From f4305db4ee53472232b832bd95ce2ab67d454d80 Mon Sep 17 00:00:00 2001
From: Mark Rossetti
Date: Mon, 10 Oct 2022 12:34:37 -0700
Subject: [PATCH] populate namespace options in runtimeapi.WindowsSandboxSecurityContext + unit tests

Signed-off-by: Mark Rossetti
---
 .../kuberuntime/kuberuntime_sandbox.go | 11 +++
 .../kuberuntime/kuberuntime_sandbox_test.go | 89 ++++++++++++++++++-
 2 files changed, 97 insertions(+), 3 deletions(-)

diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index ee209f53ef1..90a6fb5a63b 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -24,8 +24,10 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	kubetypes "k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
 	"k8s.io/kubernetes/pkg/kubelet/types"
@@ -231,6 +233,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod)
 		SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostNetwork) {
+		wc.SecurityContext.NamespaceOptions = &runtimeapi.WindowsNamespaceOption{}
+		if kubecontainer.IsHostNetworkPod(pod) {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_NODE
+		} else {
+			wc.SecurityContext.NamespaceOptions.Network = runtimeapi.NamespaceMode_POD
+		}
+	}
+
 	// If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field
 	// explicitly because the container runtime requires this information at sandbox creation time.
 	if kubecontainer.HasWindowsHostProcessContainer(pod) {
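Review bot: With the WindowsHostNetwork gate off, the new block in generatePodSandboxWindowsConfig leaves NamespaceOptions nil even when the pod asks for hostNetwork=true, so the runtime falls back to its own default and the request is dropped with no log line or error; that deserves a comment on the block, e.g. `// Gate off: NamespaceOptions stays nil and the runtime's default networking applies, so hostNetwork=true is not propagated.` Whether that default is pod-scoped networking cannot be confirmed from this hunk. As a style point, deriving the mode once and building the option in a single literal reads more directly than creating an empty WindowsNamespaceOption and assigning its Network field in two branches. The enclosing function continues outside the hunk.
```go
	if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostNetwork) {
		// Mirror the pod's hostNetwork request into the CRI namespace option:
		// NODE shares the node's network namespace, POD keeps the sandbox's own.
		network := runtimeapi.NamespaceMode_POD
		if kubecontainer.IsHostNetworkPod(pod) {
			network = runtimeapi.NamespaceMode_NODE
		}
		wc.SecurityContext.NamespaceOptions = &runtimeapi.WindowsNamespaceOption{Network: network}
	}
	// … unchanged: HostProcess handling …
```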
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
index cd90a72bdfb..609a3c751ca 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
@@ -26,7 +26,10 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/features"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/runtimeclass"
 	rctest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
@@ -168,7 +171,7 @@ func newSeccompPod(podFieldProfile, containerFieldProfile *v1.SeccompProfile, po
 	return pod
 }
 
-func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
+func TestGeneratePodSandboxWindowsConfig_HostProcess(t *testing.T) {
 	_, _, m, err := createTestRuntimeManager()
 	require.NoError(t, err)
 
@@ -336,13 +339,93 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, false)()
 			pod := &v1.Pod{}
 			pod.Spec = *testCase.podSpec
 
 			wc, err := m.generatePodSandboxWindowsConfig(pod)
 
-			assert.Equal(t, wc, testCase.expectedWindowsConfig)
-			assert.Equal(t, err, testCase.expectedError)
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
+			assert.Equal(t, testCase.expectedError, err)
+		})
+	}
+}
+
+func TestGeneratePodSandboxWindowsConfig_HostNetwork(t *testing.T) {
+	_, _, m, err := createTestRuntimeManager()
+	require.NoError(t, err)
+
+	const containerName = "container"
+
+	testCases := []struct {
+		name string
+		hostNetworkFeatureEnabled bool
+		podSpec *v1.PodSpec
+		expectedWindowsConfig *runtimeapi.WindowsPodSandboxConfig
+	}{
+		{
+			name: "feature disabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers: []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			},
+		},
+		{
+			name: "feature disabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: false,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers: []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{},
+			}},
+		{
+			name: "feature enabled, hostNetwork=false",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: false,
+				Containers: []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_POD,
+					},
+				},
+			},
+		},
+		{
+			name: "feature enabled, hostNetwork=true",
+			hostNetworkFeatureEnabled: true,
+			podSpec: &v1.PodSpec{
+				HostNetwork: true,
+				Containers: []v1.Container{{Name: containerName}},
+			},
+			expectedWindowsConfig: &runtimeapi.WindowsPodSandboxConfig{
+				SecurityContext: &runtimeapi.WindowsSandboxSecurityContext{
+					NamespaceOptions: &runtimeapi.WindowsNamespaceOption{
+						Network: runtimeapi.NamespaceMode_NODE,
+					},
+				},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostNetwork, testCase.hostNetworkFeatureEnabled)()
+			pod := &v1.Pod{}
+			pod.Spec = *testCase.podSpec
+
+			wc, err := m.generatePodSandboxWindowsConfig(pod)
+
+			assert.Equal(t, testCase.expectedWindowsConfig, wc)
+			assert.Equal(t, nil, err)
+		})
+	}
+}
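Review bot: `assert.Equal(t, nil, err)` at the end of TestGeneratePodSandboxWindowsConfig_HostNetwork compares an untyped nil with an error interface; it passes when err is nil but yields an unhelpful diff on failure, and `assert.NoError(t, err)` is the idiomatic form matching the `require.NoError` already used at the top of the test. The four new cases never combine HostNetwork: true with a HostProcess container, and the HostProcess test now pins the gate off, so a config carrying both NamespaceOptions and HostProcess is never produced by any test; one case with the gate on, HostNetwork: true and a pod-level Windows HostProcess option would cover that interaction. The `}},` closing on the second case is inconsistent with the other three and is worth splitting onto two lines for readability.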