populate namespace options in runtimeapi.WindowsSandboxSecurityContext + unit tests

Signed-off-by: Mark Rossetti <marosset@microsoft.com>
2025-07-22 19:31:44 +00:00 · 2022-10-10 12:34:37 -07:00 · 2022-10-10 12:34:37 -07:00 · f4305db4ee
commit f4305db4ee
parent 11270f5f87
2 changed files with 97 additions and 3 deletions
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -24,8 +24,10 @@ import (

 	v1 "k8s.io/api/core/v1"
 	kubetypes "k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
 	"k8s.io/kubernetes/pkg/kubelet/types"
@ -231,6 +233,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod)
 		SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
 	}

+	if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostNetwork) {
+		wc.SecurityContext.NamespaceOptions = &runtimeapi.WindowsNamespaceOption{}
+		if kubecontainer.IsHostNetworkPod(pod) {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_NODE
+		} else {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_POD
+		}
+	}
+
 	// If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field
 	// explicitly because the container runtime requires this information at sandbox creation time.
 	if kubecontainer.HasWindowsHostProcessContainer(pod) {
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
@ -26,7 +26,10 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/features"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/runtimeclass"
 	rctest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
@ -168,7 +171,7 @@ func newSeccompPod(podFieldProfile, containerFieldProfile *v1.SeccompProfile, po
 	return pod
 }

-func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
+func TestGeneratePodSandboxWindowsConfig_HostProcess(t *testing.T) {
 	_, _, m, err := createTestRuntimeManager()
 	require.NoError(t, err)

@ -336,13 +339,93 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, false)()
 			pod := &v1.Pod{}
 			pod.Spec = *testCase.podSpec

 			wc, err := m.generatePodSandboxWindowsConfig(pod)

-			assert.Equal(t, wc, testCase.expectedWindowsConfig)
-			assert.Equal(t, err, testCase.expectedError)
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
+			assert.Equal(t, testCase.expectedError, err)
+		})
+	}
+}
+
+func TestGeneratePodSandboxWindowsConfig_HostNetwork(t *testing.T) {
+	_, _, m, err := createTestRuntimeManager()
+	require.NoError(t, err)
+
+	const containerName = "container"
+
+	testCases := []struct {
+		name                      string
+		hostNetworkFeatureEnabled bool
+		podSpec                   *v1.PodSpec
+		expectedWindowsConfig     *runtimeapi.WindowsPodSandboxConfig
+	}{
+		{
+			name:                      "feature disabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			},
+		},
+		{
+			name:                      "feature disabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			}},
+		{
+			name:                      "feature enabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_POD,
+					},
+				},
+			},
+		},
+		{
+			name:                      "feature enabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers:  []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_NODE,
+					},
+				},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, testCase.hostNetworkFeatureEnabled)()
+			pod := &v1.Pod{}
+			pod.Spec = *testCase.podSpec
+
+			wc, err := m.generatePodSandboxWindowsConfig(pod)
+
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
+			assert.Equal(t, nil, err)
 		})
 	}
 }