From 7e6ab84884f3ea52ee9f59699967d5578f957261 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos <rodrigoca@microsoft.com>
Date: Mon, 23 Jan 2023 18:35:28 +0100
Subject: [PATCH] cri: Throw an error if idmap mounts is requested

We need support in containerd and the OCI runtime to use idmap mounts.
Let's just throw an error for now if the kubelet requests some mounts
with mappings.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
---
 pkg/cri/opts/spec_linux_opts.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/cri/opts/spec_linux_opts.go b/pkg/cri/opts/spec_linux_opts.go
index 942f66f4a..354977f32 100644
--- a/pkg/cri/opts/spec_linux_opts.go
+++ b/pkg/cri/opts/spec_linux_opts.go
@@ -163,6 +163,10 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 					return fmt.Errorf("relabel %q with %q failed: %w", src, mountLabel, err)
 				}
 			}
+			if mount.UidMappings != nil || mount.GidMappings != nil {
+				return fmt.Errorf("idmap mounts not yet supported, but they were requested for: %q", src)
+			}
+
 			s.Mounts = append(s.Mounts, runtimespec.Mount{
 				Source:      src,
 				Destination: dst,