From 156c80a613fa8821cc1d18904db5094c8ffc2ade Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 13 Mar 2025 19:32:31 +0100
Subject: [PATCH 1/4] pkg/kubelet: Fix userns tests on Windows

Signed-off-by: Rodrigo Campos
---
 pkg/kubelet/kubelet_pods.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 7d24a90b0e7..5ce87a5ac04 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -143,6 +143,11 @@ func (kl *Kubelet) getKubeletMappings() (uint32, uint32, error) {
 }
 }
+ // Windows doesn't support user namespaces, let's return the default mappings.
+ if runtime.GOOS == "windows" {
+ return defaultFirstID, defaultLen, nil
+ }
+
 _, err := user.Lookup(kubeletUser)
 if err != nil {
 var unknownUserErr user.UnknownUserError
From 4c652757ade6ca7436b11aa927030f9c3200ca96 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 13 Mar 2025 19:50:24 +0100
Subject: [PATCH 2/4] pkg/kubelet/userns: Provide stub implementation for windows

Signed-off-by: Rodrigo Campos
---
 pkg/kubelet/userns/types.go | 29 +++++++++++
 pkg/kubelet/userns/userns_manager.go | 11 ++--
 .../userns/userns_manager_disabled_test.go | 3 ++
 .../userns/userns_manager_switch_test.go | 3 ++
 pkg/kubelet/userns/userns_manager_test.go | 3 ++
 pkg/kubelet/userns/userns_manager_windows.go | 50 +++++++++++++++++++
 6 files changed, 91 insertions(+), 8 deletions(-)
 create mode 100644 pkg/kubelet/userns/types.go
 create mode 100644 pkg/kubelet/userns/userns_manager_windows.go
diff --git a/pkg/kubelet/userns/types.go b/pkg/kubelet/userns/types.go
new file mode 100644
index 00000000000..a0422d0042c
--- /dev/null
+++ b/pkg/kubelet/userns/types.go
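Review bot: The Windows early return in getKubeletMappings (pkg/kubelet/kubelet_pods.go) hands back `defaultFirstID, defaultLen` with a nil error, so a caller cannot tell "user namespaces are unsupported on this OS" from "default ID range on a node that supports them". If nothing on Windows is meant to consume these values, the comment should say so, for example `// Windows has no user namespaces: these defaults are placeholders and must not be used as a real ID range.` The check also sits after the block closed by the two context braces, so whatever that block does still runs on Windows before the return; that code and the rest of the function are outside the hunk, so confirm it is safe there or move the check to the top of the function.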
@@ -0,0 +1,29 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package userns
+
+import "k8s.io/apimachinery/pkg/types"
+
+// Here go types that are common for all supported OS (windows, linux).
+
+type userNsPodsManager interface {
+ HandlerSupportsUserNamespaces(runtimeHandler string) (bool, error)
+ GetPodDir(podUID types.UID) string
+ ListPodsFromDisk() ([]types.UID, error)
+ GetKubeletMappings() (uint32, uint32, error)
+ GetMaxPods() int
+}
diff --git a/pkg/kubelet/userns/userns_manager.go b/pkg/kubelet/userns/userns_manager.go
index 73167783297..fa528b3f8fb 100644
--- a/pkg/kubelet/userns/userns_manager.go
+++ b/pkg/kubelet/userns/userns_manager.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 /*
 Copyright 2022 The Kubernetes Authors.
@@ -43,14 +46,6 @@ const userNsLength = (1 << 16)
 // since Go maps never free memory.
 const mapReInitializeThreshold = 1000
-type userNsPodsManager interface {
- HandlerSupportsUserNamespaces(runtimeHandler string) (bool, error)
- GetPodDir(podUID types.UID) string
- ListPodsFromDisk() ([]types.UID, error)
- GetKubeletMappings() (uint32, uint32, error)
- GetMaxPods() int
-}
-
 type UsernsManager struct {
 used *allocator.AllocationBitmap
 usedBy map[types.UID]uint32 // Map pod.UID to range used
diff --git a/pkg/kubelet/userns/userns_manager_disabled_test.go b/pkg/kubelet/userns/userns_manager_disabled_test.go
index 5d97233e3d1..a4099d0a79d 100644
--- a/pkg/kubelet/userns/userns_manager_disabled_test.go
+++ b/pkg/kubelet/userns/userns_manager_disabled_test.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 /*
 Copyright 2022 The Kubernetes Authors.
diff --git a/pkg/kubelet/userns/userns_manager_switch_test.go b/pkg/kubelet/userns/userns_manager_switch_test.go
index 9ce59971fb4..233b5c7fab3 100644
--- a/pkg/kubelet/userns/userns_manager_switch_test.go
+++ b/pkg/kubelet/userns/userns_manager_switch_test.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 /*
 Copyright 2024 The Kubernetes Authors.
diff --git a/pkg/kubelet/userns/userns_manager_test.go b/pkg/kubelet/userns/userns_manager_test.go
index 6aa497b6c5a..1631b23af05 100644
--- a/pkg/kubelet/userns/userns_manager_test.go
+++ b/pkg/kubelet/userns/userns_manager_test.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 /*
 Copyright 2022 The Kubernetes Authors.
diff --git a/pkg/kubelet/userns/userns_manager_windows.go b/pkg/kubelet/userns/userns_manager_windows.go
new file mode 100644
index 00000000000..bc40b718798
--- /dev/null
+++ b/pkg/kubelet/userns/userns_manager_windows.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package userns
+
+import (
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
+ runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+ kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+)
+
+type UsernsManager struct{}
+
+func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
+ return nil, nil
+}
+
+// Release releases the user namespace allocated to the specified pod.
+func (m *UsernsManager) Release(podUID types.UID) {
+ return
+}
+
+func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHandler string) (*runtimeapi.UserNamespace, error) {
+ return nil, nil
+}
+
+// CleanupOrphanedPodUsernsAllocations reconciliates the state of user namespace
+// allocations with the pods actually running. It frees any user namespace
+// allocation for orphaned pods.
+func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runningPods []*kubecontainer.Pod) error {
+ return nil
+}
+
+func EnabledUserNamespacesSupport() bool {
+ return false
+}
From 2e0622bf234cc69027e29bc6431b19ee6d7a0cc1 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 13 Mar 2025 19:51:14 +0100
Subject: [PATCH 3/4] pkg/kubelet/userns: Wrap error to get mappings

I needed to wrap the error for debugging, let's just keep this as it is useful.
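Review bot: The Windows stub `GetOrCreateUserNamespaceMappings` in userns_manager_windows.go returns `nil, nil` without looking at `pod`, so a pod that asks for a user namespace gets no mapping and no error, and the isolation it requested is dropped silently. Unless such pods are rejected earlier (not visible in this patch), the stub could fail closed with a guard such as `if pod != nil && pod.Spec.HostUsers != nil && !*pod.Spec.HostUsers { return nil, errors.New("user namespaces are not supported on windows") }`, which also needs the `errors` import. `MakeUserNsManager` returns a nil `*UsernsManager` with a nil error; the stub methods happen to be safe on a nil receiver because none of them dereference `m`, and that contract deserves a doc comment such as `// MakeUserNsManager returns a nil manager on Windows; all methods are no-ops and safe on a nil receiver.` The exported `UsernsManager` and `EnabledUserNamespacesSupport` also lack doc comments, and the bare `return` in `Release` is redundant.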
Signed-off-by: Rodrigo Campos
---
 pkg/kubelet/userns/userns_manager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/kubelet/userns/userns_manager.go b/pkg/kubelet/userns/userns_manager.go
index fa528b3f8fb..37528b94003 100644
--- a/pkg/kubelet/userns/userns_manager.go
+++ b/pkg/kubelet/userns/userns_manager.go
@@ -127,7 +127,7 @@ func (m *UsernsManager) readMappingsFromFile(pod types.UID) ([]byte, error) {
 func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
 kubeletMappingID, kubeletMappingLen, err := kl.GetKubeletMappings()
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("kubelet mappings: %w", err)
 }
 if kubeletMappingID%userNsLength != 0 {
From c9dbae7d069be1d5f73dfc743974a5038ec85a59 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 13 Mar 2025 21:22:42 +0100
Subject: [PATCH 4/4] pkg/kubelet/userns: Remove skip on windows

We don't build these tests for Windows, let's remove this skip. We should have never added that skip, we should have skipped the entire suite on Windows.
Signed-off-by: Rodrigo Campos
---
 pkg/kubelet/userns/userns_manager_test.go | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/pkg/kubelet/userns/userns_manager_test.go b/pkg/kubelet/userns/userns_manager_test.go
index 1631b23af05..0e6938c737e 100644
--- a/pkg/kubelet/userns/userns_manager_test.go
+++ b/pkg/kubelet/userns/userns_manager_test.go
@@ -23,7 +23,6 @@ import (
 "errors"
 "fmt"
 "os"
- goruntime "runtime"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -292,7 +291,6 @@ func TestGetOrCreateUserNamespaceMappings(t *testing.T) {
 runtimeUserns bool
 runtimeHandler string
 success bool
- skipOnWindows bool
 }{
 {
 name: "no user namespace",
@@ -326,7 +324,6 @@ func TestGetOrCreateUserNamespaceMappings(t *testing.T) {
 expMode: runtimeapi.NamespaceMode_POD,
 runtimeUserns: true,
 success: true,
- skipOnWindows: true,
 },
 {
 name: "user namespace, but no runtime support",
@@ -351,10 +348,6 @@ func TestGetOrCreateUserNamespaceMappings(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
- if tc.skipOnWindows && goruntime.GOOS == "windows" {
- // TODO: remove skip once the failing test has been fixed.
- t.Skip("Skip failing test on Windows.")
- }
 // These tests will create the userns file, so use an existing podDir.
 testUserNsPodsManager := &testUserNsPodsManager{
 podDir: t.TempDir(),