kubelet: propagate errors from namespacesForPod
This is a preparatory change for the next commit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
parent
695b30e91c
commit
67b38ffe6e
@ -45,15 +45,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
|
|||||||
libcontainercgroups.IsCgroup2UnifiedMode() {
|
libcontainercgroups.IsCgroup2UnifiedMode() {
|
||||||
enforceMemoryQoS = true
|
enforceMemoryQoS = true
|
||||||
}
|
}
|
||||||
config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
|
cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
config.Linux = cl
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
|
// generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
|
||||||
func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig {
|
func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) {
|
||||||
|
sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
lc := &runtimeapi.LinuxContainerConfig{
|
lc := &runtimeapi.LinuxContainerConfig{
|
||||||
Resources: &runtimeapi.LinuxContainerResources{},
|
Resources: &runtimeapi.LinuxContainerResources{},
|
||||||
SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username),
|
SecurityContext: sc,
|
||||||
}
|
}
|
||||||
|
|
||||||
if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
|
if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
|
||||||
@ -124,7 +132,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return lc
|
return lc, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
|
// calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
|
||||||
|
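Review bot: The error from determineEffectiveSecurityContext is returned bare (`return nil, err` in generateLinuxContainerConfig), so a caller higher up the kubelet cannot tell which container or which step of config generation failed. Wrapping it, e.g. `return nil, fmt.Errorf("determining effective security context for container %q: %w", container.Name, err)`, keeps errors.Is/As working and gives the log line context; this assumes fmt is imported in the file, which the hunk does not show. The same unwrapped propagation appears in generatePodSandboxLinuxConfig and determineEffectiveSecurityContext further down this commit. The doc comment on generateLinuxContainerConfig could also state the new contract, e.g. `// It returns an error if the effective security context cannot be determined.` The body of generateLinuxContainerConfig continues outside the hunk.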
@ -47,6 +47,8 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
|
|||||||
restartCountUint32 := uint32(restartCount)
|
restartCountUint32 := uint32(restartCount)
|
||||||
envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
|
envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
|
||||||
|
|
||||||
|
l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)
|
||||||
|
|
||||||
expectedConfig := &runtimeapi.ContainerConfig{
|
expectedConfig := &runtimeapi.ContainerConfig{
|
||||||
Metadata: &runtimeapi.ContainerMetadata{
|
Metadata: &runtimeapi.ContainerMetadata{
|
||||||
Name: container.Name,
|
Name: container.Name,
|
||||||
@ -64,7 +66,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
|
|||||||
Stdin: container.Stdin,
|
Stdin: container.Stdin,
|
||||||
StdinOnce: container.StdinOnce,
|
StdinOnce: container.StdinOnce,
|
||||||
Tty: container.TTY,
|
Tty: container.TTY,
|
||||||
Linux: m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS),
|
Linux: l,
|
||||||
Envs: envs,
|
Envs: envs,
|
||||||
}
|
}
|
||||||
return expectedConfig
|
return expectedConfig
|
||||||
@ -215,7 +217,8 @@ func TestGenerateLinuxContainerConfigResources(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
linuxConfig := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
|
linuxConfig, err := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
|
||||||
|
assert.NoError(t, err)
|
||||||
assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
|
assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
|
||||||
assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
|
assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
|
||||||
assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
|
assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
|
||||||
@ -329,6 +332,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
|
|||||||
memoryLow int64
|
memoryLow int64
|
||||||
memoryHigh int64
|
memoryHigh int64
|
||||||
}
|
}
|
||||||
|
l1, _ := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)
|
||||||
|
l2, _ := m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true)
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
pod *v1.Pod
|
pod *v1.Pod
|
||||||
@ -338,7 +343,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
|
|||||||
name: "Request128MBLimit256MB",
|
name: "Request128MBLimit256MB",
|
||||||
pod: pod1,
|
pod: pod1,
|
||||||
expected: &expectedResult{
|
expected: &expectedResult{
|
||||||
m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true),
|
l1,
|
||||||
128 * 1024 * 1024,
|
128 * 1024 * 1024,
|
||||||
int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
|
int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
|
||||||
},
|
},
|
||||||
@ -347,7 +352,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
|
|||||||
name: "Request128MBWithoutLimit",
|
name: "Request128MBWithoutLimit",
|
||||||
pod: pod2,
|
pod: pod2,
|
||||||
expected: &expectedResult{
|
expected: &expectedResult{
|
||||||
m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true),
|
l2,
|
||||||
128 * 1024 * 1024,
|
128 * 1024 * 1024,
|
||||||
int64(pod2MemoryHigh),
|
int64(pod2MemoryHigh),
|
||||||
},
|
},
|
||||||
@ -355,7 +360,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
linuxConfig := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
|
linuxConfig, err := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
|
||||||
|
assert.NoError(t, err)
|
||||||
assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
|
assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
|
||||||
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
|
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
|
||||||
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
|
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
|
||||||
@ -577,7 +583,8 @@ func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
|
|||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
|
got, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
|
||||||
|
assert.NoError(t, err)
|
||||||
if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
|
if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
|
||||||
t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
|
t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
|
||||||
}
|
}
|
||||||
@ -668,7 +675,8 @@ func TestGenerateLinuxContainerConfigSwap(t *testing.T) {
|
|||||||
} {
|
} {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
m.memorySwapBehavior = tc.swapSetting
|
m.memorySwapBehavior = tc.swapSetting
|
||||||
actual := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
|
actual, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
|
||||||
|
assert.NoError(t, err)
|
||||||
assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
|
assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
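Review bot: makeExpectedConfig and TestGenerateContainerConfigWithMemoryQoSEnforced discard the new error (`l, _ :=`, `l1, _ :=`, `l2, _ :=`) while every other updated call site in this file checks it with assert.NoError; an error there would leave the expected config nil and make the later assert.Equal fail with a misleading diff instead of the real cause. In TestGenerateContainerConfigWithMemoryQoSEnforced `t` is in scope, so `l1, err := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)` followed by `assert.NoError(t, err)` (and the same for l2) keeps the test consistent. makeExpectedConfig's signature is cut off in the hunk header, so whether a *testing.T is available there cannot be told from here; if it is not, consider passing one or failing loudly on a non-nil error so the helper cannot silently produce a nil Linux config.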
@ -195,7 +195,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
|
|||||||
if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
|
if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
|
||||||
lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
|
lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
|
||||||
}
|
}
|
||||||
lc.SecurityContext.NamespaceOptions = runtimeutil.NamespacesForPod(pod)
|
namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
lc.SecurityContext.NamespaceOptions = namespaceOptions
|
||||||
|
|
||||||
if sc.FSGroup != nil && runtime.GOOS != "windows" {
|
if sc.FSGroup != nil && runtime.GOOS != "windows" {
|
||||||
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup))
|
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup))
|
||||||
|
@ -25,7 +25,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
|
// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
|
||||||
func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext {
|
func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
|
||||||
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
|
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
|
||||||
synthesized := convertToRuntimeSecurityContext(effectiveSc)
|
synthesized := convertToRuntimeSecurityContext(effectiveSc)
|
||||||
if synthesized == nil {
|
if synthesized == nil {
|
||||||
@ -53,7 +53,11 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
|
|||||||
}
|
}
|
||||||
|
|
||||||
// set namespace options and supplemental groups.
|
// set namespace options and supplemental groups.
|
||||||
synthesized.NamespaceOptions = runtimeutil.NamespacesForPod(pod)
|
namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
synthesized.NamespaceOptions = namespaceOptions
|
||||||
podSc := pod.Spec.SecurityContext
|
podSc := pod.Spec.SecurityContext
|
||||||
if podSc != nil {
|
if podSc != nil {
|
||||||
if podSc.FSGroup != nil {
|
if podSc.FSGroup != nil {
|
||||||
@ -75,7 +79,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
|
|||||||
synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
|
synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
|
||||||
synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
|
synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
|
||||||
|
|
||||||
return synthesized
|
return synthesized, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
|
// convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
|
||||||
|
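Review bot: The doc comment on determineEffectiveSecurityContext is not updated for the new `(*runtimeapi.LinuxContainerSecurityContext, error)` signature, so the one fact a caller needs — that it can now fail when NamespacesForPod returns an error — is undocumented. Suggest keeping the existing sentence and adding `// It returns an error if the pod's namespace options cannot be determined.` The `if synthesized == nil {` branch near the top of the function has its return outside the hunk; it presumably now returns two values, and it is worth confirming it returns `nil, nil` so callers such as generateLinuxContainerConfig, which dereference the result, see the same nil-context behaviour as before.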
@ -97,12 +97,12 @@ func PidNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
|
|||||||
return runtimeapi.NamespaceMode_CONTAINER
|
return runtimeapi.NamespaceMode_CONTAINER
|
||||||
}
|
}
|
||||||
|
|
||||||
// NamespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
|
// namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
|
||||||
// An empty or nil pod can be used to get the namespace defaults for v1.Pod.
|
// An empty or nil pod can be used to get the namespace defaults for v1.Pod.
|
||||||
func NamespacesForPod(pod *v1.Pod) *runtimeapi.NamespaceOption {
|
func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper) (*runtimeapi.NamespaceOption, error) {
|
||||||
return &runtimeapi.NamespaceOption{
|
return &runtimeapi.NamespaceOption{
|
||||||
Ipc: IpcNamespaceForPod(pod),
|
Ipc: IpcNamespaceForPod(pod),
|
||||||
Network: NetworkNamespaceForPod(pod),
|
Network: NetworkNamespaceForPod(pod),
|
||||||
Pid: PidNamespaceForPod(pod),
|
Pid: PidNamespaceForPod(pod),
|
||||||
}
|
}, nil
|
||||||
}
|
}
|
||||||
|
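Review bot: The doc comment is changed to `// namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.` while the function stays exported as NamespacesForPod, so the comment no longer starts with the declared name and godoc/golint will flag it; keep `// NamespacesForPod returns the runtimeapi.NamespaceOption for a given pod.` The new runtimeHelper parameter is unused in the body and the error result is always nil, which is consistent with the description calling this a preparatory change, but nothing tells a reader that; a line such as `// runtimeHelper is not yet used; it is reserved for a follow-up change.` would stop callers from guessing whether a nil helper is acceptable.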
@ -24,6 +24,7 @@ import (
|
|||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
|
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||||
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
||||||
|
kubecontainertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestPodSandboxChanged(t *testing.T) {
|
func TestPodSandboxChanged(t *testing.T) {
|
||||||
@ -222,7 +223,8 @@ func TestNamespacesForPod(t *testing.T) {
|
|||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
t.Run(desc, func(t *testing.T) {
|
t.Run(desc, func(t *testing.T) {
|
||||||
actual := NamespacesForPod(test.input)
|
actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{})
|
||||||
|
require.NoError(t, err)
|
||||||
require.Equal(t, test.expected, actual)
|
require.Equal(t, test.expected, actual)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|