github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 07:20:13 +00:00
Code Issues Projects Releases Wiki Activity

Enforce the Minimum Kernel Version 6.3 for UserNamespacesSupport feature

Browse Source 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas 2024-05-07 15:57:47 -04:00
parent 2aff7dbc52
commit 8597b343fa
No known key found for this signature in database
GPG Key ID: 80D83A796103BF59
2 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/kubelet/kubelet_pods.go
View File

@ -41,6 +41,7 @@ import (
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
utilvalidation "k8s.io/apimachinery/pkg/util/validation" utilvalidation "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/apimachinery/pkg/util/version"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
"k8s.io/klog/v2" "k8s.io/klog/v2"
@ -62,6 +63,7 @@ import (
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/kubelet/util" "k8s.io/kubernetes/pkg/kubelet/util"
utilfs "k8s.io/kubernetes/pkg/util/filesystem" utilfs "k8s.io/kubernetes/pkg/util/filesystem"
utilkernel "k8s.io/kubernetes/pkg/util/kernel"
utilpod "k8s.io/kubernetes/pkg/util/pod" utilpod "k8s.io/kubernetes/pkg/util/pod"
volumeutil "k8s.io/kubernetes/pkg/volume/util" volumeutil "k8s.io/kubernetes/pkg/volume/util"
"k8s.io/kubernetes/pkg/volume/util/hostutil" "k8s.io/kubernetes/pkg/volume/util/hostutil"
@ -130,6 +132,17 @@ func (kl *Kubelet) getKubeletMappings() (uint32, uint32, error) {
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
return defaultFirstID, defaultLen, nil return defaultFirstID, defaultLen, nil
} else {
kernelVersion, err := utilkernel.GetVersion()
if err != nil {
return 0, 0, fmt.Errorf("failed to get kernel version, unable to determine if feature %s can be supported : %w",
features.UserNamespacesSupport, err)
}
if kernelVersion != nil && !kernelVersion.AtLeast(version.MustParseGeneric(utilkernel.UserNamespacesSupportKernelVersion)) {
return 0, 0, fmt.Errorf(
"the kernel version (%s) is incompatible with the %s feature gate, which needs %s as a minimum kernel version",
kernelVersion, features.UserNamespacesSupport, utilkernel.UserNamespacesSupportKernelVersion)
}
} }
_, err := user.Lookup(kubeletUser) _, err := user.Lookup(kubeletUser)

4
pkg/util/kernel/constants.go
View File

@ -43,3 +43,7 @@ const TCPFinTimeoutNamespacedKernelVersion = "4.6"
// IPVSConnReuseModeFixedKernelVersion is the kernel version in which net.ipv4.vs.conn_reuse_mode was fixed. // IPVSConnReuseModeFixedKernelVersion is the kernel version in which net.ipv4.vs.conn_reuse_mode was fixed.
// (ref: https://github.com/torvalds/linux/commit/35dfb013149f74c2be1ff9c78f14e6a3cd1539d1) // (ref: https://github.com/torvalds/linux/commit/35dfb013149f74c2be1ff9c78f14e6a3cd1539d1)
const IPVSConnReuseModeFixedKernelVersion = "5.9" const IPVSConnReuseModeFixedKernelVersion = "5.9"
// UserNamespacesSupportKernelVersion is the kernel version where idmap for tmpfs support was added
// (ref: https://github.com/torvalds/linux/commit/05e6295f7b5e05f09e369a3eb2882ec5b40fff20)
const UserNamespacesSupportKernelVersion = "6.3"