From 2cd08156ed1b8f55266fe1187c57ab6ffbf13ddf Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Sat, 17 Feb 2024 18:54:30 -0300
Subject: [PATCH] cri: Expose runtimeHandler support for userns

Since kubernetes 1.30, the kubelet will query the runtime handlers features and only start pods with userns if the runtime handler used for that pod supports it.

Let's expose the user namespace support to the kubelet.

Signed-off-by: Rodrigo Campos
---
 internal/cri/server/service.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/internal/cri/server/service.go b/internal/cri/server/service.go
index 8e82d226f..182590f60 100644
--- a/internal/cri/server/service.go
+++ b/internal/cri/server/service.go
@@ -381,6 +381,9 @@ func (c *criService) introspectRuntimeHandlers(ctx context.Context) ([]*runtime.
 				log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name)
 			}
 		}
+		userns := supportsCRIUserns(rawFeatures)
+		h.Features.UserNamespaces = userns
+		log.G(ctx).Debugf("runtime %q supports CRI userns: %v", name, userns)
 	}
 	res = append(res, &h)
 	if name == c.config.DefaultRuntimeName {
@@ -438,3 +441,20 @@ func introspectRuntimeFeatures(ctx context.Context, intro introspection.Service,
 	}
 	return features, nil
 }
+
+func supportsCRIUserns(f *features.Features) bool {
+	if f == nil {
+		return false
+	}
+	userns := slices.Contains(f.Linux.Namespaces, "user")
+	var idmap bool
+	if m := f.Linux.MountExtensions; m != nil && m.IDMap != nil && m.IDMap.Enabled != nil {
+		if *m.IDMap.Enabled {
+			idmap = true
+		}
+	}
+	// user namespace support in CRI requires userns and idmap support.
+	return userns && idmap
+}
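Review bot: The new `userns := supportsCRIUserns(rawFeatures)` line advertises user-namespace support to the kubelet from the runtime's self-reported features alone, whereas the recursive-read-only branch immediately above it also asks whether the kernel can honour the runtime's claim. Since Kubernetes 1.30 the kubelet treats `UserNamespaces` as a capability and will admit userns pods to this handler, so a host whose kernel or configured snapshotter presumably cannot provide idmapped mounts would see those pods fail at sandbox creation rather than being refused up front; a kernel/snapshotter probe mirrored on the RRO pattern, or at least a comment such as `// Reports only what the runtime advertises; kernel idmapped-mount and snapshotter support are not probed here.`, would make that gap explicit. If `rawFeatures` can be nil when introspection fails, the helper's nil check keeps the flag false, which is the right fail-closed default. introspectRuntimeHandlers starts and ends outside the hunk.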
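Review bot: `supportsCRIUserns` guards against a nil `f` but then dereferences `f.Linux` twice; if `features.Features` is the runtime-spec type, `Linux` is a pointer field, and a runtime whose features document carries no `linux` section would panic the whole handler introspection instead of simply being reported as unsupported. Extending the guard to `if f == nil || f.Linux == nil { return false }` keeps the fail-closed default for such runtimes. The idmap block could also collapse to one expression, `idmap := m != nil && m.IDMap != nil && m.IDMap.Enabled != nil && *m.IDMap.Enabled` after `m := f.Linux.MountExtensions`, and a doc comment on the function saying that both a `user` namespace and idmapped-mount support are required, so either alone yields false, would help the next reader of the kubelet-facing flag.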