
Fix node.selinux configuration parameter & release Helm Chart v2.39.1 #2311

Merged
merged 2 commits into from
Jan 24, 2025

Conversation

AndrewSirenko
Contributor

@AndrewSirenko AndrewSirenko commented Jan 24, 2025

What type of PR is this?

/kind bug

What is this PR about? / Why do we need it?

Fix the node.selinux configuration parameter, because Pod spec.volumes.hostPath does not have a readOnly field; that belongs in pod.spec.containers.volumeMounts.

When you install via Helm, this readOnly is dropped with a warning. However, this breaks the add-on.

❯ helm upgrade --install aws-ebs-csi-driver \
    --namespace kube-system --set "node.selinux=true" \
    aws-ebs-csi-driver/aws-ebs-csi-driver
Release "aws-ebs-csi-driver" does not exist. Installing it now.
W0124 19:27:54.986662   29648 warnings.go:70] unknown field "spec.template.spec.volumes[4].hostPath.readOnly"
W0124 19:27:54.986683   29648 warnings.go:70] unknown field "spec.template.spec.volumes[5].hostPath.readOnly"

How was this change tested?

❯ helm template aws-ebs-csi-driver ./charts/aws-ebs-csi-driver > pre.yml
helm template aws-ebs-csi-driver ./charts/aws-ebs-csi-driver --set node.selinux=true > post.yml

diff pre.yml post.yml -C 5
*** pre.yml	2025-01-24 21:04:48.509855690 +0000
--- post.yml	2025-01-24 21:04:48.599854884 +0000
***************
*** 480,489 ****
--- 480,495 ----
                mountPropagation: "Bidirectional"
              - name: plugin-dir
                mountPath: /csi
              - name: device-dir
                mountPath: /dev
+             - name: selinux-sysfs
+               mountPath: /sys/fs/selinux
+               readOnly: true
+             - name: selinux-config
+               mountPath: /etc/selinux/config
+               readOnly: true
            ports:
              - name: healthz
                containerPort: 9808
                protocol: TCP
            livenessProbe:
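Review bot: `readOnly: true` now sits on the two `volumeMounts` entries, which is the only place the Pod API defines it; with the previous placement under `hostPath` the API server dropped the field as unknown, so /sys/fs/selinux and /etc/selinux/config were silently bind-mounted writable into the node plugin. The `pre.yml` side of this hunk confirms the mounts are still absent when `node.selinux` is left at its default, so the change is scoped to the opt-in path.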
***************
*** 576,585 ****
--- 582,599 ----
              type: Directory
          - name: device-dir
            hostPath:
              path: /dev
              type: Directory
+         - name: selinux-sysfs
+           hostPath:
+             path: /sys/fs/selinux
+             type: Directory
+         - name: selinux-config
+           hostPath:
+             path: /etc/selinux/config
+             type: File
          - name: probe-dir
            emptyDir: {}
  ---
  # Source: aws-ebs-csi-driver/templates/controller.yaml
  # Controller Service
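Review bot: `type: Directory` for /sys/fs/selinux and `type: File` for /etc/selinux/config make kubelet refuse to start the pod when that path is missing on the host, so enabling `node.selinux=true` on a cluster that also has nodes without SELinux (no /etc/selinux/config) will leave `ebs-csi-node` pods failing on those nodes. Suggest stating this in the `values.yaml` description for `node.selinux`, since the hostPath `type` checks are the right behaviour for the SELinux nodes themselves.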
❯ helm upgrade --install aws-ebs-csi-driver \
    --namespace kube-system --set "node.selinux=true" \
    charts/aws-ebs-csi-driver
Release "aws-ebs-csi-driver" does not exist. Installing it now.
NAME: aws-ebs-csi-driver
LAST DEPLOYED: Fri Jan 24 21:05:37 2025
NAMESPACE: kube-system
STATUS: deployed

❯ k get daemonset ebs-csi-node -o yaml -n kube-system | grep selinux -C 5
          name: kubelet-dir
        - mountPath: /csi
          name: plugin-dir
        - mountPath: /dev
          name: device-dir
        - mountPath: /sys/fs/selinux
          name: selinux-sysfs
          readOnly: true
        - mountPath: /etc/selinux/config
          name: selinux-config
          readOnly: true
      - args:
        - --csi-address=$(ADDRESS)
        - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
        - --v=2
--
      - hostPath:
          path: /dev
          type: Directory
        name: device-dir
      - hostPath:
          path: /sys/fs/selinux
          type: Directory
        name: selinux-sysfs
      - hostPath:
          path: /etc/selinux/config
          type: File
        name: selinux-config
      - emptyDir: {}
        name: probe-dir

Does this PR introduce a user-facing change?

NONE
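The bug described above (a `readOnly` flag under `spec.volumes[].hostPath`, where the Pod API has no such field, instead of on the container's `volumeMounts`) is easy to lint for in rendered manifests. The following is an added example, not code from this PR or from the aws-ebs-csi-driver project: it takes a pod spec already parsed into a Python dict (for instance `helm template` output loaded with a YAML library), reports misplaced `readOnly` keys and writable hostPath mounts under sensitive prefixes, and shows the fix as a transformation. The sample pod spec is constructed from the mount and volume names on this page; the container name `ebs-plugin` is an assumption for illustration.

```python
from __future__ import annotations

import copy

# Prefixes under which a hostPath mount should normally be read-only.
# /dev is deliberately excluded: the node plugin needs writable device access.
SENSITIVE_PREFIXES = ("/sys", "/etc", "/proc")

# Constructed sample: a trimmed ebs-csi-node pod spec as the chart rendered it
# before this PR, with readOnly wrongly placed under spec.volumes[].hostPath.
# The container name "ebs-plugin" is assumed for illustration.
POD_SPEC_BEFORE: dict = {
    "containers": [
        {
            "name": "ebs-plugin",
            "volumeMounts": [
                {"name": "device-dir", "mountPath": "/dev"},
                {"name": "selinux-sysfs", "mountPath": "/sys/fs/selinux"},
                {"name": "selinux-config", "mountPath": "/etc/selinux/config"},
            ],
        }
    ],
    "volumes": [
        {"name": "device-dir", "hostPath": {"path": "/dev", "type": "Directory"}},
        {"name": "selinux-sysfs", "hostPath": {"path": "/sys/fs/selinux", "type": "Directory", "readOnly": True}},
        {"name": "selinux-config", "hostPath": {"path": "/etc/selinux/config", "type": "File", "readOnly": True}},
        {"name": "probe-dir", "emptyDir": {}},
    ],
}


def find_misplaced_readonly(pod_spec: dict) -> list[str]:
    """Names of hostPath volumes that carry `readOnly` under hostPath.

    The Pod API has no such field there; the API server strips it with an
    "unknown field" warning, so the setting has no effect at all.
    """
    return [
        v["name"]
        for v in pod_spec.get("volumes", [])
        if "readOnly" in v.get("hostPath", {})
    ]


def find_writable_hostpath_mounts(pod_spec: dict) -> list[tuple[str, str, str]]:
    """(container, volume, mountPath) for hostPath mounts under a sensitive
    prefix whose volumeMount does not set `readOnly: true`."""
    hostpath_volumes = {v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            if (
                mount["name"] in hostpath_volumes
                and mount["mountPath"].startswith(SENSITIVE_PREFIXES)
                and not mount.get("readOnly", False)
            ):
                findings.append((container["name"], mount["name"], mount["mountPath"]))
    return findings


def relocate_readonly(pod_spec: dict) -> dict:
    """Return a copy in which each hostPath-level `readOnly: true` is removed
    and applied to every volumeMount referencing that volume (the same move
    this PR makes in the chart). The input is left untouched."""
    fixed = copy.deepcopy(pod_spec)
    moved: set[str] = set()
    for v in fixed.get("volumes", []):
        host_path = v.get("hostPath")
        # pop() drops the invalid key; only a true value is carried over.
        if host_path is not None and host_path.pop("readOnly", False):
            moved.add(v["name"])
    for container in fixed.get("containers", []) + fixed.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in moved:
                mount["readOnly"] = True
    return fixed


def lint(pod_spec: dict) -> list[str]:
    """Human-readable findings; an empty list means the spec is clean."""
    msgs = [f"volume {n}: readOnly under hostPath is not a valid field"
            for n in find_misplaced_readonly(pod_spec)]
    msgs += [f"container {c}: hostPath mount {p} ({v}) is writable"
             for c, v, p in find_writable_hostpath_mounts(pod_spec)]
    return msgs


if __name__ == "__main__":
    for line in lint(POD_SPEC_BEFORE):
        print("before:", line)
    print("after:", lint(relocate_readonly(POD_SPEC_BEFORE)) or "clean")
```

Run against a whole rendered chart, the misplaced-`readOnly` check is the one that would have caught this bug before the API server warning did; the writable-mount check is the broader invariant worth enforcing, since a hostPath under /sys or /etc mounted without `readOnly: true` is writable from inside the container.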

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Jan 24, 2025
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 24, 2025

Code Coverage Diff

This PR does not change the code coverage

@AndrewSirenko
Contributor Author

Note: I will cherry-pick to the release-1.39 branch.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 24, 2025
@AndrewSirenko AndrewSirenko changed the title wip: Fix node.selinux configuration parameter Fix node.selinux configuration parameter & release Helm Chart v2.39.1 Jan 24, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 24, 2025
Member

@torredil torredil left a comment


Validated the warnings are no longer present via helm upgrade --install aws-ebs-csi-driver --namespace kube-system ./charts/aws-ebs-csi-driver --values ./charts/aws-ebs-csi-driver/values.yaml --set node.selinux=true and that the values are rendered as expected:

kubectl describe pod ebs-csi-node-lfxl8 -n kube-system | grep "selinux-sysfs"
/sys/fs/selinux from selinux-sysfs (ro)

/lgtm
/approve
/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 24, 2025
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 24, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: torredil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 24, 2025
@AndrewSirenko
Contributor Author

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 24, 2025
@AndrewSirenko
Contributor Author

/cherry-pick release-1.39

@k8s-ci-robot k8s-ci-robot merged commit 223a08c into kubernetes-sigs:master Jan 24, 2025
15 of 16 checks passed
Member

@torredil torredil left a comment


/lgtm
/approve
