github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-11 13:02:14 +00:00
Code Issues Projects Releases Wiki Activity

kubelet: fix mixing up runtime classes with runtime handlers

Browse Source 
Fix issue 123906

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2024-03-13 15:54:46 +09:00
parent 1dc05009fe
commit 8963e73f12
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
5 changed files with 27 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/kubelet/kubelet_pods.go
View File

@ -2445,28 +2445,32 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(pcm cm.PodContainerManager, cgroupP
} }
func (kl *Kubelet) runtimeClassSupportsRecursiveReadOnlyMounts(pod *v1.Pod) bool { func (kl *Kubelet) runtimeClassSupportsRecursiveReadOnlyMounts(pod *v1.Pod) bool {
var runtimeClassName string if kl.runtimeClassManager == nil {
if pod.Spec.RuntimeClassName != nil { return false
runtimeClassName = *pod.Spec.RuntimeClassName }
runtimeHandlerName, err := kl.runtimeClassManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
if err != nil {
klog.ErrorS(err, "failed to look up the runtime handler", "runtimeClassName", pod.Spec.RuntimeClassName)
return false
} }
runtimeHandlers := kl.runtimeState.runtimeHandlers() runtimeHandlers := kl.runtimeState.runtimeHandlers()
return runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName, runtimeHandlers) return runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName, runtimeHandlers)
} }
// runtimeClassSupportsRecursiveReadOnlyMounts checks whether the runtime class supports recursive read-only mounts. // runtimeHandlerSupportsRecursiveReadOnlyMounts checks whether the runtime handler supports recursive read-only mounts.
// The kubelet feature gate is not checked here. // The kubelet feature gate is not checked here.
func runtimeClassSupportsRecursiveReadOnlyMounts(runtimeClassName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool { func runtimeHandlerSupportsRecursiveReadOnlyMounts(runtimeHandlerName string, runtimeHandlers []kubecontainer.RuntimeHandler) bool {
if len(runtimeHandlers) == 0 { if len(runtimeHandlers) == 0 {
// The runtime does not support returning the handler list. // The runtime does not support returning the handler list.
// No need to print a warning here. // No need to print a warning here.
return false return false
} }
for _, h := range runtimeHandlers { for _, h := range runtimeHandlers {
if h.Name == runtimeClassName { if h.Name == runtimeHandlerName {
return h.SupportsRecursiveReadOnlyMounts return h.SupportsRecursiveReadOnlyMounts
} }
} }
klog.ErrorS(nil, "unknown runtime class", "runtimeClassName", runtimeClassName) klog.ErrorS(nil, "Unknown runtime handler", "runtimeHandlerName", runtimeHandlerName)
return false return false
} }

2
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View File

@ -193,7 +193,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
if sc.RunAsGroup != nil && runtime.GOOS != "windows" { if sc.RunAsGroup != nil && runtime.GOOS != "windows" {
lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)} lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
} }
namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper) namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
pkg/kubelet/kuberuntime/security_context.go
View File

@ -55,7 +55,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
} }
// set namespace options and supplemental groups. // set namespace options and supplemental groups.
namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper) namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
if err != nil { if err != nil {
return nil, err return nil, err
} }

15
pkg/kubelet/kuberuntime/util/util.go
View File

@ -97,12 +97,21 @@ func PidNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
return runtimeapi.NamespaceMode_CONTAINER return runtimeapi.NamespaceMode_CONTAINER
} }
// LookupRuntimeHandler is implemented by *runtimeclass.Manager.
type RuntimeHandlerResolver interface {
LookupRuntimeHandler(runtimeClassName *string) (string, error)
}
// namespacesForPod returns the runtimeapi.NamespaceOption for a given pod. // namespacesForPod returns the runtimeapi.NamespaceOption for a given pod.
// An empty or nil pod can be used to get the namespace defaults for v1.Pod. // An empty or nil pod can be used to get the namespace defaults for v1.Pod.
func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper) (*runtimeapi.NamespaceOption, error) { func NamespacesForPod(pod *v1.Pod, runtimeHelper kubecontainer.RuntimeHelper, rcManager RuntimeHandlerResolver) (*runtimeapi.NamespaceOption, error) {
runtimeHandler := "" runtimeHandler := ""
if pod != nil && pod.Spec.RuntimeClassName != nil { if pod != nil && rcManager != nil {
runtimeHandler = *pod.Spec.RuntimeClassName var err error
runtimeHandler, err = rcManager.LookupRuntimeHandler(pod.Spec.RuntimeClassName)
if err != nil {
return nil, err
}
} }
userNs, err := runtimeHelper.GetOrCreateUserNamespaceMappings(pod, runtimeHandler) userNs, err := runtimeHelper.GetOrCreateUserNamespaceMappings(pod, runtimeHandler)
if err != nil { if err != nil {

2
pkg/kubelet/kuberuntime/util/util_test.go
View File

@ -223,7 +223,7 @@ func TestNamespacesForPod(t *testing.T) {
}, },
} { } {
t.Run(desc, func(t *testing.T) { t.Run(desc, func(t *testing.T) {
actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{}) actual, err := NamespacesForPod(test.input, &kubecontainertest.FakeRuntimeHelper{}, nil)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, test.expected, actual) require.Equal(t, test.expected, actual)
}) })