mkpj: turn off label separation instead of relabelling
Relabelling directories on the host OS could have unforeseen
consequences - e.g. preventing something on the host OS from accessing
the directory - so it's arguably safer to just turn off label
separation using --security-opt="label=disable".
markmc committed Mar 30, 2022
1 parent 667b9bd commit 217410b
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion config/mkpj.sh
Expand Up @@ -33,4 +33,10 @@ config="${root}/config/prow/config.yaml"
job_config_path="${root}/config/jobs"

docker pull gcr.io/k8s-prow/mkpj 1>&2 || true
docker run -i --rm --user "$(id -u):$(id -g)" -v "${root}:${root}:z" gcr.io/k8s-prow/mkpj "--config-path=${config}" "--job-config-path=${job_config_path}" "$@"
docker run \
-i --rm \
--user "$(id -u):$(id -g)" \
-v "${root}:${root}" \
--security-opt="label=disable" \
gcr.io/k8s-prow/mkpj \
"--config-path=${config}" "--job-config-path=${job_config_path}" "$@"
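
Review bot: With `--security-opt="label=disable"` on the new `docker run`, the container is no longer confined by SELinux labels while `-v "${root}:${root}"` still mounts the whole tree read-write. The arguments visible here only hand mkpj paths to read (`--config-path`, `--job-config-path`), so consider `-v "${root}:${root}:ro"` to keep the process from modifying the checkout if it does not need to write there. A short comment above the option recording why labels are disabled instead of relabelling the volume with `:z` would also help, since that rationale currently lives only in the commit message.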
