Merge pull request #44097 from feiskyer/hostpid

Automatic merge from submit-queue Fix container hostPid settings **What this PR does / why we need it**: HostPid is not set correctly for containers. **Which issue this PR fixes** Fixes #44041. **Special notes for your reviewer**: Should be cherry-picked into v1.6 branch. **Release note**: ```release-note Fix container hostPid settings. ``` cc @yujuhong @derekwaynecarr @unclejack @kubernetes/sig-node-pr-reviews
2025-07-30 15:05:27 +00:00 · 2017-04-05 16:24:49 -07:00 · 2017-04-05 16:24:49 -07:00 · 7b7257ac79
commit 7b7257ac79
parent 729859abcf 023fe48c98
3 changed files with 10 additions and 10 deletions
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@ -167,7 +167,6 @@ func modifyHostNetworkOptionForContainer(hostNetwork bool, sandboxID string, hc
 	hc.NetworkMode = dockercontainer.NetworkMode(sandboxNSMode)
 	hc.IpcMode = dockercontainer.IpcMode(sandboxNSMode)
 	hc.UTSMode = ""
-	hc.PidMode = ""

 	if hostNetwork {
 		hc.UTSMode = namespaceModeHost
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@ -306,6 +306,7 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 			expected: &dockercontainer.HostConfig{
 				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
 				IpcMode:     dockercontainer.IpcMode(sandboxNSMode),
+				PidMode:     namespaceModeHost,
 			},
 		},
 	}
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@ -41,24 +41,24 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	}

 	// set namespace options and supplemental groups.
-	podSc := pod.Spec.SecurityContext
-	if podSc == nil {
-		return synthesized
-	}
 	synthesized.NamespaceOptions = &runtimeapi.NamespaceOption{
 		HostNetwork: pod.Spec.HostNetwork,
 		HostIpc:     pod.Spec.HostIPC,
 		HostPid:     pod.Spec.HostPID,
 	}
-	if podSc.FSGroup != nil {
-		synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, *podSc.FSGroup)
+	podSc := pod.Spec.SecurityContext
+	if podSc != nil {
+		if podSc.FSGroup != nil {
+			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, *podSc.FSGroup)
+		}
+
+		if podSc.SupplementalGroups != nil {
+			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, podSc.SupplementalGroups...)
+		}
 	}
 	if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
 		synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...)
 	}
-	if podSc.SupplementalGroups != nil {
-		synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, podSc.SupplementalGroups...)
-	}

 	return synthesized
 }