Merge pull request #131781 from rata/automated-cherry-pick-of-#131623-upstream-release-1.33

Automated cherry pick of #131623: kubelet: userns: Improve errors returned to the user
This commit is contained in:
Kubernetes Prow Robot 2025-06-05 04:14:39 -07:00 committed by GitHub
commit 18edacf576
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 9 deletions


@ -120,8 +120,9 @@ func (kl *Kubelet) ListPodsFromDisk() ([]types.UID, error) {
// user namespaces. // user namespaces.
func (kl *Kubelet) HandlerSupportsUserNamespaces(rtHandler string) (bool, error) { func (kl *Kubelet) HandlerSupportsUserNamespaces(rtHandler string) (bool, error) {
rtHandlers := kl.runtimeState.runtimeHandlers() rtHandlers := kl.runtimeState.runtimeHandlers()
if rtHandlers == nil { if len(rtHandlers) == 0 {
return false, fmt.Errorf("runtime handlers are not set") // The slice is empty if the runtime is old and doesn't support this message.
return false, nil
} }
for _, h := range rtHandlers { for _, h := range rtHandlers {
if h.Name == rtHandler { if h.Name == rtHandler {
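Review bot: The new early return in `HandlerSupportsUserNamespaces` folds "handlers not reported" into "not supported": when `len(rtHandlers) == 0` it now returns `false, nil`, whereas the old code returned an error, so callers can no longer tell an old runtime apart from a runtime status that simply has not been populated yet (assuming `runtimeHandlers()` can be empty before the first status sync; the `runtimeState` type is not visible here). Because the caller turns `false` into a hard error, a pod that sets `spec.hostUsers: false` still fails closed rather than silently running without a user namespace, so the change is safe in the direction that matters; the only cost is diagnostic precision. I would make that contract explicit in the comment on the new branch: `// An empty slice means the runtime did not report any handlers (old runtime, or status not yet synced); report "unsupported" so callers fail closed rather than proceed without a user namespace.` The function's doc comment begins before the hunk and the loop body continues after it.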


@ -417,10 +417,15 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
// From here onwards, hostUsers=false and the feature gate is enabled. // From here onwards, hostUsers=false and the feature gate is enabled.
// if the pod requested a user namespace and the runtime doesn't support user namespaces then return an error. // if the pod requested a user namespace and the runtime doesn't support user namespaces then return an error.
if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil { if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil || !handlerSupportsUserns {
return nil, err msg := "can't set `spec.hostUsers: false`, runtime does not support user namespaces"
} else if !handlerSupportsUserns { if runtimeHandler != "" {
return nil, fmt.Errorf("RuntimeClass handler %q does not support user namespaces", runtimeHandler) msg = fmt.Sprintf("can't set `spec.hostUsers: false`, RuntimeClass handler %q does not support user namespaces", runtimeHandler)
}
if err != nil {
return nil, fmt.Errorf("%v: %w", msg, err)
}
return nil, fmt.Errorf("%v", msg)
} }
m.lock.Lock() m.lock.Lock()
@ -435,12 +440,12 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
if string(content) != "" { if string(content) != "" {
userNs, err = m.parseUserNsFileAndRecord(pod.UID, content) userNs, err = m.parseUserNsFileAndRecord(pod.UID, content)
if err != nil { if err != nil {
return nil, err return nil, fmt.Errorf("user namespace: %w", err)
} }
} else { } else {
userNs, err = m.createUserNs(pod) userNs, err = m.createUserNs(pod)
if err != nil { if err != nil {
return nil, err return nil, fmt.Errorf("create user namespace: %w", err)
} }
} }
@ -491,7 +496,7 @@ func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runn
allFound := sets.New[string]() allFound := sets.New[string]()
found, err := m.kl.ListPodsFromDisk() found, err := m.kl.ListPodsFromDisk()
if err != nil { if err != nil {
return err return fmt.Errorf("user namespace: read pods from disk: %w", err)
} }
for _, podUID := range found { for _, podUID := range found {