feat(csidriver): declare seLinuxMount support #598
Conversation
Signed-off-by: Carlos Jorge <[email protected]>
| @@ -8,3 +8,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: {{ .Values.feature.storageCapacity }} | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
Maybe set this via helm variable?
There was a problem hiding this comment.
moreover if this is supported in Kubernetes version ≥ 1.27 then why are we setting it to true as default
There was a problem hiding this comment.
It seems to be accepted from 1.25.x, so I suggest this:
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
| --- | ||
| title: SELinux Mount Support for LocalPV-ZFS | ||
| authors: | ||
| - "@cjorge-graphops" | ||
| creation-date: 2024-11-01 | ||
| last-updated: 2024-11-01 | ||
| --- |
There was a problem hiding this comment.
@tiagolobocastro Should this be here?
There was a problem hiding this comment.
You mean vs the root openebs? Seems we already have pv-migration here in this repo as well.
So basically, going forward do we want to keep designs per repo or on umbrella repo? CC @avishnu
There was a problem hiding this comment.
Let's just keep it here for now.
Let's discuss on the next maintainers call on how to organize these better.
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## develop #598 +/- ##
===========================================
- Coverage 96.37% 95.99% -0.38%
===========================================
Files 1 1
Lines 496 574 +78
===========================================
+ Hits 478 551 +73
- Misses 14 19 +5
Partials 4 4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| - Pod must specify SELinux level | ||
| - PV must be RWOP. | ||
|
|
||
| Note: I'm unsure this is necessary or makes sense to document, thoughts? |
There was a problem hiding this comment.
Yes I think it's good to document the requirements.
| @@ -2787,3 +2787,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: true | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
| @@ -8,3 +8,4 @@ spec: | |||
| attachRequired: false | |||
| podInfoOnMount: false | |||
| storageCapacity: {{ .Values.feature.storageCapacity }} | |||
| seLinuxMount: true | |||
There was a problem hiding this comment.
It seems to be accepted from 1.25.x, so I suggest this:
| seLinuxMount: true | |
| {{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} | |
| seLinuxMount: true | |
| {{- end }} |
Pull Request template
Please, go through these steps before you submit a PR.
Why is this PR required? What issue does it fix?:
Allows zfs-localpv to support efficient SELinux relabeling (https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/)
What this PR does?:
Adds
seLinuxMount: trueto the CSIDriver spec, by default.Does this PR require any upgrade changes?:
No
If the changes in this PR are manually verified, list down the scenarios covered::
I've validated that when all the required conditions are met, kubelet passes an additional mount option for selinux context, which is supported by ZFS with no issues, effectively avoiding the relabeling step on preparing the PVC.
Any additional information for your reviewer? :
Related to #577
Checklist:
<type>(<scope>): <subject>