rebase: update kubernetes to v1.25.0

update kubernetes to latest v1.25.0 release. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2022-08-24 07:54:25 +05:30
parent f47839d73d
commit e3bf375035
645 changed files with 42507 additions and 9219 deletions
--- a/vendor/k8s.io/kubernetes/pkg/volume/util/selinux.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/util/selinux.go
@ -0,0 +1,198 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+
+	"github.com/opencontainers/selinux/go-selinux"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	v1 "k8s.io/api/core/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/volume"
+)
+
+// SELinuxLabelTranslator translates v1.SELinuxOptions of a process to SELinux file label.
+type SELinuxLabelTranslator interface {
+	// SELinuxOptionsToFileLabel returns SELinux file label for given SELinuxOptions
+	// of a container process.
+	// When Role, User or Type are empty, they're read from the system defaults.
+	// It returns "" and no error on platforms that do not have SELinux enabled
+	// or don't support SELinux at all.
+	SELinuxOptionsToFileLabel(opts *v1.SELinuxOptions) (string, error)
+
+	// SELinuxEnabled returns true when the OS has enabled SELinux support.
+	SELinuxEnabled() bool
+}
+
+// Real implementation of the interface.
+// On Linux with SELinux enabled it translates. Otherwise it always returns an empty string and no error.
+type translator struct{}
+
+var _ SELinuxLabelTranslator = &translator{}
+
+// NewSELinuxLabelTranslator returns new SELinuxLabelTranslator for the platform.
+func NewSELinuxLabelTranslator() SELinuxLabelTranslator {
+	return &translator{}
+}
+
+// SELinuxOptionsToFileLabel returns SELinux file label for given SELinuxOptions
+// of a container process.
+// When Role, User or Type are empty, they're read from the system defaults.
+// It returns "" and no error on platforms that do not have SELinux enabled
+// or don't support SELinux at all.
+func (l *translator) SELinuxOptionsToFileLabel(opts *v1.SELinuxOptions) (string, error) {
+	if opts == nil {
+		return "", nil
+	}
+
+	args := contextOptions(opts)
+	if len(args) == 0 {
+		return "", nil
+	}
+
+	processLabel, fileLabel, err := label.InitLabels(args)
+	if err != nil {
+		// In theory, this should be unreachable. InitLabels can fail only when args contain an unknown option,
+		// and all options returned by contextOptions are known.
+		return "", err
+	}
+	// InitLabels() may allocate a new unique SELinux label in kubelet memory. The label is *not* allocated
+	// in the container runtime. Clear it to avoid memory problems.
+	// ReleaseLabel on non-allocated label is NOOP.
+	selinux.ReleaseLabel(processLabel)
+
+	return fileLabel, nil
+}
+
+// Convert SELinuxOptions to []string accepted by label.InitLabels
+func contextOptions(opts *v1.SELinuxOptions) []string {
+	if opts == nil {
+		return nil
+	}
+	args := make([]string, 0, 3)
+	if opts.User != "" {
+		args = append(args, "user:"+opts.User)
+	}
+	if opts.Role != "" {
+		args = append(args, "role:"+opts.Role)
+	}
+	if opts.Type != "" {
+		args = append(args, "type:"+opts.Type)
+	}
+	if opts.Level != "" {
+		args = append(args, "level:"+opts.Level)
+	}
+	return args
+}
+
+func (l *translator) SELinuxEnabled() bool {
+	return selinux.GetEnabled()
+}
+
+// Fake implementation of the interface for unit tests.
+type fakeTranslator struct{}
+
+var _ SELinuxLabelTranslator = &fakeTranslator{}
+
+// NewFakeSELinuxLabelTranslator returns a fake translator for unit tests.
+// It imitates a real translator on platforms that do not have SELinux enabled
+// or don't support SELinux at all.
+func NewFakeSELinuxLabelTranslator() SELinuxLabelTranslator {
+	return &fakeTranslator{}
+}
+
+// SELinuxOptionsToFileLabel returns SELinux file label for given options.
+func (l *fakeTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinuxOptions) (string, error) {
+	if opts == nil {
+		return "", nil
+	}
+	// Fill empty values from "system defaults" (taken from Fedora Linux).
+	user := opts.User
+	if user == "" {
+		user = "system_u"
+	}
+
+	role := opts.Role
+	if role == "" {
+		role = "object_r"
+	}
+
+	// opts is context of the *process* to run in a container. Translate
+	// process type "container_t" to file label type "container_file_t".
+	// (The rest of the context is the same for processes and files).
+	fileType := opts.Type
+	if fileType == "" || fileType == "container_t" {
+		fileType = "container_file_t"
+	}
+
+	level := opts.Level
+	if level == "" {
+		// If empty, level is allocated randomly.
+		level = "s0:c998,c999"
+	}
+
+	ctx := fmt.Sprintf("%s:%s:%s:%s", user, role, fileType, level)
+	return ctx, nil
+}
+
+func (l *fakeTranslator) SELinuxEnabled() bool {
+	return true
+}
+
+// SupportsSELinuxContextMount checks if the given volumeSpec supports with mount -o context
+func SupportsSELinuxContextMount(volumeSpec *volume.Spec, volumePluginMgr *volume.VolumePluginMgr) (bool, error) {
+	plugin, _ := volumePluginMgr.FindPluginBySpec(volumeSpec)
+	if plugin != nil {
+		return plugin.SupportsSELinuxContextMount(volumeSpec)
+	}
+
+	return false, nil
+}
+
+// VolumeSupportsSELinuxMount returns true if given volume access mode can support mount with SELinux mount options.
+func VolumeSupportsSELinuxMount(volumeSpec *volume.Spec) bool {
+	// Right now, SELinux mount is supported only for ReadWriteOncePod volumes.
+	if !utilfeature.DefaultFeatureGate.Enabled(features.ReadWriteOncePod) {
+		return false
+	}
+	if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		return false
+	}
+	if volumeSpec.PersistentVolume == nil {
+		return false
+	}
+	if len(volumeSpec.PersistentVolume.Spec.AccessModes) != 1 {
+		return false
+	}
+	if !v1helper.ContainsAccessMode(volumeSpec.PersistentVolume.Spec.AccessModes, v1.ReadWriteOncePod) {
+		return false
+	}
+	return true
+}
+
+// AddSELinuxMountOption adds -o context="XYZ" mount option to a given list
+func AddSELinuxMountOption(options []string, seLinuxContext string) []string {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		return options
+	}
+	// Use double quotes to support a comma "," in the SELinux context string.
+	// For example: dirsync,context="system_u:object_r:container_file_t:s0:c15,c25",noatime
+	return append(options, fmt.Sprintf("context=%q", seLinuxContext))
+}