cri/sbserver: Support pods with user namespaces

This patch requests the OCI runtime to create a userns when the CRI message includes such request. This is an adaptation of a7adeb6976 ("cri: Support pods with user namespaces") to sbserver, although the container_create.go parts were already ported as part of 40be96efa9 ("Have separate spec builder for each platform"), Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-07 17:28:04 +02:00 · 2023-07-07 17:28:04 +02:00 · fb9ce5d482
commit fb9ce5d482
parent c99cb95f07
1 changed files with 19 additions and 0 deletions
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@ -92,6 +92,25 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 		specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.IPCNamespace))
 	}

+	usernsOpts := nsOptions.GetUsernsOptions()
+	uids, gids, err := parseUsernsIDs(usernsOpts)
+	var usernsEnabled bool
+	if err != nil {
+		return nil, fmt.Errorf("user namespace configuration: %w", err)
+	}
+
+	if usernsOpts != nil {
+		switch mode := usernsOpts.GetMode(); mode {
+		case runtime.NamespaceMode_NODE:
+			specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.UserNamespace))
+		case runtime.NamespaceMode_POD:
+			specOpts = append(specOpts, oci.WithUserNamespace(uids, gids))
+			usernsEnabled = true
+		default:
+			return nil, fmt.Errorf("unsupported user namespace mode: %q", mode)
+		}
+	}
+
 	// It's fine to generate the spec before the sandbox /dev/shm
 	// is actually created.
 	sandboxDevShm := c.getSandboxDevShm(id)