* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
The map is changed to an array so as to retain the order of the original array
propagated from the CRI runtime.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Importing the `k8s.io/kubernetes/pkg/kubelet/metrics` package in the
remote runtime implementation makes it harder to separate the
functionalities at some later point in time. We now decouple both
packages by extending the CRI API services to allow a callback on
`GetContainerEvents`. This callback can be used to do additional work if
the connection got established, because `GetContainerEvents` will go
into blocking mode after that.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
See https://github.com/golang/mock#gomock: golang/mock is no longer
maintained, and should be replaced by go.uber.org/mock.
This allows golang/mock to be dropped from the status and vendored
fields in unwanted-dependencies.json.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
There is a conversion function `ConvertPodStatusToRunningPod`, which
can override the `Container.ImageID` into a digested reference from the
`ContainerStatus` CRI RPC, which gets mapped from the `image_ref`:
411c29c39f/pkg/kubelet/container/helpers.go (L259-L292)
To avoid that failure case, we now introduce the same `image_id` into
the container status and let runtimes separate the fields.
We also add a note that the mapping from the digested reference of the
CRI to the Kubernetes Pod API `ImageID` field is intentional and should
not change.
Follow-up on: https://github.com/kubernetes/kubernetes/pull/123508
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This new field allows fixing the kubelet image garbage collection in
container runtimes. The `image_ref` has been historically used by
container runtimes to reference images by digest.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
block the creation of a pod that requires a user namespace, unless the
runtime handler has support for it.
If the pod requested for a user namespace, and the handler does not
support it then return an error regardless of the feature gate.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit does the following:
1. Add RuntimeClassInImageCriApi feature gate
2. Extend pkg/kubelet/container Image struct
3. Adds runtimeHandler string in the following CRI calls
i. ImageStatus
ii. PullImageRequest
iii. RemoveImage
Signed-off-by: kiashok <kiashok@microsoft.com>
