From 8963e73f1209085d4afca4c9c3821a8d506764df Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Wed, 13 Mar 2024 15:54:46 +0900
Subject: [PATCH] kubelet: fix mixing up runtime classes with runtime handlers

Fix issue 123906
Signed-off-by: Akihiro Suda
---
 pkg/kubelet/kubelet_pods.go | 20 +++++++++++--------
 .../kuberuntime/kuberuntime_sandbox.go | 2 +-
 pkg/kubelet/kuberuntime/security_context.go | 2 +-
 pkg/kubelet/kuberuntime/util/util.go | 15 +++++++++++---
 pkg/kubelet/kuberuntime/util/util_test.go | 2 +-
 5 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 8f520a8fd3f..8ad7be79393 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -2445,28 +2445,32 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(pcm cm.PodContainerManager, cgroupP
 }
 
 func (kl *Kubelet) runtimeClassSupportsRecursiveReadOnlyMounts(pod *v1.Pod) bool {
- var runtimeClassName string
- if pod.Spec.RuntimeClassName != nil {
- runtimeClassName = *pod.Spec.RuntimeClassName
+ if kl.runtimeClassManager == nil {
+ return false
+ }
+ runtimeHandlerName, err := kl.runtimeClassManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
+ if err != nil {
+ klog.ErrorS(err, "failed to look up the runtime handler", "runtimeClassName", pod.Spec.RuntimeClassName)
+ return false
 }
 runtimeHandlers := kl.runtimeState.runtimeHandlers()
- return runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName, runtimeHandlers)
+ return runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName, runtimeHandlers)
 }
 
-// runtimeClassSupportsRecursiveReadOnlyMounts checks whether the runtime class supports recursive read-only mounts.
+// runtimeHandlerSupportsRecursiveReadOnlyMounts checks whether the runtime handler supports recursive read-only mounts.
 // The kubelet feature gate is not checked here.
-func runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool {
+func runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool {
 if len(runtimeHandlers) == 0 {
 // The runtime does not support returning the handler list.
 // No need to print a warning here.
 return false
 }
 for _, h := range runtimeHandlers {
- if h.Name == runtimeClassName {
+ if h.Name == runtimeHandlerName {
 return h.SupportsRecursiveReadOnlyMounts
 }
 }
- klog.ErrorS(nil, "unknown runtime class", "runtimeClassName", runtimeClassName)
+ klog.ErrorS(nil, "Unknown runtime handler", "runtimeHandlerName", runtimeHandlerName)
 return false
 }
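Review bot: `pod.Spec.RuntimeClassName` is a `*string`, so the new `klog.ErrorS(err, "failed to look up the runtime handler", ...)` line renders a pointer address rather than the class name, which makes the error unactionable when a pod references a RuntimeClass that does not exist; log the pod instead, e.g. `klog.ErrorS(err, "Failed to look up the runtime handler", "pod", klog.KObj(pod))`, or dereference the name behind a nil guard. That message also starts lowercase while the rewritten `"Unknown runtime handler"` message in the same hunk follows the capitalised convention, so the two should agree. Returning false when the manager is nil or the lookup fails is the safe direction, since the caller then treats the handler as not supporting recursive read-only mounts; if this function runs on every pod sync, an error-level line per call for a misconfigured pod may be noisy, so consider whether a lower verbosity or rate limiting is warranted.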
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index c55f076ec43..abf5e5cb8b5 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -193,7 +193,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
 lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
 }
- namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
+ namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index 37f079bdd79..96879b812fe 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -55,7 +55,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 }
 
 // set namespace options and supplemental groups.
- namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper)
+ namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/kubelet/kuberuntime/util/util.go b/pkg/kubelet/kuberuntime/util/util.go
index c01f82e83c8..e980fd1ba20 100644
--- a/pkg/kubelet/kuberuntime/util/util.go
+++ b/pkg/kubelet/kuberuntime/util/util.go
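Review bot: Passing `m.runtimeClassManager` directly into the new `RuntimeHandlerResolver` parameter is a nil-interface trap if that field is a concrete pointer type, which the explicit `kl.runtimeClassManager == nil` check in the kubelet_pods.go hunk suggests it can be: a nil pointer stored in a non-nil interface value passes the `rcManager != nil` guard inside NamespacesForPod, and `LookupRuntimeHandler` is then invoked on a nil receiver. The field's declaration is outside this hunk, so this is inferred rather than confirmed; the same call site appears in the security_context.go hunk below and needs the same treatment. Either guard at the call site as sketched below, or make the manager's methods tolerate a nil receiver and document that. Both enclosing functions start and end outside their hunks.
```go
	// A typed-nil *Manager inside a non-nil interface would defeat the
	// rcManager != nil guard in NamespacesForPod, so convert explicitly.
	var rcManager runtimeutil.RuntimeHandlerResolver
	if m.runtimeClassManager != nil {
		rcManager = m.runtimeClassManager
	}
	namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, rcManager)
	// … unchanged: error check …
```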
@@ -97,12 +97,21 @@ func PidNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
 return runtimeapi.NamespaceMode_CONTAINER
 }
 
+// LookupRuntimeHandler is implemented by *runtimeclass.Manager.
+type RuntimeHandlerResolver interface {
+ LookupRuntimeHandler(runtimeClassName *string) (string, error)
+}
+
 // namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
 // An empty or nil pod can be used to get the namespace defaults for v1.Pod.
-func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper) (*runtimeapi.NamespaceOption, error) {
+func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper, rcManager RuntimeHandlerResolver) (*runtimeapi.NamespaceOption, error) {
 runtimeHandler := ""
- if pod != nil && pod.Spec.RuntimeClassName != nil {
- runtimeHandler = *pod.Spec.RuntimeClassName
+ if pod != nil && rcManager != nil {
+ var err error
+ runtimeHandler, err = rcManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
+ if err != nil {
+ return nil, err
+ }
 }
 userNs, err := runtimeHelper.GetOrCreateUserNamespaceMappings(pod, runtimeHandler)
 if err != nil {
diff --git a/pkg/kubelet/kuberuntime/util/util_test.go b/pkg/kubelet/kuberuntime/util/util_test.go
index 7a96e23fa2e..eeaca1fcc56 100644
--- a/pkg/kubelet/kuberuntime/util/util_test.go
+++ b/pkg/kubelet/kuberuntime/util/util_test.go
@@ -223,7 +223,7 @@ func TestNamespacesForPod(t *testing.T) {
 },
 } {
 t.Run(desc, func(t *testing.T) {
- actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{})
+ actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{}, nil)
 require.NoError(t, err)
 require.Equal(t, test.expected, actual)
 })
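Review bot: The doc comment on the new exported interface describes the method rather than the type, so it should start with the type name, e.g. `// RuntimeHandlerResolver maps a pod's RuntimeClass name to the CRI runtime handler name; *runtimeclass.Manager implements it.`, and a one-line comment on `LookupRuntimeHandler` should say what a nil or empty name resolves to, since NamespacesForPod passes `pod.Spec.RuntimeClassName` through unconditionally. The new `pod != nil && rcManager != nil` condition silently ignores a set `RuntimeClassName` when no resolver is supplied, so the handler passed to `GetOrCreateUserNamespaceMappings` becomes `""` in that case; whether that fallback is intended is not visible here, and the function's comment should state it either way (the existing `// namespacesForPod` comment is also stale against the exported name). NamespacesForPod's body continues past the end of the hunk.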
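Review bot: Every case in TestNamespacesForPod now passes `nil` for the resolver, so the branch this commit introduces — the lookup through `rcManager` and the `return nil, err` when it fails — has no coverage, and a future regression in how the handler name reaches `GetOrCreateUserNamespaceMappings` would go unnoticed. A small fake implementing `RuntimeHandlerResolver` in the test (a map from class name to handler plus an optional error) would let the table add cases for a resolved handler, an unknown class returning an error, and a nil `RuntimeClassName`. The test function starts outside the hunk.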