kuberuntime: set sysctls for sandbox config

This commit is contained in:
Pengfei Ni 2017-05-12 15:41:15 +08:00
parent a7c9638e56
commit 8bc6e59278
4 changed files with 75 additions and 5 deletions


@ -29,6 +29,7 @@ go_library(
deps = [ deps = [
"//pkg/api:go_default_library", "//pkg/api:go_default_library",
"//pkg/api/v1:go_default_library", "//pkg/api/v1:go_default_library",
"//pkg/api/v1/helper:go_default_library",
"//pkg/api/v1/ref:go_default_library", "//pkg/api/v1/ref:go_default_library",
"//pkg/credentialprovider:go_default_library", "//pkg/credentialprovider:go_default_library",
"//pkg/kubelet/apis/cri:go_default_library", "//pkg/kubelet/apis/cri:go_default_library",


@ -24,6 +24,7 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1" "k8s.io/kubernetes/pkg/api/v1"
v1helper "k8s.io/kubernetes/pkg/api/v1/helper"
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1" runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
) )
@ -236,3 +237,21 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
} }
return &kubecontainer.RuntimeStatus{Conditions: conditions} return &kubecontainer.RuntimeStatus{Conditions: conditions}
} }
// getSysctlsFromAnnotations gets sysctls and unsafeSysctls from annotations.
func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string, error) {
apiSysctls, apiUnsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(annotations)
if err != nil {
return nil, err
}
sysctls := make(map[string]string)
for _, c := range apiSysctls {
sysctls[c.Name] = c.Value
}
for _, c := range apiUnsafeSysctls {
sysctls[c.Name] = c.Value
}
return sysctls, nil
}
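Review bot: getSysctlsFromAnnotations merges the safe and unsafe lists into one map, so a name present in both annotations silently resolves to the unsafe value because the second loop overwrites the first, and the returned map carries no trace of which entries came from the unsafe annotation. Since the CRI `Sysctls` field appears to be a flat map, the merge itself looks intended, but the precedence should be stated, and the kubelet's allowed-unsafe-sysctls check is not applied in this helper — if it is enforced earlier (in admission), a comment should say the helper relies on that. Either document it above the second loop with `// Unsafe sysctls are merged last, so a name listed in both annotations takes the unsafe value; whitelisting of unsafe sysctls is not enforced here.`, or surface the conflict instead of resolving it silently: inside the second loop, before the assignment, `if _, dup := sysctls[c.Name]; dup { return nil, fmt.Errorf("sysctl %q is listed as both safe and unsafe", c.Name) }` (adding `fmt` to the imports if this file does not already import it).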


@ -46,3 +46,43 @@ func TestStableKey(t *testing.T) {
newKey := getStableKey(pod, container) newKey := getStableKey(pod, container)
assert.NotEqual(t, oldKey, newKey) assert.NotEqual(t, oldKey, newKey)
} }
// TestGetSystclsFromAnnotations tests the logic of getting sysctls from annotations.
func TestGetSystclsFromAnnotations(t *testing.T) {
tests := []struct {
annotations map[string]string
expectedSysctls map[string]string
}{{
annotations: map[string]string{
v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
},
expectedSysctls: map[string]string{
"kernel.shmmni": "32768",
"kernel.shmmax": "1000000000",
"knet.ipv4.route.min_pmtu": "1000",
},
}, {
annotations: map[string]string{
v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
},
expectedSysctls: map[string]string{
"kernel.shmmni": "32768",
"kernel.shmmax": "1000000000",
},
}, {
annotations: map[string]string{
v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
},
expectedSysctls: map[string]string{
"knet.ipv4.route.min_pmtu": "1000",
},
}}
for i, test := range tests {
actualSysctls, err := getSysctlsFromAnnotations(test.annotations)
assert.NoError(t, err, "TestCase[%d]", i)
assert.Len(t, actualSysctls, len(test.expectedSysctls), "TestCase[%d]", i)
assert.Equal(t, test.expectedSysctls, actualSysctls, "TestCase[%d]", i)
}
}
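Review bot: The test name and its doc comment misspell the function under test as `Systcls`; renaming to `TestGetSysctlsFromAnnotations` (and `// TestGetSysctlsFromAnnotations tests ...`) keeps `go test -run` and grep matching the helper's name. The table also only exercises well-formed input: there is no case asserting a non-nil error for a malformed annotation value (an entry without `=`), and no case where the same sysctl name appears in both the safe and unsafe annotations, which is the one place the helper's merge order matters. Adding an `expectErr bool` column to the table with one malformed case, plus one duplicate-name case whose `expectedSysctls` pins which value wins, would cover the error path and the precedence rule.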


@ -116,18 +116,22 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(pod *v1.Pod, attemp
} }
} }
cgroupParent := m.runtimeHelper.GetPodCgroupParent(pod)
podSandboxConfig.Linux = m.generatePodSandboxLinuxConfig(pod, cgroupParent)
if len(portMappings) > 0 { if len(portMappings) > 0 {
podSandboxConfig.PortMappings = portMappings podSandboxConfig.PortMappings = portMappings
} }
lc, err := m.generatePodSandboxLinuxConfig(pod)
if err != nil {
return nil, err
}
podSandboxConfig.Linux = lc
return podSandboxConfig, nil return podSandboxConfig, nil
} }
// generatePodSandboxLinuxConfig generates LinuxPodSandboxConfig from v1.Pod. // generatePodSandboxLinuxConfig generates LinuxPodSandboxConfig from v1.Pod.
func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, cgroupParent string) *runtimeapi.LinuxPodSandboxConfig { func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (*runtimeapi.LinuxPodSandboxConfig, error) {
cgroupParent := m.runtimeHelper.GetPodCgroupParent(pod)
lc := &runtimeapi.LinuxPodSandboxConfig{ lc := &runtimeapi.LinuxPodSandboxConfig{
CgroupParent: cgroupParent, CgroupParent: cgroupParent,
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{ SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
@ -135,6 +139,12 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
}, },
} }
sysctls, err := getSysctlsFromAnnotations(pod.Annotations)
if err != nil {
return nil, fmt.Errorf("failed to get sysctls from annotations %v for pod %q: %v", pod.Annotations, format.Pod(pod), err)
}
lc.Sysctls = sysctls
if pod.Spec.SecurityContext != nil { if pod.Spec.SecurityContext != nil {
sc := pod.Spec.SecurityContext sc := pod.Spec.SecurityContext
if sc.RunAsUser != nil { if sc.RunAsUser != nil {
@ -167,7 +177,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
} }
} }
return lc return lc, nil
} }
// getKubeletSandboxes lists all (or just the running) sandboxes managed by kubelet. // getKubeletSandboxes lists all (or just the running) sandboxes managed by kubelet.