From 7688bc3a7a798ceb697c31ee538f25ff5659780d Mon Sep 17 00:00:00 2001
From: Alexandre Lossent
Date: Mon, 2 Aug 2021 16:57:11 +0200
Subject: [PATCH] cephfs: support selinux mount options
- mount host's /etc/selinux in node plugins
- process mount options in all code paths for cephfs volume options
Signed-off-by: Alexandre Lossent
(cherry picked from commit 5cba04c470d259438f8608af9918d5d3ac338d58)
---
 .../ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml | 6 ++++++
 charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml | 2 ++
 charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml | 6 ++++++
 charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml | 2 ++
 deploy/cephfs/kubernetes/csi-cephfsplugin.yaml | 6 ++++++
 deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml | 2 ++
 deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml | 2 ++
 deploy/rbd/kubernetes/csi-rbdplugin.yaml | 6 ++++++
 internal/cephfs/volumeoptions.go | 8 ++++++++
 9 files changed, 40 insertions(+)
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index a3b435a00..9d518d962 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -112,6 +112,9 @@ spec:
 name: host-mount
 - mountPath: /sys
 name: host-sys
+ - mountPath: /etc/selinux
+ name: etc-selinux
+ readOnly: true
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
@@ -167,6 +170,9 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+ - name: etc-selinux
+ hostPath:
+ path: /etc/selinux
 - name: host-mount
 hostPath:
 path: /run/mount
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
index 3b3d76c84..0a261de84 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
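Review bot: The new `etc-selinux` hostPath volume in the second hunk (`@@ -167,6 +170,9 @@`) carries no `type:`; on a node that has no /etc/selinux at all, an unset hostPath type does not fail the pod and, as far as I recall kubelet's behaviour, creates an empty directory on the host instead, which is a host-side side effect the manifest does not acknowledge. If that is acceptable, `type: DirectoryOrCreate` makes it explicit; otherwise `type: Directory` would surface the missing path at scheduling time on non-SELinux hosts. Either way a one-line comment above the volume, `# read-only view of the host SELinux config, needed for SELinux mount options`, would record why a node plugin needs this host path at all. The same applies to the matching volume definitions in charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml, deploy/cephfs/kubernetes/csi-cephfsplugin.yaml and deploy/rbd/kubernetes/csi-rbdplugin.yaml; the PodSecurityPolicy hunks consistently add the path with `readOnly: true`, matching the `readOnly: true` on the volumeMounts, which is the right scoping.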
@@ -38,6 +38,8 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+ - pathPrefix: '/etc/selinux'
+ readOnly: true
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '{{ .Values.kubeletDir }}'
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index 1371eb7ed..09cde8939 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -106,6 +106,9 @@ spec:
 name: host-mount
 - mountPath: /sys
 name: host-sys
+ - mountPath: /etc/selinux
+ name: etc-selinux
+ readOnly: true
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
@@ -175,6 +178,9 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+ - name: etc-selinux
+ hostPath:
+ path: /etc/selinux
 - name: lib-modules
 hostPath:
 path: /lib/modules
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
index 80a177ed0..fb9313c11 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
@@ -38,6 +38,8 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+ - pathPrefix: '/etc/selinux'
+ readOnly: true
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '{{ .Values.kubeletDir }}'
diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
index fa2223c76..272a02060 100644
--- a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
@@ -84,6 +84,9 @@ spec:
 mountPropagation: "Bidirectional"
 - name: host-sys
 mountPath: /sys
+ - name: etc-selinux
+ mountPath: /etc/selinux
+ readOnly: true
 - name: lib-modules
 mountPath: /lib/modules
 readOnly: true
@@ -137,6 +140,9 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+ - name: etc-selinux
+ hostPath:
+ path: /etc/selinux
 - name: lib-modules
 hostPath:
 path: /lib/modules
diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
index 181925711..9c9b8a5a7 100644
--- a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
+++ b/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
@@ -32,6 +32,8 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+ - pathPrefix: '/etc/selinux'
+ readOnly: true
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '/var/lib/kubelet/pods'
diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
index 31e62ab7f..2df3b6cc4 100644
--- a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
@@ -32,6 +32,8 @@ spec:
 readOnly: false
 - pathPrefix: '/sys'
 readOnly: false
+ - pathPrefix: '/etc/selinux'
+ readOnly: true
 - pathPrefix: '/lib/modules'
 readOnly: true
 - pathPrefix: '/var/lib/kubelet/pods'
diff --git a/deploy/rbd/kubernetes/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
index 3010a00d6..187027d4f 100644
--- a/deploy/rbd/kubernetes/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
@@ -93,6 +93,9 @@ spec:
 name: host-sys
 - mountPath: /run/mount
 name: host-mount
+ - mountPath: /etc/selinux
+ name: etc-selinux
+ readOnly: true
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
@@ -153,6 +156,9 @@ spec:
 - name: host-sys
 hostPath:
 path: /sys
+ - name: etc-selinux
+ hostPath:
+ path: /etc/selinux
 - name: host-mount
 hostPath:
 path: /run/mount
diff --git a/internal/cephfs/volumeoptions.go b/internal/cephfs/volumeoptions.go
index 772dab81b..d07131c08 100644
--- a/internal/cephfs/volumeoptions.go
+++ b/internal/cephfs/volumeoptions.go
@@ -411,6 +411,14 @@ func newVolumeOptionsFromMonitorList(
 }
 }
 
+ if err = extractOptionalOption(&opts.KernelMountOptions, "kernelMountOptions", options); err != nil {
+ return nil, nil, err
+ }
+
+ if err = extractOptionalOption(&opts.FuseMountOptions, "fuseMountOptions", options); err != nil {
+ return nil, nil, err
+ }
+
 if err = extractMounter(&opts.Mounter, options); err != nil {
 return nil, nil, err
 }
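Review bot: The two added `extractOptionalOption` calls copy `kernelMountOptions` and `fuseMountOptions` into `opts` with no validation visible in the hunk, and from the field names these strings presumably end up as mount options handed to the kernel or FUSE mounter; the trust boundary is not recorded anywhere near the code. A short comment above the first call would make it explicit, e.g. `// kernelMountOptions/fuseMountOptions are taken verbatim from the volume parameters and passed through to the mounter; they are expected to be set by the cluster administrator (StorageClass/PV), not by end users.` If the same two keys are also parsed in the other cephfs code path the commit message mentions, a small shared helper taking `opts` and `options` would keep the two key lists from drifting apart. newVolumeOptionsFromMonitorList starts and ends outside the hunk.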