From 8d7842cf8a0ecb7a84a6b923e90b66fe63af0dec Mon Sep 17 00:00:00 2001
From: Matthew Wong
Date: Wed, 6 Sep 2017 11:48:49 -0400
Subject: [PATCH] UPSTREAM: 50843: FlexVolume: Add ability to control 'SupportsSELinux' during driver's init phase

---
 .../pkg/volume/flexvolume/driver-call.go | 28 +++++++++++++-
 .../pkg/volume/flexvolume/mounter-defaults.go | 2 +-
 .../pkg/volume/flexvolume/plugin.go | 37 ++++++-------------
 3 files changed, 40 insertions(+), 27 deletions(-)

diff --git a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/driver-call.go b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/driver-call.go
index 86644fc21ba9..0267fb88ed64 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/driver-call.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/driver-call.go
@@ -59,7 +59,8 @@ const (
 	optionKeyServiceAccountName = "kubernetes.io/serviceAccount.name"
-	attachCapability = "attach"
+	attachCapability = "attach"
+	selinuxRelabelCapability = "selinuxRelabel"
 )
 const (
@@ -82,6 +83,11 @@ type DriverCall struct {
 	args []string
 }
+type driverCapabilities struct {
+	attach bool
+	selinuxRelabel bool
+}
+
 func (plugin *flexVolumePlugin) NewDriverCall(command string) *DriverCall {
 	return plugin.NewDriverCallWithTimeout(command, 0)
 }
@@ -235,3 +241,23 @@ func handleCmdResponse(cmd string, output []byte) (*DriverStatus, error) {
 	return &status, nil
 }
+
+// getDriverCapabilities returns the reported capabilities as returned by driver's init() function
+func (ds *DriverStatus) getDriverCapabilities() *driverCapabilities {
+	driverCaps := &driverCapabilities{
+		attach: true,
+		selinuxRelabel: true,
+	}
+
+	// Check if driver supports SELinux Relabeling of mounted volume
+	if dcap, ok := ds.Capabilities[selinuxRelabelCapability]; ok {
+		driverCaps.selinuxRelabel = dcap
+	}
+
+	// Check whether the plugin is attachable.
+	if dcap, ok := ds.Capabilities[attachCapability]; ok {
+		driverCaps.attach = dcap
+	}
+
+	return driverCaps
+}
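Review bot: The doc comment on getDriverCapabilities does not say that unreported capabilities default to true, which is exactly what the two lookups below the struct literal implement and the reason an existing driver keeps SupportsSELinux: true without any change on its side. A driver therefore has to report the selinuxRelabel capability as false explicitly to opt out of SELinux relabeling, and that contract belongs where the defaults are set rather than in the caller. Suggested comment in place of the current one: `// getDriverCapabilities returns the capabilities reported by the driver's init() call. Any capability the driver does not report defaults to true (attachable, SELinux relabeling supported), so a driver must explicitly report the capability as false to opt out.` The lookup order (selinuxRelabel before attach) is the reverse of the field order in driverCapabilities; matching them would make the function easier to scan.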
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter-defaults.go b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter-defaults.go
index a8586b46ec93..a3996d4da3ca 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter-defaults.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter-defaults.go
@@ -47,7 +47,7 @@ func (f *mounterDefaults) GetAttributes() volume.Attributes {
 	return volume.Attributes{
 		ReadOnly: f.readOnly,
 		Managed: !f.readOnly,
-		SupportsSELinux: true,
+		SupportsSELinux: f.flexVolume.plugin.capabilities.selinuxRelabel,
 	}
 }
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/plugin.go b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/plugin.go
index d79c63c9bc9d..c4e1e4bd31eb 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/plugin.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/plugin.go
@@ -42,6 +42,7 @@ type flexVolumePlugin struct {
 	runner exec.Interface
 	sync.Mutex
+	capabilities *driverCapabilities
 	unsupportedCommands []string
 }
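Review bot: `f.flexVolume.plugin.capabilities` is a pointer that is only populated in NewFlexVolumePlugin, so the added SupportsSELinux line dereferences nil for any flexVolumePlugin built another way (anything in the package that constructs the struct directly, tests for instance), turning an attribute lookup that previously could not fail into a panic. Guard it and keep the previous default of true: add `caps := f.flexVolume.plugin.capabilities` before the return and use `SupportsSELinux: caps == nil || caps.selinuxRelabel,` in place of the added line. Storing the capabilities by value with an explicit default would also work, but the nil guard is the smaller change and keeps the "unreported means true" semantics in one place. GetAttributes ends at the closing brace inside the hunk.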
@@ -64,44 +65,30 @@ func NewFlexVolumePlugin(pluginDir, name string) (volume.VolumePlugin, error) {
 		unsupportedCommands: []string{},
 	}
-	// Check whether the plugin is attachable.
-	ok, err := isAttachable(flexPlugin)
+	// Retrieve driver reported capabilities
+	call := flexPlugin.NewDriverCall(initCmd)
+	ds, err := call.Run()
 	if err != nil {
 		return nil, err
 	}
-	if ok {
-		// Plugin supports attach/detach, so return flexVolumeAttachablePlugin
+	driverCaps := ds.getDriverCapabilities()
+	flexPlugin.capabilities = driverCaps
+
+	// Check whether the plugin is attachable.
+	if driverCaps.attach {
+		// Plugin supports attach/detach by default, so return flexVolumeAttachablePlugin
 		return &flexVolumeAttachablePlugin{flexVolumePlugin: flexPlugin}, nil
 	} else {
 		return flexPlugin, nil
 	}
 }
-func isAttachable(plugin *flexVolumePlugin) (bool, error) {
-	call := plugin.NewDriverCall(initCmd)
-	res, err := call.Run()
-	if err != nil {
-		return false, err
-	}
-
-	// By default all plugins are attachable, unless they report otherwise.
-	cap, ok := res.Capabilities[attachCapability]
-	if ok {
-		// cap is false, so plugin does not support attach/detach calls.
-		return cap, nil
-	}
-
-	return true, nil
-}
-
 // Init is part of the volume.VolumePlugin interface.
 func (plugin *flexVolumePlugin) Init(host volume.VolumeHost) error {
 	plugin.host = host
-	// call the init script
-	call := plugin.NewDriverCall(initCmd)
-	_, err := call.Run()
-	return err
+	// Hardwired 'success' as any errors from calling init() will be caught by NewFlexVolumePlugin()
+	return nil
 }
 func (plugin *flexVolumePlugin) getExecutable() string {
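Review bot: The added `if driverCaps.attach {` keeps the `} else {` that follows it even though the first branch returns, which staticcheck and golint both flag; since this branch is being rewritten anyway, drop the else and end the function with an unindented `return flexPlugin, nil`. The new comment `// Plugin supports attach/detach by default, so return flexVolumeAttachablePlugin` is also slightly misleading, because this branch is taken whether attach is true by default or reported explicitly; `// Plugin supports attach/detach (the default unless the driver reports otherwise), so return flexVolumeAttachablePlugin` says what the condition actually tests. In Init, the hardwired comment could additionally note that the driver's init() now runs once, in NewFlexVolumePlugin, before Init(host) is ever called and thus before plugin.host is set — the removed isAttachable already ran it at that point, so this is not a regression, but it is the kind of ordering a future maintainer would want stated. NewFlexVolumePlugin begins above the hunk.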