cleanup TODOs in dockershim

pkg/kubelet/dockershim/helpers.go

@@ -133,8 +133,6 @@ func generateMountBindings(mounts []*runtimeApi.Mount) (result []string) {
 		// does not provide an SELinux context relabeling will label the volume with
 		// the container's randomly allocated MCS label. This would restrict access
 		// to the volume to the container which mounts it first.
-		// TODO: always relabel if SELinux is enabled and the volume support relabeling
-		// (refer #33951 and #33663).
 		if m.GetSelinuxRelabel() {
 			if readOnly {
 				bind += ",Z"

pkg/kubelet/dockershim/security_context.go

@@ -36,16 +36,11 @@ func applySandboxSecurityContext(lc *runtimeapi.LinuxPodSandboxConfig, config *d
 	var sc *runtimeapi.LinuxContainerSecurityContext
 	if lc.SecurityContext != nil {
 		sc = &runtimeapi.LinuxContainerSecurityContext{
-			// TODO: We skip application of supplemental groups to the
+			SupplementalGroups: lc.SecurityContext.SupplementalGroups,
-			// sandbox container to work around a runc issue which
+			RunAsUser:          lc.SecurityContext.RunAsUser,
-			// requires containers to have the '/etc/group'. For more
+			ReadonlyRootfs:     lc.SecurityContext.ReadonlyRootfs,
-			// information see: https://github.com/opencontainers/runc/pull/313.
+			SelinuxOptions:     lc.SecurityContext.SelinuxOptions,
-			// This can be removed once the fix makes it into the required
+			NamespaceOptions:   lc.SecurityContext.NamespaceOptions,
-			// version of docker.
-			RunAsUser:        lc.SecurityContext.RunAsUser,
-			ReadonlyRootfs:   lc.SecurityContext.ReadonlyRootfs,
-			SelinuxOptions:   lc.SecurityContext.SelinuxOptions,
-			NamespaceOptions: lc.SecurityContext.NamespaceOptions,
 		}
 	}
 
@@ -128,7 +123,7 @@ func modifyNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, sandboxID string
 	if sandboxID == "" {
 		modifyHostNetworkOptionForSandbox(hostNetwork, hostConfig)
 	} else {
-		// Set for container is sandboxID is provided.
+		// Set for container if sandboxID is provided.
 		modifyHostNetworkOptionForContainer(hostNetwork, sandboxID, hostConfig)
 	}
 }

pkg/kubelet/dockershim/security_context_test.go

@@ -61,6 +61,9 @@ func TestModifyContainerConfig(t *testing.T) {
 
 func TestModifyHostConfig(t *testing.T) {
 	priv := true
+	setNetworkHC := &dockercontainer.HostConfig{
+		NetworkMode: "none",
+	}
 	setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
 	setPrivSC.Privileged = &priv
 	setPrivHC := &dockercontainer.HostConfig{
@@ -92,6 +95,11 @@ func TestModifyHostConfig(t *testing.T) {
 			sc:       fullValidSecurityContext(),
 			expected: fullValidHostConfig(),
 		},
+		{
+			name:     "empty container.SecurityContext",
+			sc:       &runtimeapi.LinuxContainerSecurityContext{},
+			expected: setNetworkHC,
+		},
 		{
 			name:     "container.SecurityContext.Privileged",
 			sc:       setPrivSC,

pkg/kubelet/kuberuntime/kuberuntime_sandbox.go

@@ -149,6 +149,9 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *api.Pod,
 			RunAsUser: sc.RunAsUser,
 		}
 
+		if sc.FSGroup != nil {
+			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, *sc.FSGroup)
+		}
 		if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
 			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, groups...)
 		}