github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

cri: Expose runtimeHandler support for userns

Browse Source 
Since kubernetes 1.30, the kubelet will query the runtime handlers
features and only start pods with userns if the runtime handler used for
that pod supports it.

Let's expose the user namespace support to the kubelet.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos 2024-02-17 18:54:30 -03:00 committed by Rodrigo Campos
parent 358aef4bcb
commit 2cd08156ed
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
internal/cri/server/service.go
View File

@ -381,6 +381,9 @@ func (c *criService) introspectRuntimeHandlers(ctx context.Context) ([]*runtime.
log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name) log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name)
} }
} }
userns := supportsCRIUserns(rawFeatures)
h.Features.UserNamespaces = userns
log.G(ctx).Debugf("runtime %q supports CRI userns: %v", name, userns)
} }
res = append(res, &h) res = append(res, &h)
if name == c.config.DefaultRuntimeName { if name == c.config.DefaultRuntimeName {
@ -438,3 +441,20 @@ func introspectRuntimeFeatures(ctx context.Context, intro introspection.Service,
} }
return features, nil return features, nil
} }
func supportsCRIUserns(f *features.Features) bool {
if f == nil {
return false
}
userns := slices.Contains(f.Linux.Namespaces, "user")
var idmap bool
if m := f.Linux.MountExtensions; m != nil && m.IDMap != nil && m.IDMap.Enabled != nil {
if *m.IDMap.Enabled {
idmap = true
}
}
// user namespace support in CRI requires userns and idmap support.
return userns && idmap
}