Add support for user namespaces phase 1 (KEP 127) #111090
Merged
+2,763
−947
Commits on Aug 2, 2022
-
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-
pkg/apis, staging: add HostUsers to pod spec
It is used to request that a pod runs in a unique user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
Commits on Aug 3, 2022
-
features: add UserNamespacesSupport feature
define a feature gate for the user namespaces support. The feature is not enabled by default. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-
apis: add validation for HostUsers
This commit just adds a validation according to KEP-127. We check that only the supported volumes for phase 1 of the KEP are accepted. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
it is used to allocate and keep track of the unique users ranges assigned to each pod that runs in a user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
kubelet: add GetUserNamespaceMappings to RuntimeHelper
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-
kubelet: add GetHostIDsForPod()
In future commits we will need this to set the user/group of supported volumes of KEP 127 - Phase 1. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
volume: use GetHostIDsForPod()
This commit only changes the UID/GID if user namespaces is enabled. When it is enabled, it changes it so the hostUID and hostGID that are mapped to the currently used UID/GID. This is needed so volumes are created with the hostUID/hostGID and the user inside the container can read them. If user namespaces are disabled for this pod, this is a no-op: there is no user namespace mapping, so the hostUID/hostGID are the same as inside the container. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
kubelet: propagate errors from namespacesForPod
it is a preparatory change for the next commit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-
kubelet: set user namespace options
Set the user namespace options to use for the pod. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
tests: add e2e tests for userns
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
-
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.