github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add private mount propagation to API.

Browse Source 
And make it default
This commit is contained in:
Jan Safranek 2018-04-12 13:57:54 +02:00
parent d1b38b21ef
commit 01a44d22cf
6 changed files with 33 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/apis/core/types.go
View File

@ -1540,6 +1540,12 @@ type VolumeMount struct {
type MountPropagationMode string type MountPropagationMode string
const ( const (
// MountPropagationNone means that the volume in a container will
// not receive new mounts from the host or other containers, and filesystems
// mounted inside the container won't be propagated to the host or other
// containers.
// Note that this mode corresponds to "private" in Linux terminology.
MountPropagationNone MountPropagationMode = "None"
// MountPropagationHostToContainer means that the volume in a container will // MountPropagationHostToContainer means that the volume in a container will
// receive new mounts from the host or other containers, but filesystems // receive new mounts from the host or other containers, but filesystems
// mounted inside the container won't be propagated to the host or other // mounted inside the container won't be propagated to the host or other

2
pkg/apis/core/validation/validation.go
View File

@ -1140,7 +1140,7 @@ func validateMountPropagation(mountPropagation *core.MountPropagationMode, conta
return allErrs return allErrs
} }
supportedMountPropagations := sets.NewString(string(core.MountPropagationBidirectional), string(core.MountPropagationHostToContainer)) supportedMountPropagations := sets.NewString(string(core.MountPropagationBidirectional), string(core.MountPropagationHostToContainer), string(core.MountPropagationNone))
if !supportedMountPropagations.Has(string(*mountPropagation)) { if !supportedMountPropagations.Has(string(*mountPropagation)) {
allErrs = append(allErrs, field.NotSupported(fldPath, *mountPropagation, supportedMountPropagations.List())) allErrs = append(allErrs, field.NotSupported(fldPath, *mountPropagation, supportedMountPropagations.List()))
} }

7
pkg/apis/core/validation/validation_test.go
View File

@ -4704,6 +4704,7 @@ func TestValidateMountPropagation(t *testing.T) {
propagationBidirectional := core.MountPropagationBidirectional propagationBidirectional := core.MountPropagationBidirectional
propagationHostToContainer := core.MountPropagationHostToContainer propagationHostToContainer := core.MountPropagationHostToContainer
propagationNone := core.MountPropagationNone
propagationInvalid := core.MountPropagationMode("invalid") propagationInvalid := core.MountPropagationMode("invalid")
tests := []struct { tests := []struct {
@ -4723,6 +4724,12 @@ func TestValidateMountPropagation(t *testing.T) {
defaultContainer, defaultContainer,
false, false,
}, },
{
// non-privileged container + None
core.VolumeMount{Name: "foo", MountPath: "/foo", MountPropagation: &propagationNone},
defaultContainer,
false,
},
{ {
// error: implicitly non-privileged container + Bidirectional // error: implicitly non-privileged container + Bidirectional
core.VolumeMount{Name: "foo", MountPath: "/foo", MountPropagation: &propagationBidirectional}, core.VolumeMount{Name: "foo", MountPath: "/foo", MountPropagation: &propagationBidirectional},

6
pkg/kubelet/kubelet_pods.go
View File

@ -269,12 +269,14 @@ func translateMountPropagation(mountMode *v1.MountPropagationMode) (runtimeapi.M
} }
switch { switch {
case mountMode == nil: case mountMode == nil:
// HostToContainer is the default // PRIVATE is the default
return runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, nil return runtimeapi.MountPropagation_PROPAGATION_PRIVATE, nil
case *mountMode == v1.MountPropagationHostToContainer: case *mountMode == v1.MountPropagationHostToContainer:
return runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, nil return runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, nil
case *mountMode == v1.MountPropagationBidirectional: case *mountMode == v1.MountPropagationBidirectional:
return runtimeapi.MountPropagation_PROPAGATION_BIDIRECTIONAL, nil return runtimeapi.MountPropagation_PROPAGATION_BIDIRECTIONAL, nil
case *mountMode == v1.MountPropagationNone:
return runtimeapi.MountPropagation_PROPAGATION_PRIVATE, nil
default: default:
return 0, fmt.Errorf("invalid MountPropagation mode: %q", mountMode) return 0, fmt.Errorf("invalid MountPropagation mode: %q", mountMode)
} }

16
pkg/kubelet/kubelet_pods_test.go
View File

@ -55,6 +55,7 @@ func TestMakeMounts(t *testing.T) {
bTrue := true bTrue := true
propagationHostToContainer := v1.MountPropagationHostToContainer propagationHostToContainer := v1.MountPropagationHostToContainer
propagationBidirectional := v1.MountPropagationBidirectional propagationBidirectional := v1.MountPropagationBidirectional
propagationNone := v1.MountPropagationNone
testCases := map[string]struct { testCases := map[string]struct {
container v1.Container container v1.Container
@ -79,9 +80,10 @@ func TestMakeMounts(t *testing.T) {
MountPropagation: &propagationHostToContainer, MountPropagation: &propagationHostToContainer,
}, },
{ {
MountPath: "/mnt/path3", MountPath: "/mnt/path3",
Name: "disk", Name: "disk",
ReadOnly: true, ReadOnly: true,
MountPropagation: &propagationNone,
}, },
{ {
MountPath: "/mnt/path4", MountPath: "/mnt/path4",
@ -110,7 +112,7 @@ func TestMakeMounts(t *testing.T) {
HostPath: "/mnt/disk", HostPath: "/mnt/disk",
ReadOnly: true, ReadOnly: true,
SELinuxRelabel: false, SELinuxRelabel: false,
Propagation: runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, Propagation: runtimeapi.MountPropagation_PROPAGATION_PRIVATE,
}, },
{ {
Name: "disk4", Name: "disk4",
@ -118,7 +120,7 @@ func TestMakeMounts(t *testing.T) {
HostPath: "/mnt/host", HostPath: "/mnt/host",
ReadOnly: false, ReadOnly: false,
SELinuxRelabel: false, SELinuxRelabel: false,
Propagation: runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, Propagation: runtimeapi.MountPropagation_PROPAGATION_PRIVATE,
}, },
{ {
Name: "disk5", Name: "disk5",
@ -126,7 +128,7 @@ func TestMakeMounts(t *testing.T) {
HostPath: "/var/lib/kubelet/podID/volumes/empty/disk5", HostPath: "/var/lib/kubelet/podID/volumes/empty/disk5",
ReadOnly: false, ReadOnly: false,
SELinuxRelabel: false, SELinuxRelabel: false,
Propagation: runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, Propagation: runtimeapi.MountPropagation_PROPAGATION_PRIVATE,
}, },
}, },
expectErr: false, expectErr: false,
@ -185,7 +187,7 @@ func TestMakeMounts(t *testing.T) {
HostPath: "/mnt/host", HostPath: "/mnt/host",
ReadOnly: false, ReadOnly: false,
SELinuxRelabel: false, SELinuxRelabel: false,
Propagation: runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER, Propagation: runtimeapi.MountPropagation_PROPAGATION_PRIVATE,
}, },
}, },
expectErr: false, expectErr: false,

6
staging/src/k8s.io/api/core/v1/types.go
View File

@ -1624,6 +1624,12 @@ type VolumeMount struct {
type MountPropagationMode string type MountPropagationMode string
const ( const (
// MountPropagationNone means that the volume in a container will
// not receive new mounts from the host or other containers, and filesystems
// mounted inside the container won't be propagated to the host or other
// containers.
// Note that this mode corresponds to "private" in Linux terminology.
MountPropagationNone MountPropagationMode = "None"
// MountPropagationHostToContainer means that the volume in a container will // MountPropagationHostToContainer means that the volume in a container will
// receive new mounts from the host or other containers, but filesystems // receive new mounts from the host or other containers, but filesystems
// mounted inside the container won't be propagated to the host or other // mounted inside the container won't be propagated to the host or other