Merge pull request #131782 from rata/automated-cherry-pick-of-#131623-upstream-release-1.32

Automated cherry pick of #131623: kubelet: userns: Improve errors returned to the user
Kubernetes Prow Robot 2025-06-05 21:28:37 -07:00 committed by GitHub
commit 2aa6d7d467
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 9 deletions


@ -120,8 +120,9 @@ func (kl *Kubelet) ListPodsFromDisk() ([]types.UID, error) {
// user namespaces.
func (kl *Kubelet) HandlerSupportsUserNamespaces(rtHandler string) (bool, error) {
rtHandlers := kl.runtimeState.runtimeHandlers()
if rtHandlers == nil {
return false, fmt.Errorf("runtime handlers are not set")
if len(rtHandlers) == 0 {
// The slice is empty if the runtime is old and doesn't support this message.
return false, nil
}
for _, h := range rtHandlers {
if h.Name == rtHandler {
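Review bot: The rewritten guard folds the nil case into the empty case: where `if rtHandlers == nil` previously surfaced `runtime handlers are not set` as an error, `len(rtHandlers) == 0` now returns `false, nil` for both, and the new comment attributes every empty result to an old runtime. If runtimeHandlers() can also be nil before the first runtime status sync (not visible here), the caller's message that the runtime does not support user namespaces would be misleading for a runtime that does; the outcome still fails closed, since the caller rejects the pod rather than running it without a user namespace. Worth either keeping a distinct nil check or widening the comment, e.g. `// Empty (or nil) if the runtime is old and doesn't report handlers, or if runtime status has not been fetched yet — TODO confirm the nil case.` HandlerSupportsUserNamespaces continues past the hunk.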


@ -406,10 +406,15 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
// From here onwards, hostUsers=false and the feature gate is enabled.
// if the pod requested a user namespace and the runtime doesn't support user namespaces then return an error.
if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil {
return nil, err
} else if !handlerSupportsUserns {
return nil, fmt.Errorf("RuntimeClass handler %q does not support user namespaces", runtimeHandler)
if handlerSupportsUserns, err := m.kl.HandlerSupportsUserNamespaces(runtimeHandler); err != nil || !handlerSupportsUserns {
msg := "can't set `spec.hostUsers: false`, runtime does not support user namespaces"
if runtimeHandler != "" {
msg = fmt.Sprintf("can't set `spec.hostUsers: false`, RuntimeClass handler %q does not support user namespaces", runtimeHandler)
}
if err != nil {
return nil, fmt.Errorf("%v: %w", msg, err)
}
return nil, fmt.Errorf("%v", msg)
}
m.lock.Lock()
@ -424,12 +429,12 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
if string(content) != "" {
userNs, err = m.parseUserNsFileAndRecord(pod.UID, content)
if err != nil {
return nil, err
return nil, fmt.Errorf("user namespace: %w", err)
}
} else {
userNs, err = m.createUserNs(pod)
if err != nil {
return nil, err
return nil, fmt.Errorf("create user namespace: %w", err)
}
}
@ -480,7 +485,7 @@ func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runn
allFound := sets.New[string]()
found, err := m.kl.ListPodsFromDisk()
if err != nil {
return err
return fmt.Errorf("user namespace: read pods from disk: %w", err)
}
for _, podUID := range found {
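Review bot: In the first hunk (GetOrCreateUserNamespaceMappings), `return nil, fmt.Errorf("%v", msg)` formats a plain string for no gain; `return nil, errors.New(msg)` is the idiomatic form if the file already imports errors (otherwise `fmt.Errorf("%s", msg)`), and the wrapped variant reads better as `fmt.Errorf("%s: %w", msg, err)`. The two message literals also duplicate the "can't set spec.hostUsers: false" prefix; building the message as that prefix plus an optional handler clause keeps them from drifting apart. Quoting the handler name with %q is the right choice, since it echoes a user-supplied RuntimeClass name into the error. The function starts and ends outside the hunk.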