7 Commits

Author SHA1 Message Date
Jan Safranek
052f1fe820 Update tests 2025-02-28 16:42:20 +01:00
Jan Safranek
2050d6fc69 selinux: add a new SELinux translator to the controller
A real SELinuxOptionsToFileLabel function needs access to host's
/etc/selinux to read the defaults. This is not possible in
kube-controller-manager that often runs in a container and does not have
access to /etc on the host. Even if it had, it could run on a different
Linux distro than worker nodes.

Therefore implement a custom SELinuxOptionsToFileLabel that does not
default fields in SELinuxOptions and uses just fields provided by the Pod.

Since the controller cannot default empty SELinux label components,
treat them as incomparable.
Example: "system_u:system_r:container_t:s0:c1,c2" *does not* conflict with ":::s0:c1,c2",
because the node that will run such a Pod may expand ":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2".
However, "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
2025-02-17 13:32:10 +01:00
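The comparison rule this commit message describes, written out as an added Go example (not the Kubernetes controller's own code; the type, parsing helper and function names are assumptions). Empty label components are treated as incomparable, so they never produce a conflict, while two non-empty components that differ do.

```go
package main

import (
	"fmt"
	"strings"
)

// seLinuxLabel holds the four components of an SELinux file label.
// An empty component means the Pod did not specify it; the node would default it,
// so the controller cannot know what it will become.
type seLinuxLabel struct {
	User, Role, Type, Level string
}

// parseLabel splits "user:role:type:level" into components. The level itself
// may contain colons (e.g. "s0:c1,c2"), so only the first three colons split.
func parseLabel(s string) seLinuxLabel {
	parts := strings.SplitN(s, ":", 4)
	for len(parts) < 4 {
		parts = append(parts, "")
	}
	return seLinuxLabel{User: parts[0], Role: parts[1], Type: parts[2], Level: parts[3]}
}

// componentsConflict reports whether two components are known to differ.
// An empty component is incomparable and never conflicts with anything.
func componentsConflict(a, b string) bool {
	return a != "" && b != "" && a != b
}

// labelsConflict reports whether two Pods' labels would conflict on a shared
// volume, using only the fields the Pods provided (no defaulting).
func labelsConflict(a, b string) bool {
	la, lb := parseLabel(a), parseLabel(b)
	return componentsConflict(la.User, lb.User) ||
		componentsConflict(la.Role, lb.Role) ||
		componentsConflict(la.Type, lb.Type) ||
		componentsConflict(la.Level, lb.Level)
}

func main() {
	// Sample labels taken from the commit message above.
	full := "system_u:system_r:container_t:s0:c1,c2"
	for _, other := range []string{":::s0:c1,c2", ":::s0:c98,c99", ""} {
		fmt.Printf("%q vs %q conflict: %v\n", full, other, labelsConflict(full, other))
	}
}
```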
Jan Safranek
8791efc732 Update property name in metrics
selinux_volume_conflict should not have a space in its label value - it's
harder to query for that value. Use SELinuxLabel as both the human-friendly name (in
an event) and the label value.
2024-11-06 11:16:06 +01:00
Jan Safranek
3ff3ed4b6d Add comment how GetPodsForCSIDriver is useful 2024-11-06 11:16:06 +01:00
Jan Safranek
6eab8a8691 Use RWLock for the controller cache
It could help a tiny bit with parallel operations.
2024-11-06 11:16:06 +01:00
Jan Safranek
dfb88095b0 Rename label to seLinuxLabel
In various parameters, variables and fields, to make the name more
obvious.
2024-11-06 11:16:06 +01:00
Jan Safranek
aa8872d7a3 Add SELinux warning controller 2024-11-06 11:16:02 +01:00