cri: Vendor v0.27.0-beta.0 for mounts uid/gid mappings

We will use this in future commits to check whether the kubelet requested
idmap mounts for volumes, which we don't yet support.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Rodrigo Campos
2023-04-11 17:31:02 +02:00
parent c5a43b0007
commit 85afda6f52
9 changed files with 978 additions and 544 deletions


@@ -386,8 +386,14 @@ func (u *Unmarshaler) unmarshalMessage(m protoreflect.Message, in []byte) error
}
func isSingularWellKnownValue(fd protoreflect.FieldDescriptor) bool {
if fd.Cardinality() == protoreflect.Repeated {
return false
}
if md := fd.Message(); md != nil {
return md.FullName() == "google.protobuf.Value" && fd.Cardinality() != protoreflect.Repeated
return md.FullName() == "google.protobuf.Value"
}
if ed := fd.Enum(); ed != nil {
return ed.FullName() == "google.protobuf.NullValue"
}
return false
}


@@ -13,7 +13,7 @@ import "encoding/binary"
// a rune to a uint16. The values take two forms. For v >= 0x8000:
// bits
// 15: 1 (inverse of NFD_QC bit of qcInfo)
// 13..7: qcInfo (see below). isYesD is always true (no decompostion).
// 13..7: qcInfo (see below). isYesD is always true (no decomposition).
// 6..0: ccc (compressed CCC value).
// For v < 0x8000, the respective rune has a decomposition and v is an index
// into a byte array of UTF-8 decomposition sequences and additional info and



@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
// To regenerate api.pb.go run hack/update-generated-runtime.sh
// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
syntax = "proto3";
package runtime.v1;
@@ -222,6 +222,10 @@ message Mount {
bool selinux_relabel = 4;
// Requested propagation mode.
MountPropagation propagation = 5;
// UidMappings specifies the runtime UID mappings for the mount.
repeated IDMapping uidMappings = 6;
// GidMappings specifies the runtime GID mappings for the mount.
repeated IDMapping gidMappings = 7;
}
// IDMapping describes host to container ID mappings for a pod sandbox.
@@ -324,10 +328,10 @@ message LinuxSandboxSecurityContext {
// If set, the root filesystem of the sandbox is read-only.
bool readonly_rootfs = 4;
// List of groups applied to the first process run in the sandbox, in
// addition to the sandbox's primary GID, and group memberships defined
// addition to the sandbox's primary GID, and group memberships defined
// in the container image for the sandbox's primary UID of the container process.
// If the list is empty, no additional groups are added to any container.
// Note that group memberships defined in the container image for the sandbox's primary UID
// Note that group memberships defined in the container image for the sandbox's primary UID
// of the container process are still effective, even if they are not included in this list.
repeated int64 supplemental_groups = 5;
// Indicates whether the sandbox will be asked to run a privileged
@@ -420,7 +424,7 @@ message PodSandboxConfig {
// containers. For example, the files might be newline separated JSON
// structured logs, systemd-journald journal files, gRPC trace files, etc.
// E.g.,
// PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/`
// PodSandboxConfig.LogDirectory = `/var/log/pods/<NAMESPACE>_<NAME>_<UID>/`
// ContainerConfig.LogPath = `containerName/Instance#.log`
string log_directory = 3;
// DNS config for the sandbox.
@@ -877,10 +881,10 @@ message LinuxContainerSecurityContext {
// If set, the root filesystem of the container is read-only.
bool readonly_rootfs = 7;
// List of groups applied to the first process run in the container, in
// addition to the container's primary GID, and group memberships defined
// addition to the container's primary GID, and group memberships defined
// in the container image for the container's primary UID of the container process.
// If the list is empty, no additional groups are added to any container.
// Note that group memberships defined in the container image for the container's primary UID
// Note that group memberships defined in the container image for the container's primary UID
// of the container process are still effective, even if they are not included in this list.
repeated int64 supplemental_groups = 8;
// no_new_privs defines if the flag for no_new_privs should be set on the
@@ -1017,6 +1021,15 @@ message Device {
string permissions = 3;
}
// CDIDevice specifies a CDI device information.
message CDIDevice {
// Fully qualified CDI device name
// for example: vendor.com/gpu=gpudevice1
// see more details in the CDI specification:
// https://github.com/container-orchestrated-devices/container-device-interface/blob/main/SPEC.md
string name = 1;
}
// ContainerConfig holds all the required and optional fields for creating a
// container.
message ContainerConfig {
@@ -1060,13 +1073,8 @@ message ContainerConfig {
// Path relative to PodSandboxConfig.LogDirectory for container to store
// the log (STDOUT and STDERR) on the host.
// E.g.,
// PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/`
// PodSandboxConfig.LogDirectory = `/var/log/pods/<NAMESPACE>_<NAME>_<UID>/`
// ContainerConfig.LogPath = `containerName/Instance#.log`
//
// WARNING: Log management and how kubelet should interface with the
// container logs are under active discussion in
// https://issues.k8s.io/24677. There *may* be future change of direction
// for logging as the discussion carries on.
string log_path = 11;
// Variables for interactive containers, these have very specialized
@@ -1079,6 +1087,9 @@ message ContainerConfig {
LinuxContainerConfig linux = 15;
// Configuration specific to Windows containers.
WindowsContainerConfig windows = 16;
// CDI devices for the container.
repeated CDIDevice CDI_devices = 17;
}
message CreateContainerRequest {
@@ -1216,6 +1227,7 @@ message ContainerStatus {
// image ID
string image_ref = 9;
// Brief CamelCase string explaining why container is in its current state.
// Must be set to "OOMKilled" for containers terminated by cgroup-based Out-of-Memory killer.
string reason = 10;
// Human-readable message indicating details about why container is in its
// current state.
@@ -1279,8 +1291,16 @@ message ExecSyncRequest {
message ExecSyncResponse {
// Captured command stdout output.
// The runtime should cap the output of this response to 16MB.
// If the stdout of the command produces more than 16MB, the remaining output
// should be discarded, and the command should proceed with no error.
// See CVE-2022-1708 and CVE-2022-31030 for more information.
bytes stdout = 1;
// Captured command stderr output.
// The runtime should cap the output of this response to 16MB.
// If the stderr of the command produces more than 16MB, the remaining output
// should be discarded, and the command should proceed with no error.
// See CVE-2022-1708 and CVE-2022-31030 for more information.
bytes stderr = 2;
// Exit code the command finished with. Default: 0 (success).
int32 exit_code = 3;
@@ -1609,7 +1629,7 @@ message ContainerStats {
FilesystemUsage writable_layer = 4;
}
// WindowsContainerStats provides the resource usage statistics for a container specific for Windows
// WindowsContainerStats provides the resource usage statistics for a container specific for Windows
message WindowsContainerStats {
// Information of the container.
ContainerAttributes attributes = 1;
@@ -1745,7 +1765,7 @@ message MetricDescriptor {
repeated string label_keys = 3;
}
message ListPodSandboxMetricsRequest {}
message ListPodSandboxMetricsRequest {}
message ListPodSandboxMetricsResponse {
repeated PodSandboxMetrics pod_metrics = 1;

12
vendor/modules.txt vendored

@@ -228,7 +228,7 @@ github.com/gogo/protobuf/types
# github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
## explicit
github.com/golang/groupcache/lru
# github.com/golang/protobuf v1.5.2
# github.com/golang/protobuf v1.5.3
## explicit; go 1.9
github.com/golang/protobuf/jsonpb
github.com/golang/protobuf/proto
@@ -500,7 +500,7 @@ golang.org/x/crypto/pbkdf2
# golang.org/x/mod v0.8.0
## explicit; go 1.17
golang.org/x/mod/semver
# golang.org/x/net v0.7.0
# golang.org/x/net v0.8.0
## explicit; go 1.17
golang.org/x/net/context
golang.org/x/net/context/ctxhttp
@@ -533,10 +533,10 @@ golang.org/x/sys/windows/registry
golang.org/x/sys/windows/svc
golang.org/x/sys/windows/svc/debug
golang.org/x/sys/windows/svc/mgr
# golang.org/x/term v0.5.0
# golang.org/x/term v0.6.0
## explicit; go 1.17
golang.org/x/term
# golang.org/x/text v0.7.0
# golang.org/x/text v0.8.0
## explicit; go 1.17
golang.org/x/text/secure/bidirule
golang.org/x/text/transform
@@ -777,8 +777,8 @@ k8s.io/component-base/metrics/legacyregistry
k8s.io/component-base/metrics/prometheus/feature
k8s.io/component-base/metrics/prometheusextension
k8s.io/component-base/version
# k8s.io/cri-api v0.26.2
## explicit; go 1.19
# k8s.io/cri-api v0.27.0-beta.0
## explicit; go 1.20
k8s.io/cri-api/pkg/apis/runtime/v1
# k8s.io/klog/v2 v2.90.1
## explicit; go 1.13