kubelet: fix mixing up runtime classes with runtime handlers

Fix issue 123906 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-08-09 12:07:47 +00:00 · 2024-03-13 15:54:46 +09:00 · 2024-03-13 15:54:46 +09:00 · 8963e73f12
commit 8963e73f12
parent 1dc05009fe
5 changed files with 27 additions and 14 deletions
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@ -2445,28 +2445,32 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(pcm cm.PodContainerManager, cgroupP
 }

 func (kl *Kubelet) runtimeClassSupportsRecursiveReadOnlyMounts(pod *v1.Pod) bool {
-	var runtimeClassName string
-	if pod.Spec.RuntimeClassName != nil {
-		runtimeClassName = *pod.Spec.RuntimeClassName
+	if kl.runtimeClassManager == nil {
+		return false
+	}
+	runtimeHandlerName, err := kl.runtimeClassManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
+	if err != nil {
+		klog.ErrorS(err, "failed to look up the runtime handler", "runtimeClassName", pod.Spec.RuntimeClassName)
+		return false
 	}
 	runtimeHandlers := kl.runtimeState.runtimeHandlers()
-	return runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName, runtimeHandlers)
+	return runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName, runtimeHandlers)
 }

-// runtimeClassSupportsRecursiveReadOnlyMounts checks whether the runtime class supports recursive read-only mounts.
+// runtimeHandlerSupportsRecursiveReadOnlyMounts checks whether the runtime handler supports recursive read-only mounts.
 // The kubelet feature gate is not checked here.
-func runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool {
+func runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool {
 	if len(runtimeHandlers) == 0 {
 		// The runtime does not support returning the handler list.
 		// No need to print a warning here.
 		return false
 	}
 	for _, h := range runtimeHandlers {
-		if h.Name == runtimeClassName {
+		if h.Name == runtimeHandlerName {
 			return h.SupportsRecursiveReadOnlyMounts
 		}
 	}
-	klog.ErrorS(nil, "unknown runtime class", "runtimeClassName", runtimeClassName)
+	klog.ErrorS(nil, "Unknown runtime handler", "runtimeHandlerName", runtimeHandlerName)
 	return false
 }

--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -193,7 +193,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 		if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
 			lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
 		}
-		namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
+		namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@ -55,7 +55,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	}

 	// set namespace options and supplemental groups.
-	namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
+	namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/kubelet/kuberuntime/util/util.go
+++ b/pkg/kubelet/kuberuntime/util/util.go
@ -97,12 +97,21 @@ func PidNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
 	return runtimeapi.NamespaceMode_CONTAINER
 }

+// LookupRuntimeHandler is implemented by *runtimeclass.Manager.
+type RuntimeHandlerResolver interface {
+	LookupRuntimeHandler(runtimeClassName *string) (string, error)
+}
+
 // namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
 // An empty or nil pod can be used to get the namespace defaults for v1.Pod.
-func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper) (*runtimeapi.NamespaceOption, error) {
+func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper, rcManager RuntimeHandlerResolver) (*runtimeapi.NamespaceOption, error) {
 	runtimeHandler := ""
-	if pod != nil && pod.Spec.RuntimeClassName != nil {
-		runtimeHandler = *pod.Spec.RuntimeClassName
+	if pod != nil && rcManager != nil {
+		var err error
+		runtimeHandler, err = rcManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
+		if err != nil {
+			return nil, err
+		}
 	}
 	userNs, err := runtimeHelper.GetOrCreateUserNamespaceMappings(pod, runtimeHandler)
 	if err != nil {
--- a/pkg/kubelet/kuberuntime/util/util_test.go
+++ b/pkg/kubelet/kuberuntime/util/util_test.go
@ -223,7 +223,7 @@ func TestNamespacesForPod(t *testing.T) {
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
-			actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{})
+			actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{}, nil)
 			require.NoError(t, err)
 			require.Equal(t, test.expected, actual)
 		})