cri: Expose runtimeHandler support for userns

Since kubernetes 1.30, the kubelet will query the runtime handlers features and only start pods with userns if the runtime handler used for that pod supports it. Let's expose the user namespace support to the kubelet. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-17 18:54:30 -03:00 · 2024-02-17 18:54:30 -03:00 · 2cd08156ed
commit 2cd08156ed
parent 358aef4bcb
1 changed files with 20 additions and 0 deletions
--- a/internal/cri/server/service.go
+++ b/internal/cri/server/service.go
@ -381,6 +381,9 @@ func (c *criService) introspectRuntimeHandlers(ctx context.Context) ([]*runtime.
 					log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name)
 				}
 			}
+			userns := supportsCRIUserns(rawFeatures)
+			h.Features.UserNamespaces = userns
+			log.G(ctx).Debugf("runtime %q supports CRI userns: %v", name, userns)
 		}
 		res = append(res, &h)
 		if name == c.config.DefaultRuntimeName {
@ -438,3 +441,20 @@ func introspectRuntimeFeatures(ctx context.Context, intro introspection.Service,
 	}
 	return features, nil
 }
+
+func supportsCRIUserns(f *features.Features) bool {
+	if f == nil {
+		return false
+	}
+	userns := slices.Contains(f.Linux.Namespaces, "user")
+
+	var idmap bool
+	if m := f.Linux.MountExtensions; m != nil && m.IDMap != nil && m.IDMap.Enabled != nil {
+		if *m.IDMap.Enabled {
+			idmap = true
+		}
+	}
+
+	// user namespace support in CRI requires userns and idmap support.
+	return userns && idmap
+}