When SELinux is enabled and enforcing, bind mounts need to be relabeled to work correctly in many cases. This is configured by adding the "z" option to --volume definitions (it is not supported with --mount type=bind).

This adds a relabeling function to run.sh which adds the appropriate option to --volume definitions, and warns if it finds a --mount type=bind option. It also converts --mount type=bind declarations to the corresponding --volume definition.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
😊 Welcome @skitt! This is either your first contribution to the Istio common-files repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon.
Hi @skitt. Thanks for your PR. I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@skitt do you still need this?
/ok-to-test |
Yes, thanks for looking at the PR! |
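One way to do the rewriting the PR description outlines, written as an added example and not the PR's own run.sh code. The function names are hypothetical, and it assumes bind sources are absolute host paths, arguments contain no newlines, and `--mount` is given in its two-word form.

```shell
# Added example, not the PR's run.sh; all function names are hypothetical.
# Append "z" to a bind-style volume spec (absolute host path source).
add_z() (
  spec=$1
  case "$spec" in
    /*:*:*)                          # options field already present
      case ",${spec##*:}," in
        *,z,*|*,Z,*) ;;              # already labeled, leave as is
        *) spec="$spec,z" ;;
      esac ;;
    /*:*) spec="$spec:z" ;;          # no options yet
  esac
  printf '%s\n' "$spec"
)
# Turn "type=bind,source=S,destination=D[,readonly]" into "S:D[:ro]".
mount_to_volume() (
  src='' dst='' ro=''
  IFS=,; set -f                      # split on commas, no globbing
  for kv in $1; do
    case "$kv" in
      source=*|src=*) src=${kv#*=} ;;
      destination=*|dst=*|target=*) dst=${kv#*=} ;;
      readonly|ro) ro=:ro ;;
    esac
  done
  printf '%s:%s%s\n' "$src" "$dst" "$ro"
)
# Rewrite a docker argument list, printing one argument per line.
relabel_args() (
  while [ $# -gt 0 ]; do
    case "$1" in
      -v|--volume)
        [ $# -ge 2 ] || { echo "$1 needs a value" >&2; exit 2; }
        printf '%s\n' "$1"; add_z "$2"; shift ;;
      --volume=*) printf '%s=%s\n' --volume "$(add_z "${1#--volume=}")" ;;
      --mount)
        [ $# -ge 2 ] || { echo "$1 needs a value" >&2; exit 2; }
        case ",$2," in
          *,type=bind,*)             # warn on stderr, then convert
            echo "warning: converting --mount type=bind to --volume" >&2
            printf '%s\n' --volume; add_z "$(mount_to_volume "$2")" ;;
          *) printf '%s\n' "$1" "$2" ;;   # other mount types pass through
        esac
        shift ;;
      *) printf '%s\n' "$1" ;;
    esac
    shift
  done
)
```

Named volumes such as `cache:/data` and specs that already carry `z` or `Z` are left untouched, so a private `Z` label is never widened to the shared `z` label.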