Currently, there are some unit tests that are failing on Windows due to
various reasons:
- Windows file permissions do not work the same way as the Linux ones.
- cp does not exist on Windows, and xcopy should be used instead.
- Get-Item does not work for hidden files / folders like AppData, but
works if given the -Force flag.
These host paths have a well known location under /tmp/hostpath_pv
and are therefore safe to be labeled with the shared SELinux label.
Without this label, the mounted volumes cannot be accessed by the
container processes.
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
After the userns PR got merged:
https://github.com/kubernetes/kubernetes/pull/111090
gnufied decided it might be safer if we feature gate this part of the
code, due to the kubelet volume host type assertion.
That is a great catch and this patch just moves the code inside the
feature gate if.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
github.com/opencontainers/selinux/go-selinux needs OS that supports SELinux
and SELinux enabled in it to return useful data, therefore add an interface
in front of it, so we can mock its behavior in unit tests.
In theory the check is not necessary, but for sake of robustness and
completenes, let's check SELinuxMountReadWriteOncePod feature gate before
assuming anything about SELinux labels.
Add a new call to VolumePlugin interface and change all its
implementations.
Kubelet's VolumeManager will be interested whether a volume supports
mounting with -o conext=XYZ or not to hanle SetUp() / MountDevice()
accordingly.
Let volume plugins decide if they want to mount volumes with "-o
context=XYZ" or let the container runtime relabel the volume on container
startup.
Using NewMounter, as it's the call where a volume plugin gets the other MountOptions.
This commit only changes the UID/GID if user namespaces is enabled. When
it is enabled, it changes it so the hostUID and hostGID that are mapped
to the currently used UID/GID. This is needed so volumes are created
with the hostUID/hostGID and the user inside the container can read
them.
If user namespaces are disabled for this pod, this is a no-op: there is
no user namespace mapping, so the hostUID/hostGID are the same as inside
the container.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
In future commits we will need this to set the user/group of supported
volumes of KEP 127 - Phase 1.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Flocker storage plugin removed from k8s codebase.
Flocker, an early external storage plugin in k8s,
has not been in maintenance and their business is
down. As far as I know, the plugin is not being
used anymore.
This PR removes the whole flocker dependency and
codebase from core k8s to reduce potential security
risks and reduce maintenance work from the sig-storage community.
Currently, there are some unit tests that are failing on Windows due to
various reasons:
- volume mounting is a bit different on Windows: Mount will create the
parent dirs and mklink at the volume path later (otherwise mklink will
raise an error).
- os.Chmod is not working as intended on Windows.
- path.Dir() will always return "." on Windows, and filepath.Dir()
should be used instead (which works correctly).
- on Windows, you can't typically run binaries without extensions. If
the file C:\\foo.bat exists, we can still run C:\\foo because Windows
will append one of the supported file extensions ($env:PATHEXT) to it
and run it.
- Windows file permissions do not work the same way as the Linux ones.
- /tmp directory being used, which might not exist on Windows. Instead,
the OS-specific Temp directory should be used.
Fixes a few other issues:
- rbd.go: Return error in a case in which an error is encountered. This
will prevent "rbd: failed to setup" and "rbd: successfully setup" log
messages to be logged at the same time.
