Merge pull request #112961 from marosset/windows-hostnetwork-alpha

Windows hostnetwork alpha

pkg/features/kube_features.go

@@ -805,6 +805,13 @@ const (
 	// Allows kube-proxy to run in Overlay mode for Windows
 	WinOverlay featuregate.Feature = "WinOverlay"
 
+	// owner: @marosset
+	// kep: https://kep.k8s.io/3503
+	// alpha: v1.26
+	//
+	// Enables support for joining Windows containers to a hosts' network namespace.
+	WindowsHostNetwork featuregate.Feature = "WindowsHostNetwork"
+
 	// owner: @marosset
 	// alpha: v1.22
 	// beta: v1.23
@@ -1051,6 +1058,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	WinOverlay: {Default: true, PreRelease: featuregate.Beta},
 
+	WindowsHostNetwork: {Default: true, PreRelease: featuregate.Alpha},
+
 	WindowsHostProcessContainers: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
 
 	NodeInclusionPolicyInPodTopologySpread: {Default: false, PreRelease: featuregate.Alpha},

pkg/kubelet/kuberuntime/kuberuntime_sandbox.go

@@ -25,8 +25,10 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	kubetypes "k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
 	"k8s.io/kubernetes/pkg/kubelet/types"
@@ -232,6 +234,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod)
 		SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostNetwork) {
+		wc.SecurityContext.NamespaceOptions = &runtimeapi.WindowsNamespaceOption{}
+		if kubecontainer.IsHostNetworkPod(pod) {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_NODE
+		} else {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_POD
+		}
+	}
+
 	// If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field
 	// explicitly because the container runtime requires this information at sandbox creation time.
 	if kubecontainer.HasWindowsHostProcessContainer(pod) {

pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go

@@ -27,7 +27,10 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/features"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/runtimeclass"
 	rctest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
@@ -171,7 +174,7 @@ func newSeccompPod(podFieldProfile, containerFieldProfile *v1.SeccompProfile, po
 	return pod
 }
 
-func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
+func TestGeneratePodSandboxWindowsConfig_HostProcess(t *testing.T) {
 	_, _, m, err := createTestRuntimeManager()
 	require.NoError(t, err)
 
@@ -339,13 +342,93 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, false)()
 			pod := &v1.Pod{}
 			pod.Spec = *testCase.podSpec
 
 			wc, err := m.generatePodSandboxWindowsConfig(pod)
 
-			assert.Equal(t, wc, testCase.expectedWindowsConfig)
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
-			assert.Equal(t, err, testCase.expectedError)
+			assert.Equal(t, testCase.expectedError, err)
+		})
+	}
+}
+
+func TestGeneratePodSandboxWindowsConfig_HostNetwork(t *testing.T) {
+	_, _, m, err := createTestRuntimeManager()
+	require.NoError(t, err)
+
+	const containerName = "container"
+
+	testCases := []struct {
+		name                      string
+		hostNetworkFeatureEnabled bool
+		podSpec                   *v1.PodSpec
+		expectedWindowsConfig     *runtimeapi.WindowsPodSandboxConfig
+	}{
+		{
+			name:                      "feature disabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			},
+		},
+		{
+			name:                      "feature disabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			}},
+		{
+			name:                      "feature enabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_POD,
+					},
+				},
+			},
+		},
+		{
+			name:                      "feature enabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_NODE,
+					},
+				},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, testCase.hostNetworkFeatureEnabled)()
+			pod := &v1.Pod{}
+			pod.Spec = *testCase.podSpec
+
+			wc, err := m.generatePodSandboxWindowsConfig(pod)
+
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
+			assert.Equal(t, nil, err)
 		})
 	}
 }

staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto

@@ -900,6 +900,13 @@ message LinuxContainerConfig {
     LinuxContainerSecurityContext security_context = 2;
 }
 
+// WindowsNamespaceOption provides options for Windows namespaces.
+message WindowsNamespaceOption {
+    // Network namespace for this container/sandbox.
+    // Namespaces currently set by the kubelet: POD, NODE
+    NamespaceMode network = 1;
+}
+
 // WindowsSandboxSecurityContext holds platform-specific configurations that will be
 // applied to a sandbox.
 // These settings will only apply to the sandbox container.
@@ -914,6 +921,9 @@ message WindowsSandboxSecurityContext {
 
     // Indicates whether the container requested to run as a HostProcess container.
     bool host_process = 3;
+
+    // Configuration for the sandbox's namespaces
+    WindowsNamespaceOption namespace_options = 4;
 }
 
 // WindowsPodSandboxConfig holds platform-specific configurations for Windows