Merge pull request #9787 from AkihiroSuda/cri-rro-kep-3857

KEP-3857: Recursive Read-only (RRO) mounts
2024-02-21 18:52:43 +00:00
parent b8654e36f4 9077d13728
commit 8ce402c24c
16 changed files with 1292 additions and 503 deletions
--- a/vendor/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go
+++ b/vendor/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go
--- a/vendor/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto
+++ b/vendor/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto
@@ -235,6 +235,15 @@ message Mount {
    repeated IDMapping uidMappings = 6;
    // GidMappings specifies the runtime GID mappings for the mount.
    repeated IDMapping gidMappings = 7;
+    // If set to true, the mount is made recursive read-only.
+    // In this CRI API, recursive_read_only is a plain true/false boolean, although its equivalent
+    // in the Kubernetes core API is a quaternary that can be nil, "Enabled", "IfPossible", or "Disabled".
+    // kubelet translates that quaternary value in the core API into a boolean in this CRI API.
+    // Remarks:
+    // - nil is just treated as false
+    // - when set to true, readonly must be explicitly set to true, and propagation must be PRIVATE (0).
+    // - (readonly == false && recursive_read_only == false) does not make the mount read-only.
+    bool recursive_read_only = 8;
 }

 // IDMapping describes host to container ID mappings for a pod sandbox.
@@ -1528,6 +1537,22 @@ message StatusRequest {
    bool verbose = 1;
 }

+message RuntimeHandlerFeatures {
+    // recursive_read_only_mounts is set to true if the runtime handler supports
+    // recursive read-only mounts.
+    // For runc-compatible runtimes, availability of this feature can be detected by checking whether
+    // the Linux kernel version is >= 5.12, and,  `runc features | jq .mountOptions` contains "rro".
+    bool recursive_read_only_mounts = 1;
+}
+
+message RuntimeHandler {
+    // Name must be unique in StatusResponse.
+    // An empty string denotes the default handler.
+    string name = 1;
+    // Supported features.
+    RuntimeHandlerFeatures features = 2;
+}
+
 message StatusResponse {
    // Status of the Runtime.
    RuntimeStatus status = 1;
@@ -1536,6 +1561,8 @@ message StatusResponse {
    // debug, e.g. plugins used by the container runtime.
    // It should only be returned non-empty when Verbose is true.
    map<string, string> info = 2;
+    // Runtime handlers.
+    repeated RuntimeHandler runtime_handlers = 3;
 }

 message ImageFsInfoRequest {}
--- a/vendor/k8s.io/cri-api/pkg/errors/doc.go
+++ b/vendor/k8s.io/cri-api/pkg/errors/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package errors provides helper functions for use by the kubelet
+// to deal with CRI errors.
+package errors // import "k8s.io/cri-api/pkg/errors"
--- a/vendor/k8s.io/cri-api/pkg/errors/errors.go
+++ b/vendor/k8s.io/cri-api/pkg/errors/errors.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import (
+	"errors"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+var (
+	// ErrRegistryUnavailable - Get http error on the PullImage RPC call.
+	ErrRegistryUnavailable = errors.New("RegistryUnavailable")
+
+	// ErrSignatureValidationFailed - Unable to validate the image signature on the PullImage RPC call.
+	ErrSignatureValidationFailed = errors.New("SignatureValidationFailed")
+
+	// ErrRROUnsupported - Unable to enforce recursive readonly mounts
+	ErrRROUnsupported = errors.New("RROUnsupported")
+)
+
+// IsNotFound returns a boolean indicating whether the error
+// is grpc not found error.
+// See https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
+// for a list of grpc status codes.
+func IsNotFound(err error) bool {
+	s, ok := status.FromError(err)
+	if !ok {
+		return ok
+	}
+	if s.Code() == codes.NotFound {
+		return true
+	}
+
+	return false
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -746,9 +746,10 @@ k8s.io/client-go/util/workqueue
 # k8s.io/component-base v0.29.1
 ## explicit; go 1.21
 k8s.io/component-base/logs/logreduction
-# k8s.io/cri-api v0.29.1
+# k8s.io/cri-api v0.30.0-alpha.2.0.20240216190946-4e003cc3b0a4
 ## explicit; go 1.21
 k8s.io/cri-api/pkg/apis/runtime/v1
+k8s.io/cri-api/pkg/errors
 # k8s.io/klog/v2 v2.110.1
 ## explicit; go 1.13
 k8s.io/klog/v2