From 498d065cc5f2efd6a2cd75bb398c06f7764e7a83 Mon Sep 17 00:00:00 2001 From: Mark Rossetti Date: Mon, 17 Oct 2022 14:25:40 -0700 Subject: [PATCH] Promoting WindowsHostProcessContainers to stable Signed-off-by: Mark Rossetti --- pkg/api/pod/util.go | 28 ------ pkg/apis/core/validation/validation.go | 26 +----- pkg/apis/core/validation/validation_test.go | 89 +------------------ pkg/features/kube_features.go | 3 +- pkg/kubelet/kubelet_pods.go | 2 +- .../kuberuntime_container_windows.go | 6 -- .../kuberuntime_container_windows_test.go | 8 -- .../kuberuntime/kuberuntime_sandbox.go | 9 -- .../kuberuntime/kuberuntime_sandbox_test.go | 53 +++-------- pkg/kubelet/metrics/metrics.go | 6 +- test/integration/auth/podsecurity_test.go | 2 - 11 files changed, 21 insertions(+), 211 deletions(-) diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go index 9dcb21d6dc4..8f1a63bb719 100644 --- a/pkg/api/pod/util.go +++ b/pkg/api/pod/util.go @@ -411,7 +411,6 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po AllowInvalidPodDeletionCost: !utilfeature.DefaultFeatureGate.Enabled(features.PodDeletionCost), // Do not allow pod spec to use non-integer multiple of huge page unit size default AllowIndivisibleHugePagesValues: false, - AllowWindowsHostProcessField: utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers), // Allow pod spec with expanded DNS configuration AllowExpandedDNSConfig: utilfeature.DefaultFeatureGate.Enabled(features.ExpandedDNSConfig) || haveSameExpandedDNSConfig(podSpec, oldPodSpec), } 
@@ -426,8 +425,6 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po return !opts.AllowDownwardAPIHugePages }) } - // if old spec has Windows Host Process fields set, we must allow it - opts.AllowWindowsHostProcessField = opts.AllowWindowsHostProcessField || setsWindowsHostProcess(oldPodSpec) // if old spec used non-integer multiple of huge page unit size, we must allow it opts.AllowIndivisibleHugePagesValues = usesIndivisibleHugePagesValues(oldPodSpec) @@ -746,28 +743,3 @@ func SeccompAnnotationForField(field *api.SeccompProfile) string { // type is specified return "" } - -// setsWindowsHostProcess returns true if WindowsOptions.HostProcess is set (true or false) -// anywhere in the pod spec. -func setsWindowsHostProcess(podSpec *api.PodSpec) bool { - if podSpec == nil { - return false - } - - // Check Pod's WindowsOptions.HostProcess - if podSpec.SecurityContext != nil && podSpec.SecurityContext.WindowsOptions != nil && podSpec.SecurityContext.WindowsOptions.HostProcess != nil { - return true - } - - // Check WindowsOptions.HostProcess for each container - inUse := false - VisitContainers(podSpec, AllContainers, func(c *api.Container, containerType ContainerType) bool { - if c.SecurityContext != nil && c.SecurityContext.WindowsOptions != nil && c.SecurityContext.WindowsOptions.HostProcess != nil { - inUse = true - return false - } - return true - }) - - return inUse -} diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go index 325e7d94905..53ae4988a8c 100644 --- a/pkg/apis/core/validation/validation.go +++ b/pkg/apis/core/validation/validation.go 
@@ -3507,8 +3507,6 @@ type PodValidationOptions struct { AllowInvalidPodDeletionCost bool // Allow pod spec to use non-integer multiple of huge page unit size AllowIndivisibleHugePagesValues bool - // Allow hostProcess field to be set in windows security context - AllowWindowsHostProcessField bool // Allow more DNSSearchPaths and longer DNSSearchListChars AllowExpandedDNSConfig bool } @@ -3614,7 +3612,7 @@ func ValidatePodSpec(spec *core.PodSpec, podMeta *metav1.ObjectMeta, fldPath *fi allErrs = append(allErrs, validatePodDNSConfig(spec.DNSConfig, &spec.DNSPolicy, fldPath.Child("dnsConfig"), opts)...) allErrs = append(allErrs, validateReadinessGates(spec.ReadinessGates, fldPath.Child("readinessGates"))...) allErrs = append(allErrs, validateTopologySpreadConstraints(spec.TopologySpreadConstraints, fldPath.Child("topologySpreadConstraints"))...) - allErrs = append(allErrs, validateWindowsHostProcessPod(spec, fldPath, opts)...) + allErrs = append(allErrs, validateWindowsHostProcessPod(spec, fldPath)...) allErrs = append(allErrs, validateHostUsers(spec, fldPath)...) if len(spec.ServiceAccountName) > 0 { for _, msg := range ValidateServiceAccountName(spec.ServiceAccountName, false) { @@ -6376,7 +6374,7 @@ func validateWindowsSecurityContextOptions(windowsOptions *core.WindowsSecurityC return allErrs } -func validateWindowsHostProcessPod(podSpec *core.PodSpec, fieldPath *field.Path, opts PodValidationOptions) field.ErrorList { +func validateWindowsHostProcessPod(podSpec *core.PodSpec, fieldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} // Keep track of container and hostProcess container count for validate 
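Review bot: validateWindowsHostProcessPod loses its `opts` parameter here but still carries no doc comment saying what it enforces, and after this commit it is the only API-side check on hostProcess, so its contract should be spelled out at the signature. From the later hunks it rejects a container-level hostProcess that disagrees with the pod-level value, reads hostNetwork, and rejects a pod that mixes hostProcess and non-hostProcess containers; the allowPrivileged requirement the test table expects is presumably checked further down, outside the visible hunks, and should be confirmed before it is documented. Suggested header: `// validateWindowsHostProcessPod enforces the hostProcess invariants: pod- and container-level` / `// values must agree when both are set, and a pod with any hostProcess container must be` / `// all-hostProcess and hostNetwork (see the privileged-capability check below).` The function body continues past this hunk.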
@@ -6388,13 +6386,6 @@ func validateWindowsHostProcessPod(podSpec *core.PodSpec, fieldPath *field.Path, podHostProcess = podSpec.SecurityContext.WindowsOptions.HostProcess } - if !opts.AllowWindowsHostProcessField && podHostProcess != nil { - // Do not allow pods to persist data that sets hostProcess (true or false) - errMsg := "not allowed when feature gate 'WindowsHostProcessContainers' is not enabled" - allErrs = append(allErrs, field.Forbidden(fieldPath.Child("securityContext", "windowsOptions", "hostProcess"), errMsg)) - return allErrs - } - hostNetwork := false if podSpec.SecurityContext != nil { hostNetwork = podSpec.SecurityContext.HostNetwork @@ -6408,12 +6399,6 @@ func validateWindowsHostProcessPod(podSpec *core.PodSpec, fieldPath *field.Path, containerHostProcess = c.SecurityContext.WindowsOptions.HostProcess } - if !opts.AllowWindowsHostProcessField && containerHostProcess != nil { - // Do not allow pods to persist data that sets hostProcess (true or false) - errMsg := "not allowed when feature gate 'WindowsHostProcessContainers' is not enabled" - allErrs = append(allErrs, field.Forbidden(cFieldPath.Child("securityContext", "windowsOptions", "hostProcess"), errMsg)) - } - if podHostProcess != nil && containerHostProcess != nil && *podHostProcess != *containerHostProcess { errMsg := fmt.Sprintf("pod hostProcess value must be identical if both are specified, was %v", *podHostProcess) allErrs = append(allErrs, field.Invalid(cFieldPath.Child("securityContext", "windowsOptions", "hostProcess"), *containerHostProcess, errMsg)) 
@@ -6432,13 +6417,6 @@ func validateWindowsHostProcessPod(podSpec *core.PodSpec, fieldPath *field.Path, }) if hostProcessContainerCount > 0 { - // Fail Pod validation if feature is not enabled (unless podspec already exists and contains HostProcess fields) instead of dropping fields based on PRR reivew. - if !opts.AllowWindowsHostProcessField { - errMsg := "pod must not contain Windows hostProcess containers when feature gate 'WindowsHostProcessContainers' is not enabled" - allErrs = append(allErrs, field.Forbidden(fieldPath, errMsg)) - return allErrs - } - // At present, if a Windows Pods contains any HostProcess containers than all containers must be // HostProcess containers (explicitly set or inherited). if hostProcessContainerCount != containerCount { diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go index ab166ae8b93..f2be3cbc805 100644 --- a/pkg/apis/core/validation/validation_test.go +++ b/pkg/apis/core/validation/validation_test.go @@ -12304,7 +12304,6 @@ func TestValidatePodEphemeralContainersUpdate(t *testing.T) { // Some tests use Windows host pods as an example of fields that might // conflict between an ephemeral container and the rest of the pod. - opts := PodValidationOptions{AllowWindowsHostProcessField: true} capabilities.SetForTests(capabilities.Capabilities{ AllowPrivileged: true, }) @@ -12628,7 +12627,7 @@ func TestValidatePodEphemeralContainersUpdate(t *testing.T) { } for _, tc := range tests { - errs := ValidatePodEphemeralContainersUpdate(tc.new, tc.old, opts) + errs := ValidatePodEphemeralContainersUpdate(tc.new, tc.old, PodValidationOptions{}) if tc.err == "" { if len(errs) != 0 { t.Errorf("unexpected invalid for test: %s\nErrors returned: %+v\nLocal diff of test objects (-old +new):\n%s", tc.name, errs, cmp.Diff(tc.old, tc.new)) 
@@ -20855,78 +20854,12 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { testCases := []struct { name string expectError bool - featureEnabled bool allowPrivileged bool podSpec *core.PodSpec }{ - { - name: "Spec with feature disabled and pod-wide HostProcess=false and should not validate", - expectError: true, - featureEnabled: false, - allowPrivileged: true, - podSpec: &core.PodSpec{ - SecurityContext: &core.PodSecurityContext{ - WindowsOptions: &core.WindowsSecurityContextOptions{ - HostProcess: &falseVar, - }, - }, - Containers: []core.Container{{ - Name: containerName, - }}, - }, - }, - { - name: "Spec with feature disabled and pod-wide HostProcess=nil set should valildate", - expectError: false, - featureEnabled: false, - allowPrivileged: true, - podSpec: &core.PodSpec{ - SecurityContext: &core.PodSecurityContext{ - WindowsOptions: &core.WindowsSecurityContextOptions{ - HostProcess: nil, - }, - }, - Containers: []core.Container{{ - Name: containerName, - }}, - }, - }, - { - name: "Spec with feature disabled and container setting HostProcess=true should not valildate", - expectError: true, - featureEnabled: false, - allowPrivileged: true, - podSpec: &core.PodSpec{ - Containers: []core.Container{{ - Name: containerName, - SecurityContext: &core.SecurityContext{ - WindowsOptions: &core.WindowsSecurityContextOptions{ - HostProcess: &trueVar, - }, - }, - }}, - }, - }, - { - name: "Spec with feature disabled and init container setting HostProcess=true should not valildate", - expectError: true, - featureEnabled: false, - allowPrivileged: true, - podSpec: &core.PodSpec{ - InitContainers: []core.Container{{ - Name: containerName, - SecurityContext: &core.SecurityContext{ - WindowsOptions: &core.WindowsSecurityContextOptions{ - HostProcess: &trueVar, - }, - }, - }}, - }, - }, { name: "Spec with feature enabled, pod-wide HostProcess=true, and HostNetwork unset should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: 
&core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -20942,7 +20875,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=ture, and HostNetwork set should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -20959,7 +20891,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=ture, HostNetwork set, and containers setting HostProcess=true should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -20989,7 +20920,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=nil, HostNetwork set, and all containers setting HostProcess=true should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21016,7 +20946,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Pods with feature enabled, some containers setting HostProcess=true, and others setting HostProcess=false should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21043,7 +20972,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, some containers setting HostProcess=true, and other leaving HostProcess unset should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ 
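Review bot: The `featureEnabled` field is dropped from the test table, but the surviving case names still lead with "Spec with feature enabled, …", which now describes nothing and will mislead whoever reads a failure; rename them to state only the condition under test, e.g. `name: "Spec with pod-wide HostProcess=true and HostNetwork unset should not validate",`. The same applies to the sibling cases in the following hunks, several of which also carry typos ("HostProcess=ture", "contaienrs", "HostProccess", "should spec should"). With the four feature-disabled cases deleted, none of the visible cases asserts the new positive behaviour that a pod setting hostProcess=false with no hostProcess containers is accepted under an empty PodValidationOptions; one such case would pin the GA semantics.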
@@ -21065,7 +20993,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=true, some containers setting HostProcess=true, and init containers setting HostProcess=false should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21095,7 +21022,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=true, some containers setting HostProcess=true, and others setting HostProcess=false should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21126,7 +21052,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=true, some containers setting HostProcess=true, and others leaving HostProcess=nil should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21151,7 +21076,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Spec with feature enabled, pod-wide HostProcess=false, some contaienrs setting HostProccess=true should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21176,7 +21100,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Pod's HostProcess set to true but all containers override to false should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ 
@@ -21198,7 +21121,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Valid HostProcess pod should spec should not validate if allowPrivileged is not set", expectError: true, - featureEnabled: true, allowPrivileged: false, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21217,7 +21139,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Non-HostProcess ephemeral container in HostProcess pod should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21243,7 +21164,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "HostProcess ephemeral container in HostProcess pod should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ SecurityContext: &core.PodSecurityContext{ @@ -21263,7 +21183,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "Non-HostProcess ephemeral container in Non-HostProcess pod should validate", expectError: false, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ Containers: []core.Container{{ @@ -21283,7 +21202,6 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { { name: "HostProcess ephemeral container in Non-HostProcess pod should not validate", expectError: true, - featureEnabled: true, allowPrivileged: true, podSpec: &core.PodSpec{ Containers: []core.Container{{ 
@@ -21304,15 +21222,12 @@ func TestValidateWindowsHostProcessPod(t *testing.T) { for _, testCase := range testCases { t.Run(testCase.name, func(t *testing.T) { - defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, testCase.featureEnabled)() - - opts := PodValidationOptions{AllowWindowsHostProcessField: testCase.featureEnabled} capabilities.SetForTests(capabilities.Capabilities{ AllowPrivileged: testCase.allowPrivileged, }) - errs := validateWindowsHostProcessPod(testCase.podSpec, field.NewPath("spec"), opts) + errs := validateWindowsHostProcessPod(testCase.podSpec, field.NewPath("spec")) if testCase.expectError && len(errs) == 0 { t.Errorf("Unexpected success") } diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index b2e0323c6ea..a675ec55965 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -783,6 +783,7 @@ const ( // owner: @marosset // alpha: v1.22 // beta: v1.23 + // GA: v1.26 // // Enables support for 'HostProcess' containers on Windows nodes. WindowsHostProcessContainers featuregate.Feature = "WindowsHostProcessContainers" @@ -1021,7 +1022,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS WinOverlay: {Default: true, PreRelease: featuregate.Beta}, - WindowsHostProcessContainers: {Default: true, PreRelease: featuregate.Beta}, + WindowsHostProcessContainers: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28 NodeInclusionPolicyInPodTopologySpread: {Default: false, PreRelease: featuregate.Alpha}, diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go index 27861e13382..cc0b3c24a36 100644 --- a/pkg/kubelet/kubelet_pods.go +++ b/pkg/kubelet/kubelet_pods.go 
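Review bot: `LockToDefault: true` means the gate can no longer be set to false, but the constant's comment in the earlier hunk only gains `// GA: v1.26`, so a reader of kube_features.go will not learn that the flag is now accepted only at its default. Suggest `// GA: v1.26 (locked to default; gate removed in v1.28)` alongside the `// remove in 1.28` note already on the map entry. Because hostProcess containers run with host-level access, locking the gate also removes the last cluster-wide off switch for them; what remains is the privileged-capability check the validation tests expect and, presumably, Pod Security admission at the privileged level, which is worth stating in the release note.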
@@ -148,7 +148,7 @@ func (kl *Kubelet) makeBlockVolumes(pod *v1.Pod, container *v1.Container, podVol // - Windows pod contains a hostProcess container func shouldMountHostsFile(pod *v1.Pod, podIPs []string) bool { shouldMount := len(podIPs) > 0 - if runtime.GOOS == "windows" && utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) { + if runtime.GOOS == "windows" { return shouldMount && !kubecontainer.HasWindowsHostProcessContainer(pod) } return shouldMount diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go b/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go index c1e1d777ffd..66430cf163e 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_container_windows.go @@ -20,14 +20,11 @@ limitations under the License. package kuberuntime import ( - "fmt" "runtime" v1 "k8s.io/api/core/v1" - utilfeature "k8s.io/apiserver/pkg/util/feature" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/klog/v2" - "k8s.io/kubernetes/pkg/features" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" "k8s.io/kubernetes/pkg/securitycontext" ) @@ -126,9 +123,6 @@ func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1 } if securitycontext.HasWindowsHostProcessRequest(pod, container) { - if !utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) { - return nil, fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled") - } wc.SecurityContext.HostProcess = true } diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_windows_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_windows_test.go index 47f40d62693..5b8be205c13 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_container_windows_test.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_container_windows_test.go 
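Review bot: With the gate check removed, `wc.SecurityContext.HostProcess = true` in generateWindowsContainerConfig is now set purely on the strength of the pod spec, so the kubelet has no local refusal path left for hostProcess and relies entirely on API-server validation (and presumably its own allow-privileged setting, which this hunk does not show). That is the expected shape for GA, but it should be said at the point of trust so the next reader does not look for a missing check, e.g. `// hostProcess was admitted by API-server validation (validateWindowsHostProcessPod); the kubelet applies it without re-checking.` Operators who previously blocked hostProcess by disabling the gate on nodes no longer have that control. The enclosing function starts and ends outside the hunk.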
@@ -100,12 +100,4 @@ func TestApplyPlatformSpecificContainerConfig(t *testing.T) { }, } assert.Equal(t, expectedWindowsConfig, containerConfig.Windows) - - // Check if it fails if we require HostProcess but the feature is not enabled. - defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, false)() - err = fakeRuntimeSvc.applyPlatformSpecificContainerConfig(containerConfig, &pod.Spec.Containers[0], pod, new(int64), "foo", nil) - expectedErrMsg := "pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled" - if err == nil || err.Error() != expectedErrMsg { - t.Errorf("expected error message `%s` but got `%v`", expectedErrMsg, err) - } } diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go index c37270d26d9..ee209f53ef1 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go @@ -24,10 +24,8 @@ import ( v1 "k8s.io/api/core/v1" kubetypes "k8s.io/apimachinery/pkg/types" - utilfeature "k8s.io/apiserver/pkg/util/feature" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/klog/v2" - "k8s.io/kubernetes/pkg/features" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util" "k8s.io/kubernetes/pkg/kubelet/types" 
@@ -236,13 +234,6 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod)
 // If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field
 // explicitly because the container runtime requires this information at sandbox creation time.
 if kubecontainer.HasWindowsHostProcessContainer(pod) {
- // Pods containing HostProcess containers should fail to schedule if feature is not
- // enabled instead of trying to schedule containers as regular containers as stated in
- // PRR review.
- if !utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) {
- return nil, fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled")
- }
-
 // At present Windows all containers in a Windows pod must be HostProcess containers
 // and HostNetwork is required to be set.
 if !kubecontainer.AllContainersAreWindowsHostProcess(pod) {
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
index 3d1738daf3e..cd90a72bdfb 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
@@ -26,10 +26,7 @@ import (
 "github.com/stretchr/testify/require"
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
- "k8s.io/kubernetes/pkg/features"
 containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 "k8s.io/kubernetes/pkg/kubelet/runtimeclass"
 rctest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
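Review bot: The two checks left under `if kubecontainer.HasWindowsHostProcessContainer(pod)` — AllContainersAreWindowsHostProcess and the hostNetwork requirement the sandbox tests expect — duplicate what validateWindowsHostProcessPod enforces at the API server, and nothing in the surrounding comment says they are deliberate defense in depth now that the gate check beside them is gone, so a later cleanup could strip them the same way. The context comment is also garbled ("At present Windows all containers in a Windows pod"). Suggested replacement for those two comment lines: `// All containers in a Windows pod must be HostProcess containers and HostNetwork must be set.` / `// The API server validates this as well; the kubelet re-checks so a spec that bypassed admission cannot reach the runtime.` The enclosing function begins and ends outside this hunk.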
@@ -182,15 +179,13 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { falseVar := false testCases := []struct { - name string - hostProcessFeatureEnabled bool - podSpec *v1.PodSpec - expectedWindowsConfig *runtimeapi.WindowsPodSandboxConfig - expectedError error + name string + podSpec *v1.PodSpec + expectedWindowsConfig *runtimeapi.WindowsPodSandboxConfig + expectedError error }{ { - name: "Empty PodSecurityContext", - hostProcessFeatureEnabled: false, + name: "Empty PodSecurityContext", podSpec: &v1.PodSpec{ Containers: []v1.Container{{ Name: containerName, @@ -202,8 +197,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: nil, }, { - name: "GMSACredentialSpec in PodSecurityContext", - hostProcessFeatureEnabled: false, + name: "GMSACredentialSpec in PodSecurityContext", podSpec: &v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ WindowsOptions: &v1.WindowsSecurityContextOptions{ @@ -222,8 +216,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: nil, }, { - name: "RunAsUserName in PodSecurityContext", - hostProcessFeatureEnabled: false, + name: "RunAsUserName in PodSecurityContext", podSpec: &v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ WindowsOptions: &v1.WindowsSecurityContextOptions{ 
@@ -242,24 +235,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: nil, }, { - name: "Pod with HostProcess containers and feature gate disabled", - hostProcessFeatureEnabled: false, - podSpec: &v1.PodSpec{ - SecurityContext: &v1.PodSecurityContext{ - WindowsOptions: &v1.WindowsSecurityContextOptions{ - HostProcess: &trueVar, - }, - }, - Containers: []v1.Container{{ - Name: containerName, - }}, - }, - expectedWindowsConfig: nil, - expectedError: fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled"), - }, - { - name: "Pod with HostProcess containers and non-HostProcess containers", - hostProcessFeatureEnabled: true, + name: "Pod with HostProcess containers and non-HostProcess containers", podSpec: &v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ WindowsOptions: &v1.WindowsSecurityContextOptions{ @@ -281,8 +257,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: fmt.Errorf("pod must not contain both HostProcess and non-HostProcess containers"), }, { - name: "Pod with HostProcess containers and HostNetwork not set", - hostProcessFeatureEnabled: true, + name: "Pod with HostProcess containers and HostNetwork not set", podSpec: &v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ WindowsOptions: &v1.WindowsSecurityContextOptions{ @@ -297,8 +272,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: fmt.Errorf("hostNetwork is required if Pod contains HostProcess containers"), }, { - name: "Pod with HostProcess containers and HostNetwork set", - hostProcessFeatureEnabled: true, + name: "Pod with HostProcess containers and HostNetwork set", podSpec: &v1.PodSpec{ HostNetwork: true, SecurityContext: &v1.PodSecurityContext{ 
@@ -318,8 +292,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: nil, }, { - name: "Pod's WindowsOptions.HostProcess set to false and pod has HostProcess containers", - hostProcessFeatureEnabled: true, + name: "Pod's WindowsOptions.HostProcess set to false and pod has HostProcess containers", podSpec: &v1.PodSpec{ HostNetwork: true, SecurityContext: &v1.PodSecurityContext{ @@ -340,8 +313,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { expectedError: fmt.Errorf("pod must not contain any HostProcess containers if Pod's WindowsOptions.HostProcess is set to false"), }, { - name: "Pod's security context doesn't specify HostProcess containers but Container's security context does", - hostProcessFeatureEnabled: true, + name: "Pod's security context doesn't specify HostProcess containers but Container's security context does", podSpec: &v1.PodSpec{ HostNetwork: true, Containers: []v1.Container{{ @@ -364,7 +336,6 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) { for _, testCase := range testCases { t.Run(testCase.name, func(t *testing.T) { - defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, testCase.hostProcessFeatureEnabled)() pod := &v1.Pod{} pod.Spec = *testCase.podSpec diff --git a/pkg/kubelet/metrics/metrics.go b/pkg/kubelet/metrics/metrics.go index cc18e128585..5803cbc28ed 100644 --- a/pkg/kubelet/metrics/metrics.go +++ b/pkg/kubelet/metrics/metrics.go 
@@ -574,10 +574,8 @@ func Register(collectors ...metrics.StableCollector) { legacyregistry.MustRegister(StartedPodsErrorsTotal) legacyregistry.MustRegister(StartedContainersTotal) legacyregistry.MustRegister(StartedContainersErrorsTotal) - if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) { - legacyregistry.MustRegister(StartedHostProcessContainersTotal) - legacyregistry.MustRegister(StartedHostProcessContainersErrorsTotal) - } + legacyregistry.MustRegister(StartedHostProcessContainersTotal) + legacyregistry.MustRegister(StartedHostProcessContainersErrorsTotal) legacyregistry.MustRegister(RunPodSandboxDuration) legacyregistry.MustRegister(RunPodSandboxErrors) diff --git a/test/integration/auth/podsecurity_test.go b/test/integration/auth/podsecurity_test.go index 8927f977fc6..3a9e1a3092a 100644 --- a/test/integration/auth/podsecurity_test.go +++ b/test/integration/auth/podsecurity_test.go @@ -53,7 +53,6 @@ import ( func TestPodSecurity(t *testing.T) { // Enable all feature gates needed to allow all fields to be exercised defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)() - defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)() // Start server server := startPodSecurityServer(t) 
@@ -96,7 +95,6 @@ func TestPodSecurityGAOnly(t *testing.T) { func TestPodSecurityWebhook(t *testing.T) { // Enable all feature gates needed to allow all fields to be exercised defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)() - defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)() // Start test API server.