Commit Graph

13 Commits

Author SHA1 Message Date
Rodrigo Campos
4bb508dd30 kubelet/userns: Add unit test
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-03-02 12:15:44 +01:00
Rodrigo Campos
0b69c2bc81 kubelet/userns: Use kubelet maxPods
We don't have the alpha limitation anymore, let's just use the kubelet
maxPods instead of our hardcoded 1024 max.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-03-02 12:15:44 +01:00
Rodrigo Campos
39c6815676 kubelet/userns: Remove alpha maxPods limitation
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-03-02 12:15:44 +01:00
Rodrigo Campos
4180284dc9 pkg/kubelet/userns: Remove outdated test
When we were allocating the whole UID space, the first range was reserved
to the host. Now we don't allocate the whole UID space, but just the
range configured, so the first range doesn't point to [0;65535] anymore,
so no need to test it is always set.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-03-02 12:15:43 +01:00
Giuseppe Scrivano
87a057d417 KEP-127: kubelet: honor kubelet user mappings
allow to specify what IDs must be used by the kubelet to create user
namespaces.

If no additional UIDs/GIDs are allocated to the "kubelet" user,
then the kubelet assumes it can use any ID on the system.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-03-02 12:15:39 +01:00
Rodrigo Campos
0e2b447269 kubelet/userns: Test new functionality with feature gate enabled
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-27 12:01:00 +01:00
Giuseppe Scrivano
b2a92406ef KEP-127: check for runtime handler userns support
block the creation of a pod that requires a user namespace, unless the
runtime handler has support for it.

If the pod requested a user namespace, and the handler does not
support it then return an error regardless of the feature gate.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-02-27 12:01:00 +01:00
Rodrigo Campos
5a8579a3e4 kubelet/userns: Remove tests that fail as root
For some reason the CI didn't fail when we opened the PR. But when you run
"go test" as root, with all the capabilities, tests that exercise
permission errors will never work, as the capabilities make them always
bypass the permission checks.

For some reason it seems that:
 * Not all our CI was run when the PR was opened
 * The CI was changed to run as root now
 * _Some_ CI was added and it runs as root

If it wasn't one of those, or a combination, I don't see how this could
have happened. If any of that indeed happened, it can break more tests
outside the userns package too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-19 14:52:33 -03:00
Rodrigo Campos
cae710d9e9 kubelet/userns: Test error messages on init failures
This adds a test for the just added wrapping error message, as well as
for the other already present error messages that initialization can
fail with.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-05 19:03:50 +01:00
Rodrigo Campos
a56d483df0 kubelet/userns: Use t.TempDir()
These tests will create the userns record mapping file, so let's use a
temporary directory for that.

Without specifying one, by mistake we were using the
"/tmp/non-existant-dir.This-is-not-used-in-tests/" directory.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-01 12:02:29 +01:00
Rodrigo Campos
2508f468a8 kubelet/userns: Add more unit tests
This covers all public methods and overall test coverage is above 80%
again.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-10-18 11:59:54 +02:00
Giuseppe Scrivano
531d38e323 features: rename UserNamespacesStatelessPodsSupport
now it is called UserNamespacesSupport since all kinds of volumes are
supported.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-06-22 15:19:50 +02:00
Rodrigo Campos
ec0410a266 kubelet: Move userns manager to its own package
To that end, we need to add one kubelet getter listPodsFromDisk(). Other
than that, it is a pretty trivial move.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-03-13 22:28:04 +01:00