diff --git a/pkg/kubelet/kubelet_getters.go b/pkg/kubelet/kubelet_getters.go index 491ce594dd3..b51adf24174 100644 --- a/pkg/kubelet/kubelet_getters.go +++ b/pkg/kubelet/kubelet_getters.go @@ -120,8 +120,9 @@ func (kl *Kubelet) ListPodsFromDisk() ([]types.UID, error) { // user namespaces. func (kl *Kubelet) HandlerSupportsUserNamespaces(rtHandler string) (bool, error) { rtHandlers := kl.runtimeState.runtimeHandlers() - if rtHandlers == nil { - return false, fmt.Errorf("runtime handlers are not set") + if len(rtHandlers) == 0 { + // The slice is empty if the runtime is old and doesn't support this message. + return false, nil } for _, h := range rtHandlers { if h.Name == rtHandler { diff --git a/pkg/kubelet/userns/userns_manager.go b/pkg/kubelet/userns/userns_manager.go index 57d38b972df..728757b4f19 100644 --- a/pkg/kubelet/userns/userns_manager.go +++ b/pkg/kubelet/userns/userns_manager.go @@ -417,10 +417,15 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan // From here onwards, hostUsers=false and the feature gate is enabled. // if the pod requested a user namespace and the runtime doesn't support user namespaces then return an error. - if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil { - return nil, err - } else if !handlerSupportsUserns { - return nil, fmt.Errorf("RuntimeClass handler %q does not support user namespaces", runtimeHandler) + if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil || !handlerSupportsUserns { + msg := "can't set `spec.hostUsers: false`, runtime does not support user namespaces" + if runtimeHandler != "" { + msg = fmt.Sprintf("can't set `spec.hostUsers: false`, RuntimeClass handler %q does not support user namespaces", runtimeHandler) + } + if err != nil { + return nil, fmt.Errorf("%v: %w", msg, err) + } + return nil, fmt.Errorf("%v", msg) } m.lock.Lock() @@ -435,12 +440,12 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan if string(content) != "" { userNs, err = m.parseUserNsFileAndRecord(pod.UID, content) if err != nil { - return nil, err + return nil, fmt.Errorf("user namespace: %w", err) } } else { userNs, err = m.createUserNs(pod) if err != nil { - return nil, err + return nil, fmt.Errorf("create user namespace: %w", err) } } @@ -491,7 +496,7 @@ func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runn allFound := sets.New[string]() found, err := m.kl.ListPodsFromDisk() if err != nil { - return err + return fmt.Errorf("user namespace: read pods from disk: %w", err) } for _, podUID := range found {