play kube selinux label issue #9205
play kube function not respecting selinux options in kube yaml, all options were being mapped to role. fixes issue 8710 Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
Nice catch.
Nice catch. @containers/podman-maintainers PTAL
Code changes LGTM
Would like to get this in for 3.0 final
LGTM
test case added to e2e test suite to validate process label being correctly set on play kube Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
@rhatdan have added an additional test case to play_kube_test to test this, it's not pretty but validates that the process label is set correctly
Fixes: #8710
test/e2e/play_kube_test.go
Outdated
inspect.WaitWithDefaultTimeout() | ||
label := inspect.OutputToString() | ||
|
||
Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0")) |
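Review bot: The `ContainSubstring("nconfined_u:system_r:spc_t:s0")` assertion is too loose to catch a wrong label prefix: the string as written is itself a substring of `unconfined_u:system_r:spc_t:s0`, so the check passes with or without the leading `u`. If the inspect format prints only the process label, compare the trimmed output against the full expected label with an exact matcher such as `Equal`, so that a label that differs in the user field fails the test.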
Missing a u
unconfined_u
sorry my bad, have just corrected
LGTM
fixed typo in the label comparison Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
@@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() { | |||
|
|||
}) | |||
|
|||
It("podman play kube fail with custom selinux label", func() { |
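Review bot: The test title in `It("podman play kube fail with custom selinux label", ...)` says "fail", while the commit message describes this case as validating that the process label is set correctly. Rename it to state what is asserted, for example "podman play kube with custom selinux label", so a failure in the CI report reads unambiguously.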
You need to add:
if !selinux.GetEnabled() {
    Skip("SELinux not enabled")
}
sorry hadn't considered cases where selinux is not enabled, have updated the test
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan, st1971 The full list of commands accepted by this bot can be found here. The pull request process is described here
@@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() { | |||
|
|||
}) | |||
|
|||
It("podman play kube fail with custom selinux label", func() { |
You have to add this to get past the CI:
if !selinux.GetEnabled() {
    Skip("SELinux not enabled")
}
And make sure you import github.com/opencontainers/selinux/go-selinux at the top.
The test doesn't work on systems without SELinux support like Ubuntu.
sorry hadn't considered cases where selinux is not enabled, have updated the test
added skip to test case where selinux not enabled Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
/lgtm
Thanks @st1971
/hold cancel