Merge pull request containerd#9836 from kinvolk/rata/userns-runtimeHandler

Add support for userns (k8s >= 1.30)

Author: fuweid

go.mod

@@ -74,7 +74,7 @@ require (
 	k8s.io/apimachinery v0.29.2
 	k8s.io/client-go v0.29.2
 	k8s.io/component-base v0.29.2
-	k8s.io/cri-api v0.30.0-alpha.2.0.20240216190946-4e003cc3b0a4
+	k8s.io/cri-api v0.30.0-alpha.2.0.20240217224521-840a52e4cd66
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/kubelet v0.29.2
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b

go.sum

@@ -799,8 +799,8 @@ k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
 k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
 k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
 k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
-k8s.io/cri-api v0.30.0-alpha.2.0.20240216190946-4e003cc3b0a4 h1:MkxF8QPcofA/nw9k03EQcMkCdP2RcyDZeF1Zda9m/3w=
-k8s.io/cri-api v0.30.0-alpha.2.0.20240216190946-4e003cc3b0a4/go.mod h1:9fQTFm+wi4FLyqrkVUoMJiUB3mE74XrVvHz8uFY/sSw=
+k8s.io/cri-api v0.30.0-alpha.2.0.20240217224521-840a52e4cd66 h1:N5xMegEabSkJia7wOv7md8SQ6dQtgwEX+7gq7R8a4wM=
+k8s.io/cri-api v0.30.0-alpha.2.0.20240217224521-840a52e4cd66/go.mod h1:9fQTFm+wi4FLyqrkVUoMJiUB3mE74XrVvHz8uFY/sSw=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=

internal/cri/server/service.go

@@ -381,6 +381,9 @@ func (c *criService) introspectRuntimeHandlers(ctx context.Context) ([]*runtime.
 					log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name)
 				}
 			}
+			userns := supportsCRIUserns(rawFeatures)
+			h.Features.UserNamespaces = userns
+			log.G(ctx).Debugf("runtime %q supports CRI userns: %v", name, userns)
 		}
 		res = append(res, &h)
 		if name == c.config.DefaultRuntimeName {
@@ -438,3 +441,20 @@ func introspectRuntimeFeatures(ctx context.Context, intro introspection.Service,
 	}
 	return features, nil
 }
+
+func supportsCRIUserns(f *features.Features) bool {
+	if f == nil {
+		return false
+	}
+	userns := slices.Contains(f.Linux.Namespaces, "user")
+
+	var idmap bool
+	if m := f.Linux.MountExtensions; m != nil && m.IDMap != nil && m.IDMap.Enabled != nil {
+		if *m.IDMap.Enabled {
+			idmap = true
+		}
+	}
+
+	// user namespace support in CRI requires userns and idmap support.
+	return userns && idmap
+}