Merge pull request #16801 from jsafrane/selinux-gce

Implement SELinuxMount feature gate for GCE
kubernetes · Sep 2, 2024 · adce725 · adce725
2 parents 801abbc + 08d494a
commit adce725
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/pkg/featureflag/featureflag.go b/pkg/featureflag/featureflag.go
@@ -85,7 +85,7 @@ var (
 	ImageDigest = new("ImageDigest", Bool(true))
 	// Scaleway toggles the Scaleway Cloud support.
 	Scaleway = new("Scaleway", Bool(false))
-	// SELinuxMount configures AWS EBS CSI driver for SELinuxMount support.
+	// SELinuxMount configures AWS EBS and GCE PD CSI drivers for SELinuxMount support.
 	// It expects than Kubernetes feature gate SELinuxMountReadWriteOncePod is
 	// enabled or GA in the API server, KCM and kubelet.
 	// OS with SELinux support on all nodes is recommended, but not required

diff --git a/upup/models/cloudup/resources/addons/gcp-pd-csi-driver.addons.k8s.io/k8s-1.23.yaml.template b/upup/models/cloudup/resources/addons/gcp-pd-csi-driver.addons.k8s.io/k8s-1.23.yaml.template
@@ -667,6 +667,10 @@ spec:
           name: udev-socket
         - mountPath: /sys
           name: sys
+{{ if KopsFeatureEnabled "SELinuxMount" }}
+        - name: etc-selinux
+          mountPath: /etc/selinux
+{{ end }}
       hostNetwork: true
       nodeSelector: null
       priorityClassName: csi-gce-pd-node
@@ -706,6 +710,12 @@ spec:
           path: /sys
           type: Directory
         name: sys
+{{ if KopsFeatureEnabled "SELinuxMount" }}
+      - name: etc-selinux
+        hostPath:
+          path: /etc/selinux
+          type: DirectoryOrCreate
+{{ end }}
 ---
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
@@ -714,3 +724,6 @@ metadata:
 spec:
   attachRequired: true
   podInfoOnMount: false
+{{ if KopsFeatureEnabled "SELinuxMount" }}
+  seLinuxMount: true
+{{ end }}