cleanup TODOs in dockershim

2025-07-25 12:43:23 +00:00 · 2016-11-07 11:41:06 +08:00 · 2016-11-07 11:41:06 +08:00 · f8e5f81fed
commit f8e5f81fed
parent 3aee57d4ae
4 changed files with 17 additions and 13 deletions
--- a/pkg/kubelet/dockershim/helpers.go
+++ b/pkg/kubelet/dockershim/helpers.go
@ -133,8 +133,6 @@ func generateMountBindings(mounts []*runtimeApi.Mount) (result []string) {
 		// does not provide an SELinux context relabeling will label the volume with
 		// the container's randomly allocated MCS label. This would restrict access
 		// to the volume to the container which mounts it first.
-		// TODO: always relabel if SELinux is enabled and the volume support relabeling
-		// (refer #33951 and #33663).
 		if m.GetSelinuxRelabel() {
 			if readOnly {
 				bind += ",Z"
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@ -36,16 +36,11 @@ func applySandboxSecurityContext(lc *runtimeapi.LinuxPodSandboxConfig, config *d
 	var sc *runtimeapi.LinuxContainerSecurityContext
 	if lc.SecurityContext != nil {
 		sc = &runtimeapi.LinuxContainerSecurityContext{
-			// TODO: We skip application of supplemental groups to the
-			// sandbox container to work around a runc issue which
-			// requires containers to have the '/etc/group'. For more
-			// information see: https://github.com/opencontainers/runc/pull/313.
-			// This can be removed once the fix makes it into the required
-			// version of docker.
-			RunAsUser:        lc.SecurityContext.RunAsUser,
-			ReadonlyRootfs:   lc.SecurityContext.ReadonlyRootfs,
-			SelinuxOptions:   lc.SecurityContext.SelinuxOptions,
-			NamespaceOptions: lc.SecurityContext.NamespaceOptions,
+			SupplementalGroups: lc.SecurityContext.SupplementalGroups,
+			RunAsUser:          lc.SecurityContext.RunAsUser,
+			ReadonlyRootfs:     lc.SecurityContext.ReadonlyRootfs,
+			SelinuxOptions:     lc.SecurityContext.SelinuxOptions,
+			NamespaceOptions:   lc.SecurityContext.NamespaceOptions,
 		}
 	}

@ -128,7 +123,7 @@ func modifyNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, sandboxID string
 	if sandboxID == "" {
 		modifyHostNetworkOptionForSandbox(hostNetwork, hostConfig)
 	} else {
-		// Set for container is sandboxID is provided.
+		// Set for container if sandboxID is provided.
 		modifyHostNetworkOptionForContainer(hostNetwork, sandboxID, hostConfig)
 	}
 }
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@ -61,6 +61,9 @@ func TestModifyContainerConfig(t *testing.T) {

 func TestModifyHostConfig(t *testing.T) {
 	priv := true
+	setNetworkHC := &dockercontainer.HostConfig{
+		NetworkMode: "none",
+	}
 	setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
 	setPrivSC.Privileged = &priv
 	setPrivHC := &dockercontainer.HostConfig{
@ -92,6 +95,11 @@ func TestModifyHostConfig(t *testing.T) {
 			sc:       fullValidSecurityContext(),
 			expected: fullValidHostConfig(),
 		},
+		{
+			name:     "empty container.SecurityContext",
+			sc:       &runtimeapi.LinuxContainerSecurityContext{},
+			expected: setNetworkHC,
+		},
 		{
 			name:     "container.SecurityContext.Privileged",
 			sc:       setPrivSC,
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -149,6 +149,9 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *api.Pod,
 			RunAsUser: sc.RunAsUser,
 		}

+		if sc.FSGroup != nil {
+			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, *sc.FSGroup)
+		}
 		if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
 			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, groups...)
 		}