In the KEP 1710 we promised to have all SELinux metrics with access mode
label, so cluster admin is able to distinguish when RWOP volumes are
failing to mount (-> SELinuxMountReadWriteOncePod feature gate must be
disabled) or volumes with any other access modes are failing (->
SELinuxMount feature gate must be disabled).
Adding the label to kubelet is quite straightforward, there were some
changes needed in the e2e test. Now grabMetrics() collects values of all
SELinux related metrics with all labels. It only skips unrelated volume
plugins. And waitForMetricIncrease gets metric with all labels on input, so
it can check that say RWOP metric increased and RWX one did not.
We don't have the alpha limitation anymore, let's just use the kubelet
maxPods instead of our hardcoded 1024 max.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
When we were alocating the whole UID space, the first range was reserved
to the host. Now we don't allocate the whole UID space, but just the
range configured, so the first range doesn't point to [0;65535] anymore,
so no need to test it is always set.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
allow to specify what IDs must be used by the kubelet to create user
namespaces.
If no additional UIDs/GIDs are not allocated to the "kubelet" user,
then the kubelet assumes it can use any ID on the system.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The return type of ktesting.NewTestContext is now a TContext. Code
which combined it WithCancel often didn't compile anymore (cannot overwrite
ktesting.TContext with context.Context). This is a good thing because all of
that code can be simplified to let ktesting handle the cancelation.
Instead of walking paths ourselves, just let Go's packages library do
it. This is a slight CLI change - it wants "./foo" rather than "foo".
This also flagged a few things which seem to be legit failures.
There is a conversion function `ConvertPodStatusToRunningPod`, which
can override the `Container.ImageID` into a digested reference from the
`ContainerStatus` CRI RPC, which gets mapped from the `image_ref`:
411c29c39f/pkg/kubelet/container/helpers.go (L259-L292)
To avoid that failure case, we now introduce the same `image_id` into
the container status and let runtimes separate the fields.
We also add a note that the mapping from the digested reference of the
CRI to the Kubernetes Pod API `ImageID` field is intentional and should
not change.
Follow-up on: https://github.com/kubernetes/kubernetes/pull/123508
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This new field allows fixing the kubelet image garbage collection in
container runtimes. The `image_ref` has been historically used by
container runtimes to reference images by digest.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
We just added some more functionality, let's make sure it works fine
with the feature gate disabled.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
block the creation of a pod that requires a user namespace, unless the
runtime handler has support for it.
If the pod requested for a user namespace, and the handler does not
support it then return an error regardless of the feature gate.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
