Merge pull request #72698 from rajathagasthya/podsharepsnamespace-72651
Move PodShareProcessNamespace feature gate out of validation
This commit is contained in:
Kubernetes Prow Robot
@@ -293,6 +293,12 @@ func dropDisabledFields(
|
||||
}
|
||||
}
|
||||
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.PodShareProcessNamespace) && !shareProcessNamespaceInUse(oldPodSpec) {
|
||||
if podSpec.SecurityContext != nil {
|
||||
podSpec.SecurityContext.ShareProcessNamespace = nil
|
||||
}
|
||||
}
|
||||
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) && !podPriorityInUse(oldPodSpec) {
|
||||
// Set to nil pod's priority fields if the feature is disabled and the old pod
|
||||
// does not specify any values for these fields.
|
||||
@@ -458,6 +464,16 @@ func appArmorInUse(podAnnotations map[string]string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func shareProcessNamespaceInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec == nil {
|
||||
return false
|
||||
}
|
||||
if podSpec.SecurityContext != nil && podSpec.SecurityContext.ShareProcessNamespace != nil {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// podPriorityInUse returns true if the pod spec is non-nil and has Priority or PriorityClassName set.
|
||||
func podPriorityInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec == nil {
|
||||
|
||||
@@ -914,6 +914,106 @@ func TestDropEmptyDirSizeLimit(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDropPodShareProcessNamespace(t *testing.T) {
|
||||
podWithShareProcessNamespace := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
ShareProcessNamespace: &[]bool{true}[0],
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithoutShareProcessNamespace := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithoutSecurityContext := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{},
|
||||
}
|
||||
}
|
||||
|
||||
podInfo := []struct {
|
||||
description string
|
||||
hasShareProcessNamespace bool
|
||||
pod func() *api.Pod
|
||||
}{
|
||||
{
|
||||
description: "has ShareProcessNamespace",
|
||||
hasShareProcessNamespace: true,
|
||||
pod: podWithShareProcessNamespace,
|
||||
},
|
||||
{
|
||||
description: "does not have ShareProcessNamespace",
|
||||
hasShareProcessNamespace: false,
|
||||
pod: podWithoutShareProcessNamespace,
|
||||
},
|
||||
{
|
||||
description: "does not have SecurityContext",
|
||||
hasShareProcessNamespace: false,
|
||||
pod: podWithoutSecurityContext,
|
||||
},
|
||||
{
|
||||
description: "is nil",
|
||||
hasShareProcessNamespace: false,
|
||||
pod: func() *api.Pod { return nil },
|
||||
},
|
||||
}
|
||||
|
||||
for _, enabled := range []bool{true, false} {
|
||||
for _, oldPodInfo := range podInfo {
|
||||
for _, newPodInfo := range podInfo {
|
||||
oldPodHasShareProcessNamespace, oldPod := oldPodInfo.hasShareProcessNamespace, oldPodInfo.pod()
|
||||
newPodHasShareProcessNamespace, newPod := newPodInfo.hasShareProcessNamespace, newPodInfo.pod()
|
||||
if newPod == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
|
||||
defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodShareProcessNamespace, enabled)()
|
||||
|
||||
var oldPodSpec *api.PodSpec
|
||||
if oldPod != nil {
|
||||
oldPodSpec = &oldPod.Spec
|
||||
}
|
||||
dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
|
||||
|
||||
// old pod should never be changed
|
||||
if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
|
||||
t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
|
||||
}
|
||||
|
||||
switch {
|
||||
case enabled || oldPodHasShareProcessNamespace:
|
||||
// new pod should not be changed if the feature is enabled, or if the old pod had ShareProcessNamespace set
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
case newPodHasShareProcessNamespace:
|
||||
// new pod should be changed
|
||||
if reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod was not changed")
|
||||
}
|
||||
// new pod should not have ShareProcessNamespace
|
||||
if !reflect.DeepEqual(newPod, podWithoutShareProcessNamespace()) {
|
||||
t.Errorf("new pod had ShareProcessNamespace: %v", diff.ObjectReflectDiff(newPod, podWithoutShareProcessNamespace()))
|
||||
}
|
||||
default:
|
||||
// new pod should not need to be changed
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestDropAppArmor(t *testing.T) {
|
||||
podWithAppArmor := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
|
||||
Reference in New Issue
Block a user