Merge pull request #1260 from bart0sh/PR0001-container-annotations

Use container annotations when creating containers
2019-09-12 16:36:59 -07:00 · 2019-09-12 16:36:59 -07:00 · 3a6510756e
commit 3a6510756e
parent 307e802aa5 738179542a
4 changed files with 72 additions and 1 deletions
--- a/docs/config.md
+++ b/docs/config.md
@ -117,6 +117,11 @@ version = 2
      # * OCI: https://github.com/opencontainers/image-spec/blob/master/annotations.md
      pod_annotations = []

+      # container_annotations is a list of container annotations passed through to the OCI config of the containers.
+      # Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
+      # Currently, only device plugins populate the annotations.
+      container_annotations = []
+
      # privileged_without_host_devices allows overloading the default behaviour of passing host
      # devices through to privileged containers. This is useful when using a runtime where it does
      # not make sense to pass host devices to the container when privileged. Defaults to false -
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -38,6 +38,10 @@ type Runtime struct {
 	// PodAnnotations is a list of pod annotations passed to both pod sandbox as well as
 	// container OCI annotations.
 	PodAnnotations []string `toml:"pod_annotations" json:"PodAnnotations"`
+	// ContainerAnnotations is a list of container annotations passed through to the OCI config of the containers.
+	// Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
+	// Currently, only device plugins populate the annotations.
+	ContainerAnnotations []string `toml:"container_annotations" json:"ContainerAnnotations"`
 	// Root is the directory used by containerd for runtime state.
 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
 	// This only works for runtime type "io.containerd.runtime.v1.linux".
--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@ -210,6 +210,11 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))
 	}

+	for pKey, pValue := range getPassthroughAnnotations(config.Annotations,
+		ociRuntime.ContainerAnnotations) {
+		specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))
+	}
+
 	specOpts = append(specOpts,
 		customopts.WithOOMScoreAdj(config, c.config.RestrictOOMScoreAdj),
 		customopts.WithPodNamespaces(securityContext, sandboxPid),
--- a/pkg/server/container_create_unix_test.go
+++ b/pkg/server/container_create_unix_test.go
@ -98,7 +98,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 			},
 		},
 		Labels:      map[string]string{"a": "b"},
-		Annotations: map[string]string{"c": "d"},
+		Annotations: map[string]string{"ca-c": "ca-d"},
 		Linux: &runtime.LinuxContainerConfig{
 			Resources: &runtime.LinuxContainerResources{
 				CpuPeriod:          100,
@ -367,7 +367,64 @@ func TestPodAnnotationPassthroughContainerSpec(t *testing.T) {
 			}
 		})
 	}
+}

+func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+
+	for desc, test := range map[string]struct {
+		podAnnotations       []string
+		containerAnnotations []string
+		configChange         func(*runtime.PodSandboxConfig)
+		specCheck            func(*testing.T, *runtimespec.Spec)
+	}{
+		"passthrough annotations from pod and container should be passed as an OCI annotation": {
+			podAnnotations:       []string{"c"},
+			containerAnnotations: []string{"c*"}, // wildcard should pick up ca-c->ca-d pair in container
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, "d", spec.Annotations["c"])
+				assert.Equal(t, "ca-d", spec.Annotations["ca-c"])
+			},
+		},
+		"annotations should not pass through if no passthrough annotations are configured": {
+			podAnnotations:       []string{},
+			containerAnnotations: []string{},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, "", spec.Annotations["c"])
+				assert.Equal(t, "", spec.Annotations["ca-c"])
+			},
+		},
+		"unmatched annotations should not pass through even if passthrough annotations are configured": {
+			podAnnotations:       []string{"x"},
+			containerAnnotations: []string{"x*"},
+			specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+				assert.Equal(t, "", spec.Annotations["c"])
+				assert.Equal(t, "", spec.Annotations["ca-c"])
+			},
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			c := newTestCRIService()
+			containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+			if test.configChange != nil {
+				test.configChange(sandboxConfig)
+			}
+			ociRuntime := config.Runtime{
+				PodAnnotations:       test.podAnnotations,
+				ContainerAnnotations: test.containerAnnotations,
+			}
+			spec, err := c.containerSpec(testID, testSandboxID, testPid, "",
+				containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+			assert.NoError(t, err)
+			assert.NotNil(t, spec)
+			specCheck(t, testID, testSandboxID, testPid, spec)
+			if test.specCheck != nil {
+				test.specCheck(t, spec)
+			}
+		})
+	}
 }

 func TestContainerSpecReadonlyRootfs(t *testing.T) {