From d05bcf6800e168d3b83615e270ff42e1d9ecb14c Mon Sep 17 00:00:00 2001
From: Lee Verberne
Date: Sun, 3 Nov 2019 17:13:32 +0000
Subject: [PATCH] Add namespace mode targeting to dockershim

---
 pkg/kubelet/dockershim/security_context.go | 21 +++++----
 .../dockershim/security_context_test.go | 44 +++++++++++++++++++
 2 files changed, 54 insertions(+), 11 deletions(-)

diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
index 8f52b261154..38fed8daded 100644
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@@ -146,24 +146,23 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 // modifySandboxNamespaceOptions apply namespace options for sandbox
 func modifySandboxNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig, network *knetwork.PluginManager) {
 	// The sandbox's PID namespace is the one that's shared, so CONTAINER and POD are equivalent for it
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
+	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
+		hostConfig.PidMode = namespaceModeHost
+	}
 	modifyHostOptionsForSandbox(nsOpts, network, hostConfig)
 }
 
 // modifyContainerNamespaceOptions apply namespace options for container
 func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSandboxID string, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_POD {
-		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", podSandboxID))
-	}
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
-	modifyHostOptionsForContainer(nsOpts, podSandboxID, hostConfig)
-}
-
-// modifyCommonNamespaceOptions apply common namespace options for sandbox and container
-func modifyCommonNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
+	switch nsOpts.GetPid() {
+	case runtimeapi.NamespaceMode_NODE:
 		hostConfig.PidMode = namespaceModeHost
+	case runtimeapi.NamespaceMode_POD:
+		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", podSandboxID))
+	case runtimeapi.NamespaceMode_TARGET:
+		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", nsOpts.GetTargetId()))
 	}
+	modifyHostOptionsForContainer(nsOpts, podSandboxID, hostConfig)
 }
 
 // modifyHostOptionsForSandbox applies NetworkMode/UTSMode to sandbox's dockercontainer.HostConfig.
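Review bot: The new `NamespaceMode_TARGET` case in modifyContainerNamespaceOptions builds `container:<id>` straight from `nsOpts.GetTargetId()` with no check that the id is non-empty, so an unset TargetId yields the mode string `container:`, which is presumably rejected by docker later with a far less useful error than a check here would give. The function has no error return, so a real guard belongs in the caller that assembles the CreateContainer config; in this hunk I would at least document the trust boundary on the TARGET case: `// TARGET: join the PID namespace of the container in TargetId. The kubelet is trusted to have resolved it to a running container of this pod; neither pod membership nor emptiness is verified here.` A one-line comment on the sandbox branch would likewise make explicit that POD and TARGET are deliberately ignored for the sandbox (the tests call TARGET "invalid for sandbox", but the code drops it silently rather than rejecting it). Both functions are fully inside the hunk.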
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
index d653c071179..46fb825adcf 100644
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@@ -345,6 +345,27 @@ func TestModifySandboxNamespaceOptions(t *testing.T) {
 				NetworkMode: "default",
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption (for sandbox is same as container ns option)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode: "",
+				NetworkMode: "default",
+			},
+		},
+		{
+			name: "Target PID NamespaceOption (invalid for sandbox)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_TARGET,
+				TargetId: "same-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode: "",
+				NetworkMode: "default",
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}
@@ -395,6 +416,29 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 				PidMode: namespaceModeHost,
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode: dockercontainer.IpcMode(sandboxNSMode),
+				PidMode: dockercontainer.PidMode(sandboxNSMode),
+			},
+		},
+		{
+			name: "Target PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_TARGET,
+				TargetId: "some-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode: dockercontainer.IpcMode(sandboxNSMode),
+				PidMode: dockercontainer.PidMode("container:some-container"),
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}
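Review bot: The "Target PID NamespaceOption" case in TestModifyContainerNamespaceOptions only exercises a populated TargetId, so what happens for TARGET mode with an empty TargetId (which the implementation in this patch would render as `PidMode: "container:"`) is neither pinned nor rejected by any test. I would add a case with `Pid: runtimeapi.NamespaceMode_TARGET` and no `TargetId` and decide explicitly whether the expected PidMode is `"container:"` or whether the caller is supposed to refuse such a request before it reaches this function. The sandbox case named "invalid for sandbox" likewise asserts only that the mode is silently ignored; if invalid input is meant to be rejected at some layer, a test at that layer would carry more weight than this one. Both test functions start outside the hunks.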