From fb838f9e7ded1b02ed61b62a2f70d700b774ee84 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Tue, 12 May 2020 11:02:24 +0200
Subject: [PATCH] Rework to new KEP directory and yaml metadata

---
 .../README.md} | 71 ++++++++++++-------
 .../1710-selinux-relabeling/kep.yaml | 36 ++++++++++
 2 files changed, 81 insertions(+), 26 deletions(-)
 rename keps/sig-storage/{20200319-selinux-relabeling.md => 1710-selinux-relabeling/README.md} (88%)
 create mode 100644 keps/sig-storage/1710-selinux-relabeling/kep.yaml

diff --git a/keps/sig-storage/20200319-selinux-relabeling.md b/keps/sig-storage/1710-selinux-relabeling/README.md
similarity index 88%
rename from keps/sig-storage/20200319-selinux-relabeling.md
rename to keps/sig-storage/1710-selinux-relabeling/README.md
index e71dd19cfbb8..ea05a0769b5b 100644
--- a/keps/sig-storage/20200319-selinux-relabeling.md
+++ b/keps/sig-storage/1710-selinux-relabeling/README.md
@@ -8,19 +8,38 @@ participating-sigs:
   - sig-node
 reviewers:
   - "@msau42"
+  - "@gnufied"
+  - "@rhatdan"
+  - "@haircommander"
+  - "@saschagrunert"
   - "@liggit"
   - "@tallclair"
 approvers:
   - "@saad-ali"
 editor: TBD
 creation-date: 2020-02-18
-last-updated: 2020-02-18
-status: provisional
+last-updated: 2020-05-12
+status: implementable
 see-also:
   - /keps/sig-storage/20200120-skip-permission-change.md
 replaces:
 superseded-by:
+stage: alpha
+latest-milestone: "v1.19"
+milestone:
+  alpha: "v1.19"
+  beta: "v1.20"
+  stable: "v1.22"
+feature-gate:
+  name: SELinuxRelabelPolicy
+  components:
+    - kube-apiserver
+    - kubelet
+rollback-supported: true
+metrics:
+  # TODO: fill at beta
+
 
 ---
 
 # Skip SELinux relabeling of volumes
@@ -41,7 +60,7 @@ superseded-by:
     - [mount -o context](#)
     - [New Kubernetes behavior](#new-kubernetes-behavior)
       - [Shared volumes](#shared-volumes)
-      - [CSIDriver.Spec.SELinuxMountSupport](#-1)
+      - [CSIDriver.Spec.SELinuxMountSupported](#-1)
     - [Examples](#examples)
   - [User Stories [optional]](#user-stories-optional)
     - [Story 1](#story-1)
@@ -64,7 +83,7 @@ superseded-by:
 
 ## Release Signoff Checklist
 
-- [ ] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)
+- [x] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)
 - [ ] KEP approvers have set the KEP status to `implementable`
 - [ ] Design details are appropriately documented
 - [ ] Test plan is in place, giving consideration to SIG Architecture and SIG Testing input
@@ -167,7 +186,7 @@ In order to allow `SELinuxRelabelPolicy: OnVolumeMount` for volumes provided by
 // CSIDriverSpec is the specification of a CSIDriver.
 type CSIDriverSpec struct {
-	// seLinuxMountSupport specifies if the CSI driver supports "-o context"
+	// SELinuxMountSupported specifies if the CSI driver supports "-o context"
 	// mount option.
 	//
 	// When "true", Kubernetes may call NodeStage / NodePublish with "-o context=xyz" mount
@@ -178,7 +197,7 @@ type CSIDriverSpec struct {
 	// podSecurityContext.seLinuxRelabelPolicy "OnVolumeMount" is silently ignored.
 	//
 	// Default is "false".
-	SELinuxMountSupport *bool;
+	SELinuxMountSupporteded *bool;
 	...
 }
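Review bot: The field declaration on the last changed line of the `CSIDriverSpec` hunk is misspelled as `SELinuxMountSupporteded`, while the doc comment directly above it, the TOC entry and every prose reference in this patch use `SELinuxMountSupported`; anyone transcribing this API sketch into a real types file will carry the typo into the API. The line should read `SELinuxMountSupported *bool`, and the trailing `;` should go with it, since it is not idiomatic Go and gofmt would strip it. The struct body shown is an excerpt (`...` stands in for the remaining fields), and the fields between the two Go hunks are not visible here.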
@@ -202,7 +221,7 @@ In addition, calling `chcon` there will fail with `Operation not supported`.
 
 * If kubelet *knows* SELinux context of a pod / container to run (i.e. Pod/Container contains at least `SELinuxOptions.Level`):
   * And pod's `SELinuxRelabelPolicy` is `OnVolumeMount`:
-    * And if the in-tree volume plugin supports SELinux / `CSIDriver.Spec.SELinuxMountSupport` is explicitly `true`:
+    * And if the in-tree volume plugin supports SELinux / `CSIDriver.Spec.SELinuxMountSupported` is explicitly `true`:
       * Kubelet tries to mount the volume for the Pod with given SELinux label using `mount -o context=XYZ`.
       * Kubelet makes sure the option is passed to the first mount in all in-tree volume plugins (incl. ephemeral volumes like Secrets).
       * Kubelet passes it as a mount option to all CSI calls for given volume.
@@ -212,7 +231,7 @@ In addition, calling `chcon` there will fail with `Operation not supported`.
   volume plugin reports an error and kubelet fails to start the pod.
   It is CSI driver fault that it advertises SELinux support and then fails to apply it.
 
-* Nothing changes when `CSIDriver.Spec.SELinuxMountSupport` is `false` or not set:
+* Nothing changes when `CSIDriver.Spec.SELinuxMountSupported` is `false` or not set:
   * CSI volume plugin calls CSI without any special SELinux mount options and it autodetects, if the volume supports SELinux or not by presence of `seclabel` mount option. This is current kubelet behavior.
 
@@ -241,40 +260,40 @@ Only one pod will have access to the volume, this KEP only changes the selection
 The only regression is when two pods with different SELinux context use the same volume, but different SubPath - they were working before, as the container runtime relabeled only the subpaths, now the whole volume must have the same context.
 
-### `CSIDriver.Spec.SELinuxMountSupport`
+### `CSIDriver.Spec.SELinuxMountSupported`
 
-The new field `CSIDriver.Spec.SELinuxMountSupport` is important so kubelet knows if mounts of volumes provided by the driver are independent on each other.
+The new field `CSIDriver.Spec.SELinuxMountSupported` is important so kubelet knows if mounts of volumes provided by the driver are independent on each other.
 There are CSI drivers that actually use a single [NFS](https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client) or [GlusterFS](https://github.com/kubernetes-incubator/external-storage/tree/master/gluster/glusterfs) export and provide subdirectories of this export as individual PVs.
 If kubelet mounts such PV (i.e. a subdirectory) with `-o context=A`, all subsequent mounts of the same NFS/Gluster export must have the same SELinux context, despite being different PVs from Kubernetes perspective.
-Since kubelet does not know about such limitation of a CSI driver, `CSIDriver.Spec.SELinuxMountSupport=false` (or `nil`) is needed to turn off mounting with `-o context`.
+Since kubelet does not know about such limitation of a CSI driver, `CSIDriver.Spec.SELinuxMountSupported=false` (or `nil`) is needed to turn off mounting with `-o context`.
 
 ### Examples
 
 Following table captures interaction between actual filesystems on a volume and newly introduced flags. Hypothetic iscsi and NFS CSI drivers are used as an example of a volume based on a block device and shared filesystem.
 
-| Volume | CSIDriver.SELinuxMountSupport | Pod.SELinuxRelabelPolicy | mount opts | docker run -v | |
-|--------------|-------------------------------|--------------------------|------------|---------------|----|
-| iscsi + ext4 | * | Always | - | :Z | 1) |
-| | | | | | |
-| iscsi + ext4 | false / nil | OnVolumeMount | - | :Z | 2) |
-| iscsi + ext4 | true | OnVolumeMount | -o context | - | 3) |
-| | | | | | |
-| iscsi + ntfs | true | OnVolumeMount | -o context | - | 3) |
-| iscsi + ntfs | false / nil | OnVolumeMount | - | - | 4) |
-| iscsi + ntfs | * | Always | - | - | 5) |
-| | | | | | |
-| nfs | true | OnVolumeMount | -o context | - | 6) |
-| nfs | false / nil | OnVolumeMount | - | - | 7) |
+| Volume | CSIDriver.SELinuxMountSupported | Pod.SELinuxRelabelPolicy | mount opts | docker run -v | |
+|--------------|---------------------------------|--------------------------|------------|---------------|----|
+| iscsi + ext4 | * | Always | - | :Z | 1) |
+| | | | | | |
+| iscsi + ext4 | false / nil | OnVolumeMount | - | :Z | 2) |
+| iscsi + ext4 | true | OnVolumeMount | -o context | - | 3) |
+| | | | | | |
+| iscsi + ntfs | true | OnVolumeMount | -o context | - | 3) |
+| iscsi + ntfs | false / nil | OnVolumeMount | - | - | 4) |
+| iscsi + ntfs | * | Always | - | - | 5) |
+| | | | | | |
+| nfs | true | OnVolumeMount | -o context | - | 6) |
+| nfs | false / nil | OnVolumeMount | - | - | 7) |
 
 1) Using `:Z`, because `seclabel` was autodetected in mount options (ext4 supports SELinux).
-2) `OnVolumeMount` is ignored when `SELinuxMountSupport` is `false`.
+2) `OnVolumeMount` is ignored when `SELinuxMountSupported` is `false`.
    While iscsi + ext4 supports `mount -o context`, either cluster admin did not update the CSIDriver yet (upgrading from older cluster) or has another reason for this.
    Using `:Z`, because `seclabel` was autodetected in mount options.
 3) CSI driver supports `-o context` and pod asks for it.
-4) `OnVolumeMount` is ignored when `SELinuxMountSupport` is `false`.
+4) `OnVolumeMount` is ignored when `SELinuxMountSupported` is `false`.
    Using no `:Z`, because `seclabel` was not detected in mount options (ntfs does not support SELinux).
 5) ntfs mount does not have `seclabel` option, so kubelet won’t pass `:Z` to CRI.
diff --git a/keps/sig-storage/1710-selinux-relabeling/kep.yaml b/keps/sig-storage/1710-selinux-relabeling/kep.yaml
new file mode 100644
index 000000000000..d7d66d65551a
--- /dev/null
+++ b/keps/sig-storage/1710-selinux-relabeling/kep.yaml
@@ -0,0 +1,36 @@
+title: Skip SELinux relabeling of volumes
+kep-number: 1710
+authors:
+  - "@jsafrane"
+owning-sig: sig-storage
+participating-sigs:
+  - sig-auth
+  - sig-node
+status: implementable
+creation-date: 2020-02-18
+reviewers:
+  - "@msau42"
+  - "@gnufied"
+  - "@rhatdan"
+  - "@haircommander"
+  - "@saschagrunert"
+  - "@liggit"
+  - "@tallclair"
+approvers:
+  - "@saad-ali"
+see-also:
+  - /keps/sig-storage/20200120-skip-permission-change.md
+#stage: alpha
+latest-milestone: "v1.19"
+milestone:
+  alpha: "v1.19"
+  beta: "v1.20"
+  stable: "v1.22"
+feature-gate:
+  name: SELinuxRelabelPolicy
+  components:
+    - kube-apiserver
+    - kubelet
+rollback-supported: true
+metrics:
+  # TODO: fill at beta
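Review bot: In the new kep.yaml the `#stage: alpha` line is commented out, while the README.md front matter added by the same patch declares `stage: alpha` alongside the identical `latest-milestone: "v1.19"` and `milestone:` block, so the two metadata sources now disagree and any tooling that reads kep.yaml sees no stage at all. If alpha in v1.19 is the intent, uncomment it: `stage: alpha`. If it was left out on purpose (for example because a metadata validator rejected it at the time), a one-line comment such as `# stage: intentionally unset until the KEP template accepts it` would stop the next editor from silently re-adding it. The `metrics:` key is also left with only a comment beneath it, which YAML reads as a null value; that is presumably tolerated by the template, but worth confirming before beta.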