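// testPodSELinuxLabeling checks MCS-level isolation of an empty_dir volume.
// A pod at level s0:c0,c1 writes a file into the volume; a second pod at the
// same level mounts the backing directory from the node's --volume-dir as a
// host path and must read the content back; a third pod at level s0:c2,c3
// mounts the same host path and must not see the content. hostIPC and
// hostPID are forwarded to scTestPod for every pod created here.
func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) {
	const (
		volumeName  = "test-volume"
		mountPath   = "/mounted_volume"
		testContent = "hello"
		sameLevel   = "s0:c0,c1" // level shared by the writer and the first reader
		otherLevel  = "s0:c2,c3" // level that is expected to be denied access
	)
	testFilePath := mountPath + "/TEST"
	client := f.ClientSet.Core().Pods(f.Namespace.Name)

	// Write and read a file with an empty_dir volume
	// with a pod with the MCS label s0:c0,c1
	pod := scTestPod(hostIPC, hostPID)
	pod.Spec.Containers[0].VolumeMounts = []api.VolumeMount{
		{
			Name:      volumeName,
			MountPath: mountPath,
		},
	}
	pod.Spec.Volumes = []api.Volume{
		{
			Name: volumeName,
			VolumeSource: api.VolumeSource{
				EmptyDir: &api.EmptyDirVolumeSource{
					Medium: api.StorageMediumDefault,
				},
			},
		},
	}
	pod.Spec.SecurityContext.SELinuxOptions = &api.SELinuxOptions{
		Level: sameLevel,
	}
	pod.Spec.Containers[0].Command = []string{"sleep", "6000"}

	// Keep the submitted spec for the failure message; the value returned
	// by a failed Create is not useful for diagnosis.
	created, err := client.Create(pod)
	framework.ExpectNoError(err, "Error creating pod %v", pod)
	pod = created
	framework.ExpectNoError(framework.WaitForPodRunningInNamespace(f.ClientSet, pod))

	containerName := pod.Spec.Containers[0].Name
	err = f.WriteFileViaContainer(pod.Name, containerName, testFilePath, testContent)
	Expect(err).To(BeNil())
	content, err := f.ReadFileViaContainer(pod.Name, containerName, testFilePath)
	Expect(err).To(BeNil())
	Expect(content).To(ContainSubstring(testContent))

	// Re-fetch the pod: the UID and the node it was scheduled to are needed
	// to locate the volume's backing directory on the host.
	foundPod, err := f.ClientSet.Core().Pods(f.Namespace.Name).Get(pod.Name)
	Expect(err).NotTo(HaveOccurred())

	// Confirm that the file can be accessed from a second
	// pod using host_path with the same MCS label
	volumeHostPath := fmt.Sprintf("%s/pods/%s/volumes/kubernetes.io~empty-dir/%s",
		framework.TestContext.KubeVolumeDir, foundPod.UID, volumeName)
	By(fmt.Sprintf("confirming a container with the same label can read the file under --volume-dir=%s", framework.TestContext.KubeVolumeDir))

	pod = scTestPod(hostIPC, hostPID)
	// The backing directory only exists on the writer's node, so pin the
	// reader there.
	pod.Spec.NodeName = foundPod.Spec.NodeName
	volumeMounts := []api.VolumeMount{
		{
			Name:      volumeName,
			MountPath: mountPath,
		},
	}
	volumes := []api.Volume{
		{
			Name: volumeName,
			VolumeSource: api.VolumeSource{
				HostPath: &api.HostPathVolumeSource{
					Path: volumeHostPath,
				},
			},
		},
	}
	pod.Spec.Containers[0].VolumeMounts = volumeMounts
	pod.Spec.Volumes = volumes
	pod.Spec.Containers[0].Command = []string{"cat", testFilePath}
	pod.Spec.SecurityContext.SELinuxOptions = &api.SELinuxOptions{
		Level: sameLevel,
	}
	f.TestContainerOutput("Pod with same MCS label reading test file", pod, 0, []string{testContent})

	// Confirm that the same pod with a different MCS
	// label cannot access the volume
	pod = scTestPod(hostIPC, hostPID)
	// Pin to the same node as well: on any other node the host path would
	// not hold the file and the negative check below would pass vacuously.
	pod.Spec.NodeName = foundPod.Spec.NodeName
	pod.Spec.Volumes = volumes
	pod.Spec.Containers[0].VolumeMounts = volumeMounts
	pod.Spec.Containers[0].Command = []string{"sleep", "6000"}
	pod.Spec.SecurityContext.SELinuxOptions = &api.SELinuxOptions{
		Level: otherLevel,
	}
	created, err = client.Create(pod)
	framework.ExpectNoError(err, "Error creating pod %v", pod)
	pod = created
	err = f.WaitForPodRunning(pod.Name)
	framework.ExpectNoError(err, "Error waiting for pod to run %v", pod)
	// The read is expected to be denied, so its error is deliberately not
	// asserted; only the returned content is checked. Any unrelated exec
	// failure also satisfies this check, so it is a weak negative test.
	content, _ = f.ReadFileViaContainer(pod.Name, pod.Spec.Containers[0].Name, testFilePath)
	Expect(content).NotTo(ContainSubstring(testContent))
}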