[sig-storage] Run storage e2e test_client_pod as privileged #104551
Conversation
IIRC privileged containers don't get to bypass SELinux policies. So if SELinux was blocking them before, it will block them after. Please test carefully before going ahead with this approach.
@gnufied I have tested this on a cluster with SELinux enabled and the test passed successfully.
/ok-to-test
@@ -511,8 +511,9 @@ func TestVolumeClientSlow(f *framework.Framework, config TestConfig, fsGroup *in | |||
} | |||
|
|||
func testVolumeClient(f *framework.Framework, config TestConfig, fsGroup *int64, fsType string, tests []Test, slow bool) { | |||
privileged := true |
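Review bot: `privileged := true` at the top of testVolumeClient makes every client pod in the storage e2e suite privileged, not only the hostPath case that hits the SELinux permission denied on the host /tmp directory. Gate it on the hostPath plugin (via config.Prefix, or a flag in the plugin definition as suggested below) and add a comment stating the SELinux reason, so the other plugins keep running their client pod unprivileged and the tests still exercise that path.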
@Elbehery, thank you for working on this.
I have a question for you. Although this fixes the issue, could you check if you can set privileged = true
only when the HostPath plugin is being used? Perhaps we could add a flag for that in the plugin definition.
The idea is to avoid always going privileged. Thanks!
@bertinatto I have adjusted the fix to use privileged only for this scenario.
cc @vrutkovs
4f373a7 to 775a853
|
||
if (config.Prefix == "hostpathsymlink" || config.Prefix == "hostpath") && podSuffix == "client" { | ||
privileged = true | ||
} |
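Review bot: the `podSuffix == "client"` clause is redundant and the condition carries no explanation. The pod that writes the content to the host /tmp directory is already privileged (as the discussion below notes), so the check can be just `config.Prefix == "hostpathsymlink" || config.Prefix == "hostpath"`, and a comment above it should state that an unprivileged client pod gets permission denied reading the hostPath volume when SELinux is enabled on the host.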
@Elbehery could you add a comment stating why you're making it privileged on hostpath? The explanation from the PR description looks good to me 😉
Also, I think you can remove the last condition (podSuffix == "client").
@bertinatto sure, I'll add the comment 👍🏽 ..
Just about the podSuffix == "client" condition: the test fails because the client-pod cannot read the data on the mounted volume when SELinux is enabled, and this condition will minimise the number of privileged pods.
Shall I remove it or leave it?
As we spoke offline, the pod that writes the content is already privileged (that's the reason it's able to write to the host's /tmp directory). IMO we can safely remove podSuffix == "client".
yes I removed it already in the most recent commit 👍🏽
775a853 to 01b6743
@bertinatto I have added a comment and updated the commit msg
01b6743 to 8a5a9bb
hostPath volume plugin creates a directory within /tmp on the host machine, to be mounted as a volume. inject-pod writes content to the volume, and a client-pod tries to read the contents and verify them. When SELinux is enabled on the host, client-pod cannot read the content, with permission denied. Run the client-pod as privileged, so that it can access the volume content, even when SELinux is enabled on the host.
8a5a9bb to 04ad18c
/lgtm
/assign @jsafrane
/approve
/release-notes-none |
…age-client-1.20 Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
…age-client-1.21 Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
…age-client Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
What type of PR is this?
/kind bug
/kind storage
/kind failing-test
What this PR does / why we need it:
Fix running storage e2e tests in SELinux environment.
HostPath Volume Plugin creates a directory within /tmp on the host machine, to be mounted as a volume. Usually, Inject-pod writes content to the volume, and a Client-pod tries to read the contents and verify them. When SELinux is enabled on the host, Client-pod cannot read the content, with permission denied. This PR runs the Client-pod as privileged, so that it can access the volume content, even when SELinux is enabled on the host.
Which issue(s) this PR fixes:
Fixes #84585
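As an added example, not code from this PR or from the Kubernetes repository: a small Go check that encodes the rule the reviewers settled on above, that a privileged container is only justified when the pod actually mounts a hostPath volume (the SELinux permission denied on the host /tmp directory is the one reason given for going privileged). It parses a pod manifest as JSON with the standard library only; the struct types are simplified stand-ins for the corev1 fields (assumed to carry the same JSON tags), and both manifests are constructed samples, not pods from the e2e suite.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the corev1 Pod fields this check needs. Assumption:
// the JSON tags mirror k8s.io/api/core/v1, which is deliberately not imported
// so the example runs offline with the standard library only.
type (
	hostPathSource struct {
		Path string `json:"path"`
	}
	volume struct {
		Name     string          `json:"name"`
		HostPath *hostPathSource `json:"hostPath,omitempty"`
	}
	securityContext struct {
		Privileged *bool `json:"privileged,omitempty"`
	}
	volumeMount struct {
		Name string `json:"name"`
	}
	container struct {
		Name            string           `json:"name"`
		SecurityContext *securityContext `json:"securityContext,omitempty"`
		VolumeMounts    []volumeMount    `json:"volumeMounts,omitempty"`
	}
	podSpec struct {
		Containers []container `json:"containers"`
		Volumes    []volume    `json:"volumes,omitempty"`
	}
	pod struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec podSpec `json:"spec"`
	}
)

// UnjustifiedPrivileged returns the names of containers that run privileged
// without mounting any hostPath volume. For those, the hostPath-under-SELinux
// rationale does not apply, so they should run unprivileged.
func UnjustifiedPrivileged(p pod) []string {
	hostPathVols := map[string]bool{}
	for _, v := range p.Spec.Volumes {
		if v.HostPath != nil {
			hostPathVols[v.Name] = true
		}
	}
	var flagged []string
	for _, c := range p.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil || sc.Privileged == nil || !*sc.Privileged {
			continue // not privileged, nothing to justify
		}
		mountsHostPath := false
		for _, m := range c.VolumeMounts {
			if hostPathVols[m.Name] {
				mountsHostPath = true
				break
			}
		}
		if !mountsHostPath {
			flagged = append(flagged, c.Name)
		}
	}
	return flagged
}

// CheckManifest parses a JSON pod manifest and runs the check on it.
func CheckManifest(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse pod manifest: %w", err)
	}
	return UnjustifiedPrivileged(p), nil
}

// Constructed sample manifests (not from the e2e suite). HostPathClient has the
// shape of the fixed test: a privileged client reading a hostPath volume.
// EmptyDirClient is privileged while mounting only an emptyDir, so it is flagged.
var HostPathClient = []byte(`{
  "metadata": {"name": "hostpath-client"},
  "spec": {
    "volumes": [{"name": "vol", "hostPath": {"path": "/tmp/hostpath-e2e"}}],
    "containers": [{"name": "client",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "vol"}]}]
  }
}`)

var EmptyDirClient = []byte(`{
  "metadata": {"name": "emptydir-client"},
  "spec": {
    "volumes": [{"name": "vol", "emptyDir": {}}],
    "containers": [{"name": "client",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "vol"}]}]
  }
}`)

func main() {
	for _, m := range [][]byte{HostPathClient, EmptyDirClient} {
		flagged, err := CheckManifest(m)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("unjustified privileged containers: %v\n", flagged)
	}
}
```

The check keys on the hostPath volume source, not on a name prefix, so it generalises beyond the `hostpath`/`hostpathsymlink` prefixes used in the test config; a test helper or admission webhook that wanted to enforce the same least-privilege rule could apply it to any pod spec before creation.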