Add configurable selinux options for datamover backup: #8255
Conversation
none: no selinux changes (for non-selinux env). Default value.
no-relabeling: sets spc_t in securityContext to disable selinux enforcement in pod and to prevent relabeling on volume mount.
no-readonly: removes readOnly=true from pod spec.volumes.
Signed-off-by: Scott Seago <sseago@redhat.com>
Converted to draft as I haven't tested this yet in a real cluster.
Codecov Report. Attention: Patch coverage is

Coverage Diff (main vs. #8255)

             main      #8255     +/-
  Coverage   59.21%    59.15%    -0.06%
  Files      367       368       +1
  Lines      30841     30878     +37
  Hits       18262     18266     +4
  Misses     11119     11149     +30
  Partials   1460      1463      +3
No problems with either of the selinux options in backing up an OpenShift workload, although I have not yet verified either of the options with shallow copy/ceph.
In doing some testing with this PR and ceph, I created my sample app with storageclass
Testing with the 3 options provided in this PR (verifying in all 3 cases that the PVC was created with ROX access mode):
@msfrucht See my results above -- it looks like for the ceph/ROX use case we must use the spc_t option rather than removing the readonly attribute from pod.spec.volumes.
Closing PR, since we fixed this a different way.
Current podified datamover fails on backup in clusters with SELinux enabled because the default relabeling behavior on volume mount fails for readonly volumes, and then SELinux prevents the pod user from accessing the unlabeled_t files. This provides user-configurable options via a new installer and node-agent server flag --selinux-datamover to configure the behavior, since there is no one-size-fits-all solution. The three valid non-empty values for this flag are:
none: no selinux changes (for non-selinux env). Default value.
no-relabeling: sets spc_t in securityContext to disable selinux enforcement in pod and to prevent relabeling on volume mount.
no-readonly: removes readOnly=true from pod spec.volumes.
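What each --selinux-datamover value does to the datamover pod, as an added example that is not Velero's own code: it applies the three options to a plain dict in corev1.Pod layout (an assumption made for illustration; the real implementation works on typed Go objects and is not shown here), and the pod manifest below is constructed.

```python
import copy

# Unconfined "super privileged container" SELinux type that the no-relabeling option sets.
SPC_T = "spc_t"
VALID_MODES = ("none", "no-relabeling", "no-readonly")

# Constructed sample: a datamover-style pod mounting a read-only PVC (not taken from the PR).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "datamover-example"},
    "spec": {
        "containers": [{"name": "mover", "image": "example/mover:latest",
                        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
        "volumes": [
            {"name": "data",
             "persistentVolumeClaim": {"claimName": "backup-snapshot-pvc", "readOnly": True}},
            {"name": "tmp", "emptyDir": {}},
        ],
    },
}


def apply_selinux_datamover(pod: dict, mode: str) -> dict:
    """Return a copy of POD adjusted for --selinux-datamover MODE (hypothetical helper)."""
    if mode not in VALID_MODES:
        raise ValueError(f"invalid --selinux-datamover value {mode!r}, expected one of {VALID_MODES}")
    out = copy.deepcopy(pod)
    if mode == "none":
        # Non-SELinux environment: leave the manifest untouched (the default).
        return out
    spec = out.setdefault("spec", {})
    if mode == "no-relabeling":
        # Run the pod as spc_t: SELinux no longer confines it, and the kubelet does not
        # try to relabel the read-only volume on mount, so the mount no longer fails.
        sc = spec.setdefault("securityContext", {})
        sc.setdefault("seLinuxOptions", {})["type"] = SPC_T
        return out
    # no-readonly: strip readOnly=true from each volume source so relabeling can succeed;
    # the pod keeps its default SELinux confinement.
    for vol in spec.get("volumes", []):
        for source in vol.values():
            if isinstance(source, dict) and source.get("readOnly") is True:
                del source["readOnly"]
    return out


def readonly_volumes(pod: dict) -> list:
    """Names of spec.volumes entries whose source still carries readOnly=true."""
    return [vol["name"] for vol in pod.get("spec", {}).get("volumes", [])
            if any(isinstance(s, dict) and s.get("readOnly") is True for s in vol.values())]
```

In no-relabeling mode the pod runs unconfined by SELinux, so that choice is the one to record and review when auditing node-agent configuration.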