github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 03:33:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #118691 from giuseppe/drop-check-for-volumes

Browse Source 
apis: drop check for volumes with user namespaces
This commit is contained in:
Kubernetes Prow Robot 2023-06-29 16:23:56 -07:00 committed by GitHub
commit c2b7d25ff8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 17 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/api/pod/util.go
View File

@ -477,7 +477,7 @@ func dropDisabledFields(
} }
// If the feature is disabled and not in use, drop the hostUsers field. // If the feature is disabled and not in use, drop the hostUsers field.
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) && !hostUsersInUse(oldPodSpec) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) && !hostUsersInUse(oldPodSpec) {
// Drop the field in podSpec only if SecurityContext is not nil. // Drop the field in podSpec only if SecurityContext is not nil.
// If it is nil, there is no need to set hostUsers=nil (it will be nil too). // If it is nil, there is no need to set hostUsers=nil (it will be nil too).
if podSpec.SecurityContext != nil { if podSpec.SecurityContext != nil {

2
pkg/api/pod/util_test.go
View File

@ -1700,7 +1700,7 @@ func TestDropHostUsers(t *testing.T) {
} }
t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) { t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesStatelessPodsSupport, enabled)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesSupport, enabled)()
DropDisabledPodFields(newPod, oldPod) DropDisabledPodFields(newPod, oldPod)

19
pkg/apis/core/validation/validation.go
View File

@ -3251,25 +3251,6 @@ func validateHostUsers(spec *core.PodSpec, fldPath *field.Path) field.ErrorList
return allErrs return allErrs
} }
// For now only these volumes are supported:
// - configmap
// - secret
// - downwardAPI
// - emptyDir
// - projected
// So reject anything else.
for i, vol := range spec.Volumes {
switch {
case vol.EmptyDir != nil:
case vol.Secret != nil:
case vol.DownwardAPI != nil:
case vol.ConfigMap != nil:
case vol.Projected != nil:
default:
allErrs = append(allErrs, field.Forbidden(fldPath.Child("volumes").Index(i), "volume type not supported when `pod.Spec.HostUsers` is false"))
}
}
// We decided to restrict the usage of userns with other host namespaces: // We decided to restrict the usage of userns with other host namespaces:
// https://github.com/kubernetes/kubernetes/pull/111090#discussion_r935994282 // https://github.com/kubernetes/kubernetes/pull/111090#discussion_r935994282
// The tl;dr is: you can easily run into permission issues that seem unexpected, we don't // The tl;dr is: you can easily run into permission issues that seem unexpected, we don't

5
pkg/apis/core/validation/validation_test.go
View File

@ -21740,8 +21740,8 @@ func TestValidateHostUsers(t *testing.T) {
}}, }},
}, },
}, { }, {
name: "hostUsers=false - unsupported volume", name: "hostUsers=false - stateful volume",
success: false, success: true,
spec: &core.PodSpec{ spec: &core.PodSpec{
SecurityContext: &core.PodSecurityContext{ SecurityContext: &core.PodSecurityContext{
HostUsers: &falseVar, HostUsers: &falseVar,
@ -21754,7 +21754,6 @@ func TestValidateHostUsers(t *testing.T) {
}}, }},
}, },
}, { }, {
// It should ignore unsupported volumes with hostUsers=true.
name: "hostUsers=true - unsupported volume", name: "hostUsers=true - unsupported volume",
success: true, success: true,
spec: &core.PodSpec{ spec: &core.PodSpec{

4
pkg/features/kube_features.go
View File

@ -787,7 +787,7 @@ const (
// alpha: v1.25 // alpha: v1.25
// //
// Enables user namespace support for stateless pods. // Enables user namespace support for stateless pods.
UserNamespacesStatelessPodsSupport featuregate.Feature = "UserNamespacesStatelessPodsSupport" UserNamespacesSupport featuregate.Feature = "UserNamespacesSupport"
// owner: @cofyc // owner: @cofyc
// alpha: v1.21 // alpha: v1.21
@ -1050,7 +1050,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
VolumeCapacityPriority: {Default: false, PreRelease: featuregate.Alpha}, VolumeCapacityPriority: {Default: false, PreRelease: featuregate.Alpha},
UserNamespacesStatelessPodsSupport: {Default: false, PreRelease: featuregate.Alpha}, UserNamespacesSupport: {Default: false, PreRelease: featuregate.Alpha},
WinDSR: {Default: false, PreRelease: featuregate.Alpha}, WinDSR: {Default: false, PreRelease: featuregate.Alpha},

2
pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
View File

@ -55,7 +55,7 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
} }
config.Linux = cl config.Linux = cl
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.UserNamespacesStatelessPodsSupport) { if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.UserNamespacesSupport) {
if cl.SecurityContext.NamespaceOptions.UsernsOptions != nil { if cl.SecurityContext.NamespaceOptions.UsernsOptions != nil {
for _, mount := range config.Mounts { for _, mount := range config.Mounts {
mount.UidMappings = cl.SecurityContext.NamespaceOptions.UsernsOptions.Uids mount.UidMappings = cl.SecurityContext.NamespaceOptions.UsernsOptions.Uids

8
pkg/kubelet/userns/userns_manager.go
View File

@ -142,7 +142,7 @@ func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
} }
// do not bother reading the list of pods if user namespaces are not enabled. // do not bother reading the list of pods if user namespaces are not enabled.
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
return &m, nil return &m, nil
} }
@ -258,7 +258,7 @@ func (m *UsernsManager) record(pod types.UID, from, length uint32) (err error) {
// Release releases the user namespace allocated to the specified pod. // Release releases the user namespace allocated to the specified pod.
func (m *UsernsManager) Release(podUID types.UID) { func (m *UsernsManager) Release(podUID types.UID) {
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
return return
} }
@ -367,7 +367,7 @@ func (m *UsernsManager) createUserNs(pod *v1.Pod) (userNs userNamespace, err err
// GetOrCreateUserNamespaceMappings returns the configuration for the sandbox user namespace // GetOrCreateUserNamespaceMappings returns the configuration for the sandbox user namespace
func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod) (*runtimeapi.UserNamespace, error) { func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod) (*runtimeapi.UserNamespace, error) {
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
return nil, nil return nil, nil
} }
@ -427,7 +427,7 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod) (*runtimea
// allocations with the pods actually running. It frees any user namespace // allocations with the pods actually running. It frees any user namespace
// allocation for orphaned pods. // allocation for orphaned pods.
func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runningPods []*kubecontainer.Pod) error { func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runningPods []*kubecontainer.Pod) error {
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) { if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
return nil return nil
} }

4
pkg/kubelet/userns/userns_manager_test.go
View File

@ -40,7 +40,7 @@ func (m *testUserNsPodsManager) ListPodsFromDisk() ([]types.UID, error) {
} }
func TestUserNsManagerAllocate(t *testing.T) { func TestUserNsManagerAllocate(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesStatelessPodsSupport, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)()
testUserNsPodsManager := &testUserNsPodsManager{} testUserNsPodsManager := &testUserNsPodsManager{}
m, err := MakeUserNsManager(testUserNsPodsManager) m, err := MakeUserNsManager(testUserNsPodsManager)
@ -90,7 +90,7 @@ func TestUserNsManagerAllocate(t *testing.T) {
} }
func TestUserNsManagerParseUserNsFile(t *testing.T) { func TestUserNsManagerParseUserNsFile(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesStatelessPodsSupport, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)()
cases := []struct { cases := []struct {
name string name string

8
test/e2e/common/node/security_context.go
View File

@ -72,7 +72,7 @@ var _ = SIGDescribe("Security Context", func() {
} }
} }
ginkgo.It("must create the user namespace if set to false [LinuxOnly] [Feature:UserNamespacesStatelessPodsSupport]", func(ctx context.Context) { ginkgo.It("must create the user namespace if set to false [LinuxOnly] [Feature:UserNamespacesSupport]", func(ctx context.Context) {
// with hostUsers=false the pod must use a new user namespace // with hostUsers=false the pod must use a new user namespace
podClient := e2epod.PodClientNS(f, f.Namespace.Name) podClient := e2epod.PodClientNS(f, f.Namespace.Name)
@ -110,7 +110,7 @@ var _ = SIGDescribe("Security Context", func() {
} }
}) })
ginkgo.It("must not create the user namespace if set to true [LinuxOnly] [Feature:UserNamespacesStatelessPodsSupport]", func(ctx context.Context) { ginkgo.It("must not create the user namespace if set to true [LinuxOnly] [Feature:UserNamespacesSupport]", func(ctx context.Context) {
// with hostUsers=true the pod must use the host user namespace // with hostUsers=true the pod must use the host user namespace
pod := makePod(true) pod := makePod(true)
// When running in the host's user namespace, the /proc/self/uid_map file content looks like: // When running in the host's user namespace, the /proc/self/uid_map file content looks like:
@ -121,7 +121,7 @@ var _ = SIGDescribe("Security Context", func() {
}) })
}) })
ginkgo.It("should mount all volumes with proper permissions with hostUsers=false [LinuxOnly] [Feature:UserNamespacesStatelessPodsSupport]", func(ctx context.Context) { ginkgo.It("should mount all volumes with proper permissions with hostUsers=false [LinuxOnly] [Feature:UserNamespacesSupport]", func(ctx context.Context) {
// Create all volume types supported: configmap, secret, downwardAPI, projected. // Create all volume types supported: configmap, secret, downwardAPI, projected.
// Create configmap. // Create configmap.
@ -245,7 +245,7 @@ var _ = SIGDescribe("Security Context", func() {
}) })
}) })
ginkgo.It("should set FSGroup to user inside the container with hostUsers=false [LinuxOnly] [Feature:UserNamespacesStatelessPodsSupport]", func(ctx context.Context) { ginkgo.It("should set FSGroup to user inside the container with hostUsers=false [LinuxOnly] [Feature:UserNamespacesSupport]", func(ctx context.Context) {
// Create configmap. // Create configmap.
name := "userns-volumes-test-" + string(uuid.NewUUID()) name := "userns-volumes-test-" + string(uuid.NewUUID())
configMap := newConfigMap(f, name) configMap := newConfigMap(f, name)