kubelet: propagate errors from namespacesForPod

It is a preparatory change for the next commit.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano 2022-07-08 11:43:05 +02:00 committed by Rodrigo Campos
parent 695b30e91c
commit 67b38ffe6e
6 changed files with 45 additions and 19 deletions


@ -45,15 +45,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
libcontainercgroups.IsCgroup2UnifiedMode() { libcontainercgroups.IsCgroup2UnifiedMode() {
enforceMemoryQoS = true enforceMemoryQoS = true
} }
config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS) cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
if err != nil {
return err
}
config.Linux = cl
return nil return nil
} }
// generateLinuxContainerConfig generates linux container config for kubelet runtime v1. // generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig { func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) {
sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username)
if err != nil {
return nil, err
}
lc := &runtimeapi.LinuxContainerConfig{ lc := &runtimeapi.LinuxContainerConfig{
Resources: &runtimeapi.LinuxContainerResources{}, Resources: &runtimeapi.LinuxContainerResources{},
SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username), SecurityContext: sc,
} }
if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER { if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
@ -124,7 +132,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C
} }
} }
return lc return lc, nil
} }
// calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits // calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
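Review bot: The doc comment on generateLinuxContainerConfig (the line before the new signature) still describes only the config it builds, although the function now also returns the error from determineEffectiveSecurityContext and callers must handle it; the same applies to the comment on determineEffectiveSecurityContext in the security-context file, whose signature gains an error in the same way. I would extend the first to `// generateLinuxContainerConfig generates linux container config for kubelet runtime v1. It returns an error when the effective security context cannot be determined.` and the second with a matching sentence naming the NamespacesForPod call as the error source. Both function bodies continue outside the visible hunks, so nothing else in them is reviewed here.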


@ -47,6 +47,8 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
restartCountUint32 := uint32(restartCount) restartCountUint32 := uint32(restartCount)
envs := make([]*runtimeapi.KeyValue, len(opts.Envs)) envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)
expectedConfig := &runtimeapi.ContainerConfig{ expectedConfig := &runtimeapi.ContainerConfig{
Metadata: &runtimeapi.ContainerMetadata{ Metadata: &runtimeapi.ContainerMetadata{
Name: container.Name, Name: container.Name,
@ -64,7 +66,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
Stdin: container.Stdin, Stdin: container.Stdin,
StdinOnce: container.StdinOnce, StdinOnce: container.StdinOnce,
Tty: container.TTY, Tty: container.TTY,
Linux: m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS), Linux: l,
Envs: envs, Envs: envs,
} }
return expectedConfig return expectedConfig
@ -215,7 +217,8 @@ func TestGenerateLinuxContainerConfigResources(t *testing.T) {
}, },
} }
linuxConfig := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false) linuxConfig, err := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
assert.NoError(t, err)
assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name) assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name) assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name) assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
@ -329,6 +332,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
memoryLow int64 memoryLow int64
memoryHigh int64 memoryHigh int64
} }
l1, _ := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)
l2, _ := m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true)
tests := []struct { tests := []struct {
name string name string
pod *v1.Pod pod *v1.Pod
@ -338,7 +343,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
name: "Request128MBLimit256MB", name: "Request128MBLimit256MB",
pod: pod1, pod: pod1,
expected: &expectedResult{ expected: &expectedResult{
m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true), l1,
128 * 1024 * 1024, 128 * 1024 * 1024,
int64(float64(256*1024*1024) * m.memoryThrottlingFactor), int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
}, },
@ -347,7 +352,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
name: "Request128MBWithoutLimit", name: "Request128MBWithoutLimit",
pod: pod2, pod: pod2,
expected: &expectedResult{ expected: &expectedResult{
m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true), l2,
128 * 1024 * 1024, 128 * 1024 * 1024,
int64(pod2MemoryHigh), int64(pod2MemoryHigh),
}, },
@ -355,7 +360,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
linuxConfig := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true) linuxConfig, err := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
assert.NoError(t, err)
assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name) assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name) assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name) assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
@ -577,7 +583,8 @@ func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
}, },
} { } {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false) got, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
assert.NoError(t, err)
if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" { if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff) t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
} }
@ -668,7 +675,8 @@ func TestGenerateLinuxContainerConfigSwap(t *testing.T) {
} { } {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
m.memorySwapBehavior = tc.swapSetting m.memorySwapBehavior = tc.swapSetting
actual := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false) actual, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
assert.NoError(t, err)
assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name) assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
}) })
} }
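Review bot: The error from generateLinuxContainerConfig is discarded at three of the new call sites (`l, _ :=` in makeExpectedConfig and `l1, _ :=` / `l2, _ :=` in TestGenerateContainerConfigWithMemoryQoSEnforced), while every other updated call in this file asserts it with `assert.NoError(t, err)`. Once NamespacesForPod can actually fail, a failure there would surface only as a confusing nil-config diff in the later Equal assertions instead of a clear failure at the source. In the MemoryQoS test `t` is in scope, so `assert.NoError(t, err)` can follow each of the two calls; makeExpectedConfig's parameter list is cut off in the hunk, so it may need `t *testing.T` threaded through (or to return the error) before the same check fits there.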


@ -195,7 +195,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
if sc.RunAsGroup != nil && runtime.GOOS != "windows" { if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)} lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
} }
lc.SecurityContext.NamespaceOptions = runtimeutil.NamespacesForPod(pod) namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
if err != nil {
return nil, err
}
lc.SecurityContext.NamespaceOptions = namespaceOptions
if sc.FSGroup != nil && runtime.GOOS != "windows" { if sc.FSGroup != nil && runtime.GOOS != "windows" {
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup)) lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup))
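Review bot: The error from runtimeutil.NamespacesForPod is returned bare (`return nil, err`) from generatePodSandboxLinuxConfig, so once the helper starts failing in the next commit the caller cannot tell which pod-level step broke; the same shape appears in determineEffectiveSecurityContext in the security-context file. Wrapping it at both sites as `return nil, fmt.Errorf("determining pod namespaces: %w", err)` keeps errors.Is/As working and names the step, assuming fmt is already imported in those files (the import blocks are outside the hunks). Failing closed by not producing a sandbox config when the namespace options cannot be determined is the right behaviour here, since those options govern host PID/IPC/network sharing. The enclosing function starts and ends outside the hunk.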


@ -25,7 +25,7 @@ import (
) )
// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container. // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext { func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container) effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
synthesized := convertToRuntimeSecurityContext(effectiveSc) synthesized := convertToRuntimeSecurityContext(effectiveSc)
if synthesized == nil { if synthesized == nil {
@ -53,7 +53,11 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
} }
// set namespace options and supplemental groups. // set namespace options and supplemental groups.
synthesized.NamespaceOptions = runtimeutil.NamespacesForPod(pod) namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
if err != nil {
return nil, err
}
synthesized.NamespaceOptions = namespaceOptions
podSc := pod.Spec.SecurityContext podSc := pod.Spec.SecurityContext
if podSc != nil { if podSc != nil {
if podSc.FSGroup != nil { if podSc.FSGroup != nil {
@ -75,7 +79,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount) synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount) synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
return synthesized return synthesized, nil
} }
// convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext. // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.


@ -97,12 +97,12 @@ func PidNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
return runtimeapi.NamespaceMode_CONTAINER return runtimeapi.NamespaceMode_CONTAINER
} }
// NamespacesForPod returns the runtimeapi.NamespaceOption for a given pod. // namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
// An empty or nil pod can be used to get the namespace defaults for v1.Pod. // An empty or nil pod can be used to get the namespace defaults for v1.Pod.
func NamespacesForPod(pod *v1.Pod) *runtimeapi.NamespaceOption { func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper) (*runtimeapi.NamespaceOption, error) {
return &runtimeapi.NamespaceOption{ return &runtimeapi.NamespaceOption{
Ipc: IpcNamespaceForPod(pod), Ipc: IpcNamespaceForPod(pod),
Network: NetworkNamespaceForPod(pod), Network: NetworkNamespaceForPod(pod),
Pid: PidNamespaceForPod(pod), Pid: PidNamespaceForPod(pod),
} }, nil
} }
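Review bot: The doc comment was changed to start with `namespacesForPod` while the function is still the exported `NamespacesForPod`, so it no longer begins with the name it documents and the new runtimeHelper parameter is not described. I would restore `// NamespacesForPod returns the runtimeapi.NamespaceOption for a given pod.` and add a sentence along the lines of "runtimeHelper is not consulted yet; it is accepted so the signature is ready for the follow-up change that will use it", since the visible body neither reads the helper nor returns a non-nil error. Documenting that the parameter is currently unused also tells readers that passing a nil helper is harmless for now, which the test in this commit does not rely on but callers may.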


@ -24,6 +24,7 @@ import (
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
kubecontainertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
) )
func TestPodSandboxChanged(t *testing.T) { func TestPodSandboxChanged(t *testing.T) {
@ -222,7 +223,8 @@ func TestNamespacesForPod(t *testing.T) {
}, },
} { } {
t.Run(desc, func(t *testing.T) { t.Run(desc, func(t *testing.T) {
actual := NamespacesForPod(test.input) actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{})
require.NoError(t, err)
require.Equal(t, test.expected, actual) require.Equal(t, test.expected, actual)
}) })
} }