Add namespace mode targeting to dockershim

verb · verb · commit d05bcf6800e1 · 2020-01-30T15:31:43.000+01:00
diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
@@ -146,26 +146,25 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 // modifySandboxNamespaceOptions apply namespace options for sandbox
 func modifySandboxNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig, network *knetwork.PluginManager) {
 	// The sandbox's PID namespace is the one that's shared, so CONTAINER and POD are equivalent for it
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
+	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
+		hostConfig.PidMode = namespaceModeHost
+	}
 	modifyHostOptionsForSandbox(nsOpts, network, hostConfig)
 }
 
 // modifyContainerNamespaceOptions apply namespace options for container
 func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSandboxID string, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_POD {
+	switch nsOpts.GetPid() {
+	case runtimeapi.NamespaceMode_NODE:
+		hostConfig.PidMode = namespaceModeHost
+	case runtimeapi.NamespaceMode_POD:
 		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", podSandboxID))
+	case runtimeapi.NamespaceMode_TARGET:
+		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", nsOpts.GetTargetId()))
 	}
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
 	modifyHostOptionsForContainer(nsOpts, podSandboxID, hostConfig)
 }
 
-// modifyCommonNamespaceOptions apply common namespace options for sandbox and container
-func modifyCommonNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
-		hostConfig.PidMode = namespaceModeHost
-	}
-}
-
 // modifyHostOptionsForSandbox applies NetworkMode/UTSMode to sandbox's dockercontainer.HostConfig.
 func modifyHostOptionsForSandbox(nsOpts *runtimeapi.NamespaceOption, network *knetwork.PluginManager, hc *dockercontainer.HostConfig) {
 	if nsOpts.GetIpc() == runtimeapi.NamespaceMode_NODE {
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
@@ -345,6 +345,27 @@ func TestModifySandboxNamespaceOptions(t *testing.T) {
 				NetworkMode: "default",
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption (for sandbox is same as container ns option)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode:     "",
+				NetworkMode: "default",
+			},
+		},
+		{
+			name: "Target PID NamespaceOption (invalid for sandbox)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid:      runtimeapi.NamespaceMode_TARGET,
+				TargetId: "same-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode:     "",
+				NetworkMode: "default",
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}
@@ -395,6 +416,29 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 				PidMode:     namespaceModeHost,
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode:     dockercontainer.IpcMode(sandboxNSMode),
+				PidMode:     dockercontainer.PidMode(sandboxNSMode),
+			},
+		},
+		{
+			name: "Target PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid:      runtimeapi.NamespaceMode_TARGET,
+				TargetId: "some-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode:     dockercontainer.IpcMode(sandboxNSMode),
+				PidMode:     dockercontainer.PidMode("container:some-container"),
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}
