github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #123272 from AkihiroSuda/rro-cri

Browse Source 
cri-api: KEP-3857: Recursive Read-only (RRO) mounts [Split from #123180 for ease of review]
This commit is contained in:
Kubernetes Prow Robot
2024-02-16 11:09:46 -08:00
committed by GitHub
parent 0e8ef9c353 a834bd84b5
commit e43003195d
3 changed files with 1045 additions and 469 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1476
staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go
View File

File diff suppressed because it is too large Load Diff

27
staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto
View File

@@ -235,6 +235,15 @@ message Mount {
repeated IDMapping uidMappings = 6; repeated IDMapping uidMappings = 6;
// GidMappings specifies the runtime GID mappings for the mount. // GidMappings specifies the runtime GID mappings for the mount.
repeated IDMapping gidMappings = 7; repeated IDMapping gidMappings = 7;
// If set to true, the mount is made recursive read-only.
// In this CRI API, recursive_read_only is a plain true/false boolean, although its equivalent
// in the Kubernetes core API is a quaternary that can be nil, "Enabled", "IfPossible", or "Disabled".
// kubelet translates that quaternary value in the core API into a boolean in this CRI API.
// Remarks:
// - nil is just treated as false
// - when set to true, readonly must be explicitly set to true, and propagation must be PRIVATE (0).
// - (readonly == false && recursive_read_only == false) does not make the mount read-only.
bool recursive_read_only = 8;
} }
// IDMapping describes host to container ID mappings for a pod sandbox. // IDMapping describes host to container ID mappings for a pod sandbox.
@@ -1528,6 +1537,22 @@ message StatusRequest {
bool verbose = 1; bool verbose = 1;
} }
message RuntimeHandlerFeatures {
// recursive_read_only_mounts is set to true if the runtime handler supports
// recursive read-only mounts.
// For runc-compatible runtimes, availability of this feature can be detected by checking whether
// the Linux kernel version is >= 5.12, and, `runc features | jq .mountOptions` contains "rro".
bool recursive_read_only_mounts = 1;
}
message RuntimeHandler {
// Name must be unique in StatusResponse.
// An empty string denotes the default handler.
string name = 1;
// Supported features.
RuntimeHandlerFeatures features = 2;
}
message StatusResponse { message StatusResponse {
// Status of the Runtime. // Status of the Runtime.
RuntimeStatus status = 1; RuntimeStatus status = 1;
@@ -1536,6 +1561,8 @@ message StatusResponse {
// debug, e.g. plugins used by the container runtime. // debug, e.g. plugins used by the container runtime.
// It should only be returned non-empty when Verbose is true. // It should only be returned non-empty when Verbose is true.
map<string, string> info = 2; map<string, string> info = 2;
// Runtime handlers.
repeated RuntimeHandler runtime_handlers = 3;
} }
message ImageFsInfoRequest {} message ImageFsInfoRequest {}

3
staging/src/k8s.io/cri-api/pkg/errors/errors.go
View File

@@ -29,6 +29,9 @@ var (
// ErrSignatureValidationFailed - Unable to validate the image signature on the PullImage RPC call. // ErrSignatureValidationFailed - Unable to validate the image signature on the PullImage RPC call.
ErrSignatureValidationFailed = errors.New("SignatureValidationFailed") ErrSignatureValidationFailed = errors.New("SignatureValidationFailed")
// ErrRROUnsupported - Unable to enforce recursive readonly mounts
ErrRROUnsupported = errors.New("RROUnsupported")
) )
// IsNotFound returns a boolean indicating whether the error // IsNotFound returns a boolean indicating whether the error