github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #130138 from rata/userns-enabled-by-default

Browse Source 
features: Enable user namespaces by default
This commit is contained in:
Kubernetes Prow Robot 2025-03-12 20:13:48 -07:00 committed by GitHub
commit 761f5646be
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/features/versioned_kube_features.go
View File

@ -808,6 +808,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
UserNamespacesSupport: {
{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
},
VolumeAttributesClass: {

5
pkg/kubelet/kubelet_test.go
View File

@ -97,6 +97,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/sysctl"
"k8s.io/kubernetes/pkg/kubelet/token"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/kubelet/userns"
kubeletutil "k8s.io/kubernetes/pkg/kubelet/util"
"k8s.io/kubernetes/pkg/kubelet/util/queue"
kubeletvolume "k8s.io/kubernetes/pkg/kubelet/volumemanager"
@ -371,6 +372,10 @@ func newTestKubeletWithImageList(
ShutdownGracePeriodCriticalPods: 0,
})
kubelet.shutdownManager = shutdownManager
kubelet.usernsManager, err = userns.MakeUserNsManager(kubelet)
if err != nil {
t.Fatalf("Failed to create UserNsManager: %v", err)
}
kubelet.admitHandlers.AddPodAdmitHandler(shutdownManager)
// Add this as cleanup predicate pod admitter

8
test/e2e_node/proc_mount_test.go
View File

@ -41,7 +41,7 @@ var _ = SIGDescribe("DefaultProcMount [LinuxOnly]", framework.WithNodeConformanc
f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
ginkgo.It("will mask proc mounts by default", func(ctx context.Context) {
testProcMount(ctx, f, v1.DefaultProcMount, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
testProcMount(ctx, f, v1.DefaultProcMount, true, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
})
})
@ -85,11 +85,11 @@ var _ = SIGDescribe("ProcMount [LinuxOnly]", feature.ProcMountType, feature.User
if !supportsUserNS(ctx, f) {
e2eskipper.Skipf("runtime does not support user namespaces")
}
testProcMount(ctx, f, v1.UnmaskedProcMount, gomega.Equal(1), gomega.BeZero())
testProcMount(ctx, f, v1.UnmaskedProcMount, false, gomega.Equal(1), gomega.BeZero())
})
})
func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, hostUsers bool, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
ginkgo.By("creating a target pod")
podClient := e2epod.NewPodClient(f)
pod := podClient.CreateSync(ctx, &v1.Pod{
@ -106,7 +106,7 @@ func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMount
},
},
},
HostUsers: &falseVar,
HostUsers: &hostUsers,
},
})

4
test/featuregates_linter/test_data/versioned_feature_list.yaml
View File

@ -1520,6 +1520,10 @@
lockToDefault: false
preRelease: Beta
version: "1.30"
- default: true
lockToDefault: false
preRelease: Beta
version: "1.33"
- name: VolumeAttributesClass
versionedSpecs:
- default: false