feat(csidriver): declare seLinuxMount support #598
Conversation
Signed-off-by: Carlos Jorge <carlos@graphops.xyz>
| @@ -8,3 +8,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: {{ .Values.feature.storageCapacity }} | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
Maybe set this via helm variable?
There was a problem hiding this comment.
moreover if this is supported in Kubernetes version ≥ 1.27 then why are we setting it to true as default
There was a problem hiding this comment.
It seems to be accepted from 1.25.x, so I suggest this:
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
| --- | ||
| title: SELinux Mount Support for LocalPV-ZFS | ||
| authors: | ||
| - "@cjorge-graphops" | ||
| creation-date: 2024-11-01 | ||
| last-updated: 2024-11-01 | ||
| --- |
There was a problem hiding this comment.
@tiagolobocastro Should this be here?
There was a problem hiding this comment.
You mean vs the root openebs? Seems we already have pv-migration here in this repo as well.
So basically, going forward do we want to keep designs per repo or on umbrella repo? CC @avishnu
There was a problem hiding this comment.
Let's just keep it here for now.
Let's discuss on the next maintainers call on how to organize these better.
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## develop #598 +/- ##
===========================================
- Coverage 96.37% 95.99% -0.38%
===========================================
Files 1 1
Lines 496 574 +78
===========================================
+ Hits 478 551 +73
- Misses 14 19 +5
Partials 4 4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| - Pod must specify SELinux level | ||
| - PV must be RWOP. | ||
|
|
||
| Note: I'm unsure this is necessary or makes sense to document, thoughts? |
There was a problem hiding this comment.
Yes I think it's good to document the requirements.
| @@ -2787,3 +2787,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: true | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
| @@ -8,3 +8,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: {{ .Values.feature.storageCapacity }} | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
It seems to be accepted from 1.25.x, so I suggest this:
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
|
Any updates here @cjorge-graphops ? |
I'm sorry, have been pressed for time. I will be able to address all the points raised here and try to push this forward soon (end of December / very early January) - and ofc, anyone can feel free to do so if they wish to do so earlier 🙇 I'll also document better the requirements as expressed, but just to leave a heads-up: this seLinuxMount functionality on k8s is still being worked and developed further (expanded to relax some of the constraints). As such that documentation will need to be kept up to date over the next months/year as the SIG evolves. I don't mind doing my best to maintain it, but I don't expect I'll be faster at it than this PR has been like through 2025... which leaves a bit to be desired in terms of being timely. |
That's great. Thanks for the contribution, looking forward to the changes. |
Pull Request template
Please, go through these steps before you submit a PR.
Why is this PR required? What issue does it fix?:
Allows zfs-localpv to support efficient SELinux relabeling (https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/)
What this PR does?:
Adds
seLinuxMount: trueto the CSIDriver spec, by default.Does this PR require any upgrade changes?:
No
If the changes in this PR are manually verified, list down the scenarios covered::
I've validated that when all the required conditions are met, kubelet passes an additional mount option for selinux context, which is supported by ZFS with no issues, effectively avoiding the relabeling step on preparing the PVC.
Any additional information for your reviewer? :
Related to #577
Checklist:
<type>(<scope>): <subject>