Merge pull request #8 from weka/sergey/selinux

Release v0.8.0: Add SELinux support

Dockerfile

@@ -23,7 +23,7 @@ FROM alpine:3.15
 LABEL maintainers="Weka"
 LABEL description="Weka CSI Driver"
 # Add util-linux to get a new version of losetup.
-RUN apk add util-linux
+RUN apk add util-linux libselinux libselinux-utils util-linux pciutils usbutils coreutils binutils findutils grep bash
 COPY --from=go-builder /bin/wekafsplugin /wekafsplugin
 ARG binary=/bin/wekafsplugin
 ENTRYPOINT ["/wekafsplugin"]

README.md

@@ -1,5 +1,5 @@
 # CSI WekaFS Driver
-![Version: 0.7.4](https://img.shields.io/badge/Version-0.7.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.4](https://img.shields.io/badge/AppVersion-v0.7.4-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/csi-wekafs)](https://artifacthub.io/packages/search?repo=csi-wekafs)
 
@@ -16,6 +16,7 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c
 
 ## Usage
 - [Deploy an Example application](docs/usage.md)
+- [SELinux Support & Installation Notes](selinux/README.md)
 
 ## Additional Documentation
 - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin)
@@ -33,17 +34,22 @@ make build
 |-----|------|---------|-------------|
 | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned |
 | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) |
-| csiDriverVersion | string | `"0.7.4"` | CSI driver version |
+| csiDriverVersion | string | `"0.8.0"` | CSI driver version |
 | images.livenessprobesidecar | string | `"k8s.gcr.io/sig-storage/livenessprobe:v2.6.0"` | CSI liveness probe sidecar image URL |
 | images.attachersidecar | string | `"k8s.gcr.io/sig-storage/csi-attacher:v3.4.0"` | CSI attacher sidecar image URL |
 | images.provisionersidecar | string | `"k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0"` | CSI provisioner sidecar image URL |
 | images.registrarsidecar | string | `"k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.0"` | CSI registrar sidercar |
 | images.resizersidecar | string | `"k8s.gcr.io/sig-storage/csi-resizer:v1.4.0"` | CSI provisioner sidecar image URL |
 | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL |
-| images.csidriverTag | string | `"0.7.4"` | CSI driver tag |
+| images.csidriverTag | string | `"0.8.0"` | CSI driver tag |
 | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components |
 | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) |
 | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) |
 | nodeSelector | object | `{}` | Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only |
 | logLevel | int | `5` | Log level of CSI plugin |
+| legacyVolumeSecretName | string | `""` | for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin |
+| priorityClassName | string | `""` | Optional CSI Plugin priorityClassName |
+| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off)    In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below    In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts    In `off` mode, only non-SELinux-enabled node components will be run on hosts without label.    WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! |
+| selinuxNodeLabel | string | `"csi.weka.io/selinux_enabled"` | This label must be set to "true" on SELinux-enabled Kubernetes nodes,    e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label    csi.weka.io/selinux_enabled="true" |
+| kubeletPath | string | `"/var/lib/kubelet"` | kubelet path, in cases Kubernetes is installed not in default folder |
 

README.md.gotmpl

@@ -16,6 +16,7 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c
 
 ## Usage
 - [Deploy an Example application](docs/usage.md)
+- [SELinux Support & Installation Notes](selinux/README.md)
 
 ## Additional Documentation
 - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin)

RELEASE.md

@@ -1,3 +1,18 @@
+# Release 0.8.0
+## New features
+### SELinux support
+Weka CSI Plugin can now work with SELinux-enabled Kubernetes clusters.  
+> **NOTE:** Special configuration is required to deploy the Weka CSI plugin in SELinux-compatible mode  
+> Refer to [SELinux Support Readme](selinux/README.md) for additional information
+## Improvements
+- Helm Charts were separated on per-object basis for better supportability
+- Custom `kubelet` path may be set, e.g. for using Kubernetes installed into non-default directory 
+
+## Bug Fixes
+- Part of new settings in `values.yaml` were not documented
+- Improved logging on failure to mount a filesystem due to authorization error
+- Fixed a situation in which `csi-registrar` container (part of node server) could enter crash loop due to `csi.Node.v1` not found
+
 # Release 0.7.4
 ## New features
 ### Support for authenticated FileSystems and additional organizations

cmd/wekafsplugin/main.go

@@ -44,7 +44,8 @@ var (
 	showVersion       = flag.Bool("version", false, "Show version.")
 	dynamicSubPath    = flag.String("dynamic-path", "csi-volumes",
 		"Store dynamically provisioned volumes in subdirectory rather than in root directory of th filesystem")
-	csimodetext = flag.String("csimode", "all", "Mode of CSI plugin, either \"controller\", \"node\", \"all\" (default)")
+	csimodetext    = flag.String("csimode", "all", "Mode of CSI plugin, either \"controller\", \"node\", \"all\" (default)")
+	selinuxSupport = flag.Bool("selinux-support", false, "Enable support for SELinux")
 	// Set by the build process
 	version = ""
 )
@@ -60,14 +61,19 @@ func main() {
 	if csiMode != wekafs.CsiModeAll && csiMode != wekafs.CsiModeController && csiMode != wekafs.CsiModeNode {
 		wekafs.Die("Invalid mode specified for CSI driver")
 	}
-	glog.Infof("Running in mode: %s", csiMode)
+	glog.Infof("Running in mode: %s, SELinux support: %s", csiMode, func() string {
+		if *selinuxSupport {
+			return "ON"
+		}
+		return "OFF"
+	}())
 
 	handle()
 	os.Exit(0)
 }
 
 func handle() {
-	driver, err := wekafs.NewWekaFsDriver(*driverName, *nodeID, *endpoint, *maxVolumesPerNode, version, *debugPath, *dynamicSubPath, csiMode)
+	driver, err := wekafs.NewWekaFsDriver(*driverName, *nodeID, *endpoint, *maxVolumesPerNode, version, *debugPath, *dynamicSubPath, csiMode, *selinuxSupport)
 	if err != nil {
 		fmt.Printf("Failed to initialize driver: %s", err.Error())
 		os.Exit(1)

deploy/helm/csi-wekafsplugin/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 name: csi-wekafsplugin
 description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for WekaFS - the world fastest filesystem
 sources:
-  - https://github.com/weka/csi-wekafs/tree/v0.7.4/deploy/helm/csi-wekafsplugin
+  - https://github.com/weka/csi-wekafs/tree/v0.8.0/deploy/helm/csi-wekafsplugin
 home: https://github.com/weka/csi-wekafs
 icon: https://weka.github.io/csi-wekafs/logo.png
 type: application
-version: 0.7.4
-appVersion: v0.7.4
+version: 0.8.0
+appVersion: v0.8.0

deploy/helm/csi-wekafsplugin/README.md

@@ -12,9 +12,12 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c
 ## Deployment
 ```shell
 helm repo add csi-wekafs https://weka.github.io/csi-wekafs
-helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace
+helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace [--set selinuxSupport=<off | mixed | enforced>]
 ```
 
+> **NOTE:** Since version 0.8.0, Weka CSI plugin supports installation on SELinux-enabled Kubernetes clusters
+> Refer to [SELinux Support & Installation Notes](selinux/README.md) for additional information
+
 > **NOTE:** Since version 0.7.0, Weka CSI plugin transitions to API-based deployment model which requires API
 > connectivity and credentials parameters to be set in Storage Class.
 >
@@ -28,6 +31,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs
 
 ## Usage
 - [Deploy an Example application](https://github.com/weka/csi-wekafs/blob/master/docs/usage.md)
+- [SELinux Support & Installation Notes](selinux/README.md)
 
 ## Additional Documentation
 - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin)
@@ -38,17 +42,22 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs
 |-----|------|---------|-------------|
 | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned |
 | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) |
-| csiDriverVersion | string | `"0.7.4"` | CSI driver version |
+| csiDriverVersion | string | `"0.8.0"` | CSI driver version |
 | images.livenessprobesidecar | string | `"k8s.gcr.io/sig-storage/livenessprobe:v2.6.0"` | CSI liveness probe sidecar image URL |
 | images.attachersidecar | string | `"k8s.gcr.io/sig-storage/csi-attacher:v3.4.0"` | CSI attacher sidecar image URL |
 | images.provisionersidecar | string | `"k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0"` | CSI provisioner sidecar image URL |
 | images.registrarsidecar | string | `"k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.0"` | CSI registrar sidercar |
 | images.resizersidecar | string | `"k8s.gcr.io/sig-storage/csi-resizer:v1.4.0"` | CSI provisioner sidecar image URL |
 | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL |
-| images.csidriverTag | string | `"0.7.4"` | CSI driver tag |
+| images.csidriverTag | string | `"0.8.0"` | CSI driver tag |
 | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components |
 | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) |
 | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) |
 | nodeSelector | object | `{}` | Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only |
 | logLevel | int | `5` | Log level of CSI plugin |
+| legacyVolumeSecretName | string | `""` | for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin |
+| priorityClassName | string | `""` | Optional CSI Plugin priorityClassName |
+| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off)    In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below    In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts    In `off` mode, only non-SELinux-enabled node components will be run on hosts without label.    WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! |
+| selinuxNodeLabel | string | `"csi.weka.io/selinux_enabled"` | This label must be set to "true" on SELinux-enabled Kubernetes nodes,    e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label    csi.weka.io/selinux_enabled="true" |
+| kubeletPath | string | `"/var/lib/kubelet"` | kubelet path, in cases Kubernetes is installed not in default folder |
 

deploy/helm/csi-wekafsplugin/README.md.gotmpl

@@ -12,9 +12,12 @@ This repository hosts the CSI WekaFS driver and all of its build and dependent c
 ## Deployment
 ```shell
 helm repo add csi-wekafs https://weka.github.io/csi-wekafs
-helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace
+helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace [--set selinuxSupport=<off | mixed | enforced>]
 ```
 
+> **NOTE:** Since version 0.8.0, Weka CSI plugin supports installation on SELinux-enabled Kubernetes clusters
+> Refer to [SELinux Support & Installation Notes](selinux/README.md) for additional information
+
 > **NOTE:** Since version 0.7.0, Weka CSI plugin transitions to API-based deployment model which requires API
 > connectivity and credentials parameters to be set in Storage Class.
 >
@@ -28,6 +31,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs
 
 ## Usage
 - [Deploy an Example application](https://github.com/weka/csi-wekafs/blob/master/docs/usage.md)
+- [SELinux Support & Installation Notes](selinux/README.md)
 
 ## Additional Documentation
 - [Official Weka CSI Plugin documentation](https://docs.weka.io/appendix/weka-csi-plugin)

deploy/helm/csi-wekafsplugin/templates/NOTES.txt

@@ -8,3 +8,6 @@ To learn more about the release, try:
   $ helm get all {{ .Release.Name }}
 
 Official Weka CSI Plugin documentation can be found here: https://docs.weka.io/appendix/weka-csi-plugin
+
+Examples on how to configure a storage class and start using the driver are here:
+https://github.com/weka/csi-wekafs/tree/master/examples

deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrole.yaml

@@ -0,0 +1,63 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+  labels:
+    app: {{ .Release.Name }}-controller
+    component: {{ .Release.Name }}-controller
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodeinfos"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "list", "watch", "delete", "get", "update"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "create", "get", "list", "watch", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]

deploy/helm/csi-wekafsplugin/templates/controllerserver-clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+  labels:
+    app: {{ .Release.Name }}-controller
+    component: {{ .Release.Name }}-controller
+    release: {{ .Release.Name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-controller
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-controller
+  apiGroup: rbac.authorization.k8s.io

deploy/helm/csi-wekafsplugin/templates/controllerserver-serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+imagePullSecrets:
+  - name: {{ .Release.Name }}-creds
+metadata:
+  name: {{ .Release.Name }}-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-controller
+    component: {{ .Release.Name }}-controller
+    release: {{ .Release.Name }}
+