Merge pull request #64009 from feiskyer/windows-security-context

Automatic merge from submit-queue (batch tested with PRs 64009, 64780, 64354, 64727, 63650). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Kubelet: Add security context for Windows containers **What this PR does / why we need it**: This PR adds windows containers to Kubelet CRI and also implements security context setting for docker containers. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: RunAsUser from Kubernetes API only accept int64 today, which is not supported on Windows. It should be changed to intstr for working with both Windows and Linux containers in a separate PR. **Release note**: ```release-note Kubelet: Add security context for Windows containers ``` /cc @PatrickLang @taylorb-microsoft @michmike @JiangtianLi @yujuhong @dchen1107
2025-08-01 07:47:56 +00:00 · 2018-06-05 22:24:38 -07:00 · 2018-06-05 22:24:38 -07:00 · 999b2da440
commit 999b2da440
parent ad9722c453 7ba26ba25c
4 changed files with 717 additions and 470 deletions
--- a/pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go
+++ b/pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go
--- a/pkg/kubelet/apis/cri/runtime/v1alpha2/api.proto
+++ b/pkg/kubelet/apis/cri/runtime/v1alpha2/api.proto
@ -597,11 +597,21 @@ message LinuxContainerConfig {
    LinuxContainerSecurityContext security_context = 2;
 }
 // WindowsContainerSecurityContext holds windows security configuration that will be applied to a container.
 message WindowsContainerSecurityContext {
    // User name to run the container process as. If specified, the user MUST
    // exist in the container image and be resolved there by the runtime;
    // otherwise, the runtime MUST return error.
    string run_as_username = 1;
 }
 // WindowsContainerConfig contains platform-specific configuration for
 // Windows-based containers.
 message WindowsContainerConfig {
    // Resources specification for the container.
    WindowsContainerResources resources = 1;
    // WindowsContainerSecurityContext configuration for the container.
    WindowsContainerSecurityContext security_context = 2;
 }
 // WindowsContainerResources specifies Windows specific configuration for
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
@ -76,6 +76,9 @@ func (ds *dockerService) updateCreateConfig(
 				CPUPercent: rOpts.CpuMaximum,
 			}
 		}
 		// Apply security context.
 		applyWindowsContainerSecurityContext(wc.GetSecurityContext(), createConfig.Config, createConfig.HostConfig)
 	}
 	applyExperimentalCreateConfig(createConfig, sandboxConfig.Annotations)
@ -83,6 +86,17 @@ func (ds *dockerService) updateCreateConfig(
 	return nil
 }
 // applyWindowsContainerSecurityContext updates docker container options according to security context.
 func applyWindowsContainerSecurityContext(wsc *runtimeapi.WindowsContainerSecurityContext, config *dockercontainer.Config, hc *dockercontainer.HostConfig) {
 	if wsc == nil {
 		return
 	}
 	if wsc.GetRunAsUsername() != "" {
 		config.User = wsc.GetRunAsUsername()
 	}
 }
 func (ds *dockerService) determinePodIPBySandboxID(sandboxID string, sandbox *dockertypes.ContainerJSON) string {
 	// Versions and feature support
 	// ============================
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go
@ -19,24 +19,32 @@ limitations under the License.
 package kuberuntime
 import (
 	"fmt"
 	"github.com/docker/docker/pkg/sysinfo"
 	"k8s.io/api/core/v1"
 	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
 	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
 	"k8s.io/kubernetes/pkg/securitycontext"
 )
 // applyPlatformSpecificContainerConfig applies platform specific configurations to runtimeapi.ContainerConfig.
 func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config *runtimeapi.ContainerConfig, container *v1.Container, pod *v1.Pod, uid *int64, username string) error {
-	config.Windows = m.generateWindowsContainerConfig(container, pod, uid, username)
+	windowsConfig, err := m.generateWindowsContainerConfig(container, pod, uid, username)
 	if err != nil {
 		return err
 	}
 	config.Windows = windowsConfig
 	return nil
 }
 // generateWindowsContainerConfig generates windows container config for kubelet runtime v1.
 // Refer https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/cri-windows.md.
-func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string) *runtimeapi.WindowsContainerConfig {
+func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string) (*runtimeapi.WindowsContainerConfig, error) {
 	wc := &runtimeapi.WindowsContainerConfig{
-		Resources: &runtimeapi.WindowsContainerResources{},
+		Resources:       &runtimeapi.WindowsContainerResources{},
 		SecurityContext: &runtimeapi.WindowsContainerSecurityContext{},
 	}
 	cpuRequest := container.Resources.Requests.Cpu()
@ -77,5 +85,15 @@ func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1
 		wc.Resources.MemoryLimitInBytes = memoryLimit
 	}
-	return wc
+	// setup security context
 	effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
 	// RunAsUser only supports int64 from Kubernetes API, but Windows containers only support username.
 	if effectiveSc.RunAsUser != nil {
 		return nil, fmt.Errorf("run as uid (%d) is not supported on Windows", *effectiveSc.RunAsUser)
 	}
 	if username != "" {
 		wc.SecurityContext.RunAsUsername = username
 	}
 	return wc, nil
 }