New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add pod os field #104693
Add pod os field #104693
Conversation
/remove-sig api-machinery |
a5d6d60
to
668bc4b
Compare
/remove-sig api-machinery |
} | ||
// OS based podSecurityContext validation | ||
// TODO: Think if we need to relax this restriction or some of the restrictions | ||
if os != nil && os.Name == "windows" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add these to the list?
- runAsUser
- runAsGroup
- supplementalGroups
Also note that runAsNonRoot
IS supported for Windows.
// There is some naming overlap between Windows and Linux Security Contexts but all the Windows Specific options | ||
// are set via securityContext.WindowsOptions which we validate below | ||
// TODO: Think if we need to relax this restriction or some of the restrictions | ||
if os != nil && os.Name == "windows" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add these?
- runAsUser
- runAsGroup
/remove-sig api-machinery |
/retest |
5eb528e
to
b0af59c
Compare
allErrs = append(allErrs, field.Forbidden(fldPath.Child("allowPrivilegeEscalation"), "cannot be set for windows pods")) | ||
} | ||
if sc.ProcMount != nil { | ||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("procMount"), "procMount cannot be set for windows pods")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
allErrs = append(allErrs, field.Forbidden(fldPath.Child("procMount"), "procMount cannot be set for windows pods")) | |
allErrs = append(allErrs, field.Forbidden(fldPath.Child("procMount"), "cannot be set for windows pods")) |
nit
sc := c.SecurityContext | ||
if sc != nil && sc.WindowsOptions != nil { | ||
fldPath := cFldPath.Child("securityContext") | ||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("windowsOptions"), "windows options cannot be set to a linux pod")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
allErrs = append(allErrs, field.Forbidden(fldPath.Child("windowsOptions"), "windows options cannot be set to a linux pod")) | |
allErrs = append(allErrs, field.Forbidden(fldPath.Child("windowsOptions"), "windows options cannot be set on a linux pod")) |
Should this error message be either 'windows options cannot be set for a linux pod' or 'windows options cannot be set on a linux pod'?
'windows options cannot be set on to a linux pod' is a bit confusing to me.
(if we change this we'll need to change the line above and unit tests too)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree either "on" or "for" is better. @ravisantoshgudimetla please change that on all the messages
return allErrs | ||
} | ||
if !opts.AllowOSField { | ||
return append(allErrs, field.Forbidden(fldPath, "cannot be set when IdentifyPodOS feature is not set")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return append(allErrs, field.Forbidden(fldPath, "cannot be set when IdentifyPodOS feature is not set")) | |
return append(allErrs, field.Forbidden(fldPath, "cannot be set when IdentifyPodOS feature is not enabled")) |
very minor nit (feel free to close/ignore)
I have a couple of minor comments regarding error messages but other than that this LGTM. |
e93e6de
to
8a65330
Compare
/lgtm Thanks for the updates @ravisantoshgudimetla |
/test pull-kubernetes-unit |
Once kubernetes#104613 and kubernetes#104693 merge, we'll have OS field in pod spec. Kubelet should start rejecting pods where pod.Spec.OS and node's OS(using runtime.GOOS) won't match
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: