From a666451e8a39f96d76b484548129e45573a036c1 Mon Sep 17 00:00:00 2001 From: Mark Rossett Date: Fri, 31 Jan 2025 13:39:16 -0800 Subject: [PATCH 1/2] withdraw Windows HostNetwork support --- pkg/features/versioned_kube_features.go | 3 +- .../kuberuntime/kuberuntime_sandbox.go | 11 --- .../kuberuntime/kuberuntime_sandbox_test.go | 79 ------------------- .../reference/versioned_feature_list.yaml | 6 +- 4 files changed, 7 insertions(+), 92 deletions(-) diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go index e1a4c8daf40..dbfe7891451 100644 --- a/pkg/features/versioned_kube_features.go +++ b/pkg/features/versioned_kube_features.go @@ -856,7 +856,8 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate }, WindowsHostNetwork: { - {Version: version.MustParse("1.26"), Default: true, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Deprecated}, }, zpagesfeatures.ComponentFlagz: { diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go index 27e4ccee691..baf04fd4d5e 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go @@ -25,11 +25,9 @@ import ( v1 "k8s.io/api/core/v1" kubetypes "k8s.io/apimachinery/pkg/types" - utilfeature "k8s.io/apiserver/pkg/util/feature" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/klog/v2" "k8s.io/kubelet/pkg/types" - "k8s.io/kubernetes/pkg/features" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util" "k8s.io/kubernetes/pkg/kubelet/util" 
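Review bot: Changing the existing 1.26 entry of `WindowsHostNetwork` from `Default: true` to `Default: false` alters what the gate reports for every version from 1.26 up to 1.33, not only from 1.33 on. A component running with an emulated version in that range would presumably see the gate disabled, although the removed line shows those releases had it enabled by default. If the retroactive change is intended, say so in a comment on the entry; otherwise leave the 1.26 line as it was and let only the new 1.33 line carry `Default: false`. The gate also stays settable (the reference YAML in this patch keeps `lockToDefault: false`) while the kubelet code that read it is deleted in the same commit, so a comment such as `// Withdrawn: the kubelet no longer reads this gate; enabling it has no effect on Windows pods with hostNetwork: true.` above the entry would keep operators from relying on it. The map literal starts and ends outside the hunk.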
@@ -239,15 +237,6 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod) SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{}, } - if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostNetwork) { - wc.SecurityContext.NamespaceOptions = &runtimeapi.WindowsNamespaceOption{} - if kubecontainer.IsHostNetworkPod(pod) { - wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_NODE - } else { - wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_POD - } - } - // If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field // explicitly because the container runtime requires this information at sandbox creation time. if kubecontainer.HasWindowsHostProcessContainer(pod) { diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go index a953bac63fe..0ec3381be51 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go 
@@ -392,82 +392,3 @@ func TestGeneratePodSandboxWindowsConfig_HostProcess(t *testing.T) { }) } } - -func TestGeneratePodSandboxWindowsConfig_HostNetwork(t *testing.T) { - _, _, m, err := createTestRuntimeManager() - require.NoError(t, err) - - const containerName = "container" - - testCases := []struct { - name string - hostNetworkFeatureEnabled bool - podSpec *v1.PodSpec - expectedWindowsConfig *runtimeapi.WindowsPodSandboxConfig - }{ - { - name: "feature disabled, hostNetwork=false", - hostNetworkFeatureEnabled: false, - podSpec: &v1.PodSpec{ - HostNetwork: false, - Containers: []v1.Container{{Name: containerName}}, - }, - expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{ - SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{}, - }, - }, - { - name: "feature disabled, hostNetwork=true", - hostNetworkFeatureEnabled: false, - podSpec: &v1.PodSpec{ - HostNetwork: true, - Containers: []v1.Container{{Name: containerName}}, - }, - expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{ - SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{}, - }}, - { - name: "feature enabled, hostNetwork=false", - hostNetworkFeatureEnabled: true, - podSpec: &v1.PodSpec{ - HostNetwork: false, - Containers: []v1.Container{{Name: containerName}}, - }, - expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{ - SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{ - NamespaceOptions: &runtimeapi.WindowsNamespaceOption{ - Network: runtimeapi.NamespaceMode_POD, - }, - }, - }, - }, - { - name: "feature enabled, hostNetwork=true", - hostNetworkFeatureEnabled: true, - podSpec: &v1.PodSpec{ - HostNetwork: true, - Containers: []v1.Container{{Name: containerName}}, - }, - expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{ - SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{ - NamespaceOptions: &runtimeapi.WindowsNamespaceOption{ - Network: runtimeapi.NamespaceMode_NODE, - }, - }, - }, - }, - } - - for _, testCase := range testCases { - 
t.Run(testCase.name, func(t *testing.T) { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, testCase.hostNetworkFeatureEnabled) - pod := &v1.Pod{} - pod.Spec = *testCase.podSpec - - wc, err := m.generatePodSandboxWindowsConfig(pod) - - assert.Equal(t, testCase.expectedWindowsConfig, wc) - assert.NoError(t, err) - }) - } -} diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml index 2ea25045ea6..a8fb364e5d3 100644 --- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml +++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml @@ -1623,10 +1623,14 @@ version: "1.32" - name: WindowsHostNetwork versionedSpecs: - - default: true + - default: false lockToDefault: false preRelease: Alpha version: "1.26" + - default: false + lockToDefault: false + preRelease: Deprecated + version: "1.33" - name: WinDSR versionedSpecs: - default: false From 9837a61528f8d4de4cb1556f39bfa22d2e9e3924 Mon Sep 17 00:00:00 2001 From: Mark Rossett Date: Fri, 31 Jan 2025 13:51:46 -0800 Subject: [PATCH 2/2] update cri-api comments for Windows HostProcess withdrawal --- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go | 2 +- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go b/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go index c0284cca5b9..8d261618697 100644 --- a/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go +++ b/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go 
@@ -4398,7 +4398,7 @@ func (m *LinuxContainerUser) GetSupplementalGroups() []int64 { // WindowsNamespaceOption provides options for Windows namespaces. type WindowsNamespaceOption struct { // Network namespace for this container/sandbox. - // Namespaces currently set by the kubelet: POD, NODE + // This is currently never set by the kubelet Network NamespaceMode `protobuf:"varint,1,opt,name=network,proto3,enum=runtime.v1.NamespaceMode" json:"network,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_sizecache int32 `json:"-"` diff --git a/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto b/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto index fec760e6a63..2f171610579 100644 --- a/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto +++ b/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto @@ -1011,7 +1011,7 @@ message LinuxContainerUser { // WindowsNamespaceOption provides options for Windows namespaces. message WindowsNamespaceOption { // Network namespace for this container/sandbox. - // Namespaces currently set by the kubelet: POD, NODE + // This is currently never set by the kubelet NamespaceMode network = 1; }
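Review bot: The new comment on `network` in api.proto says only that the kubelet never sets the field, so runtime implementers are not told how to treat a value that is absent. `network` is a proto3 enum field, so an unset value cannot be told apart on the wire from the zero value of `NamespaceMode` (POD, as far as I know; the enum is defined outside this hunk). The comment should state the expected handling and why the field is kept, for example `// This is currently never set by the kubelet; the field is retained for API compatibility and runtimes should apply pod-level network isolation.` The identical comment in api.pb.go is generated and should come from regenerating it rather than from a hand edit.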