From 556d713a4ad3a1f34d9eac8590468f33f3ec0cb2 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 15 Jun 2023 17:24:57 +0200
Subject: [PATCH] apis: drop check for volumes with user namespaces

The second phase of user namespaces support was related to supporting only stateless pods. Since the changes were accepted for the KEP, now the scope is extended to support stateful pods as well. Remove the check that blocks creating PODs with volumes when using user namespaces.

Signed-off-by: Giuseppe Scrivano
---
 pkg/apis/core/validation/validation.go | 19 -------------------
 pkg/apis/core/validation/validation_test.go | 5 ++---
 2 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index 6502d9c210a..96f6be0839c 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -3256,25 +3256,6 @@ func validateHostUsers(spec *core.PodSpec, fldPath *field.Path) field.ErrorList
 return allErrs
 }
 
- // For now only these volumes are supported:
- // - configmap
- // - secret
- // - downwardAPI
- // - emptyDir
- // - projected
- // So reject anything else.
- for i, vol := range spec.Volumes {
- switch {
- case vol.EmptyDir != nil:
- case vol.Secret != nil:
- case vol.DownwardAPI != nil:
- case vol.ConfigMap != nil:
- case vol.Projected != nil:
- default:
- allErrs = append(allErrs, field.Forbidden(fldPath.Child("volumes").Index(i), "volume type not supported when `pod.Spec.HostUsers` is false"))
- }
- }
-
 // We decided to restrict the usage of userns with other host namespaces:
 // https://github.com/kubernetes/kubernetes/pull/111090#discussion_r935994282
 // The tl;dr is: you can easily run into permission issues that seem unexpected, we don't
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index 7474473f816..46167e32f49 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -21780,8 +21780,8 @@ func TestValidateHostUsers(t *testing.T) {
 }},
 },
 }, {
- name: "hostUsers=false - unsupported volume",
- success: false,
+ name: "hostUsers=false - stateful volume",
+ success: true,
 spec: &core.PodSpec{
 SecurityContext: &core.PodSecurityContext{
 HostUsers: &falseVar,
@@ -21794,7 +21794,6 @@ func TestValidateHostUsers(t *testing.T) {
 }},
 },
 }, {
- // It should ignore unsupported volumes with hostUsers=true.
 name: "hostUsers=true - unsupported volume",
 success: true,
 spec: &core.PodSpec{
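Review bot: The case renamed to `hostUsers=false - stateful volume` now asserts that validation accepts this volume in a user-namespaced pod, but nothing next to it records that the volume-type allowlist was dropped deliberately. I would add a comment above its `name:` line such as `// validateHostUsers no longer restricts volume types; a pod with hostUsers=false and any volume must pass API validation.` It may also be worth noting there that passing validation says nothing about whether the node can present the volume with correct ownership inside the user namespace; that is inferred from the commit message, not visible in these lines. In the second hunk the entry keeps the name `hostUsers=true - unsupported volume` after its explanatory comment is removed, and "unsupported" no longer matches any rule in validateHostUsers; `name: "hostUsers=true - stateful volume",` would be consistent. Both table entries continue outside the hunks, so the volume type they use cannot be checked from here.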