMountSupport | Pod.SELinuxRelabelPolicy | mount opts | docker run -v |    |
-|--------------|-------------------------------|--------------------------|------------|---------------|----|
-| iscsi + ext4 | *                             | Always                   | -          | :Z            | 1) |
-|              |                               |                          |            |               |    |
-| iscsi + ext4 | false / nil                   | OnVolumeMount            | -          | :Z            | 2) |
-| iscsi + ext4 | true                          | OnVolumeMount            | -o context | -             | 3) |
-|              |                               |                          |            |               |    |
-| iscsi + ntfs | true                          | OnVolumeMount            | -o context | -             | 3) |
-| iscsi + ntfs | false / nil                   | OnVolumeMount            | -          | -             | 4) |
-| iscsi + ntfs | *                             | Always                   | -          | -             | 5) |
-|              |                               |                          |            |               |    |
-| nfs          | true                          | OnVolumeMount            | -o context | -             | 6) |
-| nfs          | false / nil                   | OnVolumeMount            | -          | -             | 7) |
+| Volume       | CSIDriver.SELinuxMountSupported | Pod.SELinuxRelabelPolicy | mount opts | docker run -v |    |
+|--------------|---------------------------------|--------------------------|------------|---------------|----|
+| iscsi + ext4 | *                               | Always                   | -          | :Z            | 1) |
+|              |                                 |                          |            |               |    |
+| iscsi + ext4 | false / nil                     | OnVolumeMount            | -          | :Z            | 2) |
+| iscsi + ext4 | true                            | OnVolumeMount            | -o context | -             | 3) |
+|              |                                 |                          |            |               |    |
+| iscsi + ntfs | true                            | OnVolumeMount            | -o context | -             | 3) |
+| iscsi + ntfs | false / nil                     | OnVolumeMount            | -          | -             | 4) |
+| iscsi + ntfs | *                               | Always                   | -          | -             | 5) |
+|              |                                 |                          |            |               |    |
+| nfs          | true                            | OnVolumeMount            | -o context | -             | 6) |
+| nfs          | false / nil                     | OnVolumeMount            | -          | -             | 7) |
 
 1) Using `:Z`, because `seclabel` was autodetected in mount options (ext4 supports SELinux).
-2) `OnVolumeMount` is ignored when `SELinuxMountSupport` is `false`.
+2) `OnVolumeMount` is ignored when `SELinuxMountSupported` is `false`.
    While iscsi + ext4 supports `mount -o context`, either cluster admin did not update the CSIDriver yet (upgrading from older cluster) or has another reason for this.
    Using `:Z`, because `seclabel` was autodetected in mount options.
 3) CSI driver supports `-o context` and pod asks for it.
-4) `OnVolumeMount` is ignored when `SELinuxMountSupport` is `false`.
+4) `OnVolumeMount` is ignored when `SELinuxMountSupported` is `false`.
    Using no `:Z`, because `seclabel` was not detected in mount options (ntfs does not support SELinux).
 5) ntfs mount does not have `seclabel` option, so kubelet won’t pass `:Z` to CRI.
 

diff --git a/keps/sig-storage/1710-selinux-relabeling/kep.yaml b/keps/sig-storage/1710-selinux-relabeling/kep.yaml
@@ -0,0 +1,36 @@
+title: Skip SELinux relabeling of volumes
+kep-number: 1710
+authors:
+  - "@jsafrane"
+owning-sig: sig-storage
+participating-sigs:
+  - sig-auth
+  - sig-node
+status: implementable
+creation-date: 2020-02-18
+reviewers:
+  - "@msau42"
+  - "@gnufied"
+  - "@rhatdan"
+  - "@haircommander"
+  - "@saschagrunert"
+  - "@liggit"
+  - "@tallclair"
+approvers:
+  - "@saad-ali"
+see-also:
+  - /keps/sig-storage/20200120-skip-permission-change.md
+#stage: alpha
+latest-milestone: "v1.19"
+milestone:
+  alpha: "v1.19"
+  beta: "v1.20"
+  stable: "v1.22"
+feature-gate:
+  name: SELinuxRelabelPolicy
+  components:
+    - kube-apiserver
+    - kubelet
+rollback-supported: true
+metrics:
+  # TODO: fill at beta