deprecate ExperimentalHostUserNamespaceDefaulting

2026-01-04 23:17:50 +00:00 · 2023-03-17 17:25:23 +00:00
parent aa0fea6944
commit eb60dce33b
5 changed files with 52 additions and 372 deletions
--- a/pkg/kubelet/kubelet_pods_test.go
+++ b/pkg/kubelet/kubelet_pods_test.go
@@ -3437,222 +3437,6 @@ func TestGetPortForward(t *testing.T) {
 	}
 }

-func TestHasHostMountPVC(t *testing.T) {
-	type testcase struct {
-		pvError         error
-		pvcError        error
-		expected        bool
-		podHasPVC       bool
-		pvcIsHostPath   bool
-		podHasEphemeral bool
-	}
-	tests := map[string]testcase{
-		"no pvc": {podHasPVC: false, expected: false},
-		"error fetching pvc": {
-			podHasPVC: true,
-			pvcError:  fmt.Errorf("foo"),
-			expected:  false,
-		},
-		"error fetching pv": {
-			podHasPVC: true,
-			pvError:   fmt.Errorf("foo"),
-			expected:  false,
-		},
-		"host path pvc": {
-			podHasPVC:     true,
-			pvcIsHostPath: true,
-			expected:      true,
-		},
-		"enabled ephemeral host path": {
-			podHasEphemeral: true,
-			pvcIsHostPath:   true,
-			expected:        true,
-		},
-		"non host path pvc": {
-			podHasPVC:     true,
-			pvcIsHostPath: false,
-			expected:      false,
-		},
-	}
-
-	run := func(t *testing.T, v testcase) {
-		ctx := context.Background()
-		testKubelet := newTestKubelet(t, false)
-		defer testKubelet.Cleanup()
-		pod := &v1.Pod{
-			Spec: v1.PodSpec{},
-		}
-
-		volumeToReturn := &v1.PersistentVolume{
-			Spec: v1.PersistentVolumeSpec{},
-		}
-
-		if v.podHasPVC {
-			pod.Spec.Volumes = []v1.Volume{
-				{
-					VolumeSource: v1.VolumeSource{
-						PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{},
-					},
-				},
-			}
-		}
-
-		if v.podHasEphemeral {
-			pod.Spec.Volumes = []v1.Volume{
-				{
-					Name: "xyz",
-					VolumeSource: v1.VolumeSource{
-						Ephemeral: &v1.EphemeralVolumeSource{},
-					},
-				},
-			}
-		}
-
-		if (v.podHasPVC || v.podHasEphemeral) && v.pvcIsHostPath {
-			volumeToReturn.Spec.PersistentVolumeSource = v1.PersistentVolumeSource{
-				HostPath: &v1.HostPathVolumeSource{},
-			}
-		}
-
-		testKubelet.fakeKubeClient.AddReactor("get", "persistentvolumeclaims", func(action core.Action) (bool, runtime.Object, error) {
-			return true, &v1.PersistentVolumeClaim{
-				Spec: v1.PersistentVolumeClaimSpec{
-					VolumeName: "foo",
-				},
-			}, v.pvcError
-		})
-		testKubelet.fakeKubeClient.AddReactor("get", "persistentvolumes", func(action core.Action) (bool, runtime.Object, error) {
-			return true, volumeToReturn, v.pvError
-		})
-
-		actual := testKubelet.kubelet.hasHostMountPVC(ctx, pod)
-		if actual != v.expected {
-			t.Errorf("expected %t but got %t", v.expected, actual)
-		}
-	}
-
-	for k, v := range tests {
-		t.Run(k, func(t *testing.T) {
-			run(t, v)
-		})
-	}
-}
-
-func TestHasNonNamespacedCapability(t *testing.T) {
-	createPodWithCap := func(caps []v1.Capability) *v1.Pod {
-		pod := &v1.Pod{
-			Spec: v1.PodSpec{
-				Containers: []v1.Container{{}},
-			},
-		}
-
-		if len(caps) > 0 {
-			pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
-				Capabilities: &v1.Capabilities{
-					Add: caps,
-				},
-			}
-		}
-		return pod
-	}
-
-	nilCaps := createPodWithCap([]v1.Capability{v1.Capability("foo")})
-	nilCaps.Spec.Containers[0].SecurityContext = nil
-
-	tests := map[string]struct {
-		pod      *v1.Pod
-		expected bool
-	}{
-		"nil security contxt":           {createPodWithCap(nil), false},
-		"nil caps":                      {nilCaps, false},
-		"namespaced cap":                {createPodWithCap([]v1.Capability{v1.Capability("foo")}), false},
-		"non-namespaced cap MKNOD":      {createPodWithCap([]v1.Capability{v1.Capability("MKNOD")}), true},
-		"non-namespaced cap SYS_TIME":   {createPodWithCap([]v1.Capability{v1.Capability("SYS_TIME")}), true},
-		"non-namespaced cap SYS_MODULE": {createPodWithCap([]v1.Capability{v1.Capability("SYS_MODULE")}), true},
-	}
-
-	for k, v := range tests {
-		actual := hasNonNamespacedCapability(v.pod)
-		if actual != v.expected {
-			t.Errorf("%s failed, expected %t but got %t", k, v.expected, actual)
-		}
-	}
-}
-
-func TestHasHostVolume(t *testing.T) {
-	pod := &v1.Pod{
-		Spec: v1.PodSpec{
-			Volumes: []v1.Volume{
-				{
-					VolumeSource: v1.VolumeSource{
-						HostPath: &v1.HostPathVolumeSource{},
-					},
-				},
-			},
-		},
-	}
-
-	result := hasHostVolume(pod)
-	if !result {
-		t.Errorf("expected host volume to enable host user namespace")
-	}
-
-	pod.Spec.Volumes[0].VolumeSource.HostPath = nil
-	result = hasHostVolume(pod)
-	if result {
-		t.Errorf("expected nil host volume to not enable host user namespace")
-	}
-}
-
-func TestHasHostNamespace(t *testing.T) {
-	tests := map[string]struct {
-		ps       v1.PodSpec
-		expected bool
-	}{
-		"nil psc": {
-			ps:       v1.PodSpec{},
-			expected: false},
-
-		"host pid true": {
-			ps: v1.PodSpec{
-				HostPID:         true,
-				SecurityContext: &v1.PodSecurityContext{},
-			},
-			expected: true,
-		},
-		"host ipc true": {
-			ps: v1.PodSpec{
-				HostIPC:         true,
-				SecurityContext: &v1.PodSecurityContext{},
-			},
-			expected: true,
-		},
-		"host net true": {
-			ps: v1.PodSpec{
-				HostNetwork:     true,
-				SecurityContext: &v1.PodSecurityContext{},
-			},
-			expected: true,
-		},
-		"no host ns": {
-			ps: v1.PodSpec{
-				SecurityContext: &v1.PodSecurityContext{},
-			},
-			expected: false,
-		},
-	}
-
-	for k, v := range tests {
-		pod := &v1.Pod{
-			Spec: v.ps,
-		}
-		actual := hasHostNamespace(pod)
-		if actual != v.expected {
-			t.Errorf("%s failed, expected %t but got %t", k, v.expected, actual)
-		}
-	}
-}
-
 func TestTruncatePodHostname(t *testing.T) {
 	for c, test := range map[string]struct {
 		input  string