Merge pull request kubernetes#84731 from verb/ec-pid

Add namespace targeting mode to CRI and kubelet

Author: k8s-ci-robot

pkg/kubelet/dockershim/security_context.go

@@ -146,26 +146,25 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 // modifySandboxNamespaceOptions apply namespace options for sandbox
 func modifySandboxNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig, network *knetwork.PluginManager) {
 	// The sandbox's PID namespace is the one that's shared, so CONTAINER and POD are equivalent for it
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
+	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
+		hostConfig.PidMode = namespaceModeHost
+	}
 	modifyHostOptionsForSandbox(nsOpts, network, hostConfig)
 }
 
 // modifyContainerNamespaceOptions apply namespace options for container
 func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSandboxID string, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_POD {
+	switch nsOpts.GetPid() {
+	case runtimeapi.NamespaceMode_NODE:
+		hostConfig.PidMode = namespaceModeHost
+	case runtimeapi.NamespaceMode_POD:
 		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", podSandboxID))
+	case runtimeapi.NamespaceMode_TARGET:
+		hostConfig.PidMode = dockercontainer.PidMode(fmt.Sprintf("container:%v", nsOpts.GetTargetId()))
 	}
-	modifyCommonNamespaceOptions(nsOpts, hostConfig)
 	modifyHostOptionsForContainer(nsOpts, podSandboxID, hostConfig)
 }
 
-// modifyCommonNamespaceOptions apply common namespace options for sandbox and container
-func modifyCommonNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig) {
-	if nsOpts.GetPid() == runtimeapi.NamespaceMode_NODE {
-		hostConfig.PidMode = namespaceModeHost
-	}
-}
-
 // modifyHostOptionsForSandbox applies NetworkMode/UTSMode to sandbox's dockercontainer.HostConfig.
 func modifyHostOptionsForSandbox(nsOpts *runtimeapi.NamespaceOption, network *knetwork.PluginManager, hc *dockercontainer.HostConfig) {
 	if nsOpts.GetIpc() == runtimeapi.NamespaceMode_NODE {

pkg/kubelet/dockershim/security_context_test.go

@@ -345,6 +345,27 @@ func TestModifySandboxNamespaceOptions(t *testing.T) {
 				NetworkMode: "default",
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption (for sandbox is same as container ns option)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode:     "",
+				NetworkMode: "default",
+			},
+		},
+		{
+			name: "Target PID NamespaceOption (invalid for sandbox)",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid:      runtimeapi.NamespaceMode_TARGET,
+				TargetId: "same-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				PidMode:     "",
+				NetworkMode: "default",
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}
@@ -395,6 +416,29 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 				PidMode:     namespaceModeHost,
 			},
 		},
+		{
+			name: "Pod PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode:     dockercontainer.IpcMode(sandboxNSMode),
+				PidMode:     dockercontainer.PidMode(sandboxNSMode),
+			},
+		},
+		{
+			name: "Target PID NamespaceOption",
+			nsOpt: &runtimeapi.NamespaceOption{
+				Pid:      runtimeapi.NamespaceMode_TARGET,
+				TargetId: "some-container",
+			},
+			expected: &dockercontainer.HostConfig{
+				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
+				IpcMode:     dockercontainer.IpcMode(sandboxNSMode),
+				PidMode:     dockercontainer.PidMode("container:some-container"),
+			},
+		},
 	}
 	for _, tc := range cases {
 		dockerCfg := &dockercontainer.HostConfig{}

pkg/kubelet/kuberuntime/BUILD

@@ -131,6 +131,7 @@ go_test(
         "//staging/src/k8s.io/cri-api/pkg/apis/testing:go_default_library",
         "//vendor/github.com/golang/mock/gomock:go_default_library",
         "//vendor/github.com/google/cadvisor/info/v1:go_default_library",
+        "//vendor/github.com/google/go-cmp/cmp:go_default_library",
         "//vendor/github.com/stretchr/testify/assert:go_default_library",
         "//vendor/github.com/stretchr/testify/require:go_default_library",
         "//vendor/k8s.io/utils/pointer:go_default_library",

pkg/kubelet/kuberuntime/kuberuntime_container.go

@@ -41,7 +41,9 @@ import (
 	kubetypes "k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	"k8s.io/kubernetes/pkg/kubelet/types"
@@ -86,13 +88,52 @@ func (m *kubeGenericRuntimeManager) recordContainerEvent(pod *v1.Pod, container
 	m.recorder.Event(ref, eventType, reason, eventMessage)
 }
 
+// startSpec wraps the spec required to start a container, either a regular/init container
+// or an ephemeral container. Ephemeral containers contain all the fields of regular/init
+// containers, plus some additional fields. In both cases startSpec.container will be set.
+type startSpec struct {
+	container          *v1.Container
+	ephemeralContainer *v1.EphemeralContainer
+}
+
+func containerStartSpec(c *v1.Container) *startSpec {
+	return &startSpec{container: c}
+}
+
+func ephemeralContainerStartSpec(ec *v1.EphemeralContainer) *startSpec {
+	return &startSpec{
+		container:          (*v1.Container)(&ec.EphemeralContainerCommon),
+		ephemeralContainer: ec,
+	}
+}
+
+// getTargetID returns the kubecontainer.ContainerID for ephemeral container namespace
+// targeting. The target is stored as EphemeralContainer.TargetContainerName, which must be
+// resolved to a ContainerID using podStatus. The target container must already exist, which
+// usually isn't a problem since ephemeral containers aren't allowed at pod creation time.
+// This always returns nil when the EphemeralContainers feature is disabled.
+func (s *startSpec) getTargetID(podStatus *kubecontainer.PodStatus) (*kubecontainer.ContainerID, error) {
+	if s.ephemeralContainer == nil || s.ephemeralContainer.TargetContainerName == "" || !utilfeature.DefaultFeatureGate.Enabled(features.EphemeralContainers) {
+		return nil, nil
+	}
+
+	targetStatus := podStatus.FindContainerStatusByName(s.ephemeralContainer.TargetContainerName)
+	if targetStatus == nil {
+		return nil, fmt.Errorf("unable to find target container %v", s.ephemeralContainer.TargetContainerName)
+	}
+
+	return &targetStatus.ID, nil
+}
+
 // startContainer starts a container and returns a message indicates why it is failed on error.
 // It starts the container through the following steps:
 // * pull the image
 // * create the container
 // * start the container
 // * run the post start lifecycle hooks (if applicable)
-func (m *kubeGenericRuntimeManager) startContainer(podSandboxID string, podSandboxConfig *runtimeapi.PodSandboxConfig, container *v1.Container, pod *v1.Pod, podStatus *kubecontainer.PodStatus, pullSecrets []v1.Secret, podIP string, podIPs []string) (string, error) {
+func (m *kubeGenericRuntimeManager) startContainer(podSandboxID string, podSandboxConfig *runtimeapi.PodSandboxConfig, spec *startSpec, pod *v1.Pod, podStatus *kubecontainer.PodStatus, pullSecrets []v1.Secret, podIP string, podIPs []string) (string, error) {
+	container := spec.container
+
 	// Step 1: pull the image.
 	imageRef, msg, err := m.imagePuller.EnsureImageExists(pod, container, pullSecrets, podSandboxConfig)
 	if err != nil {
@@ -115,7 +156,14 @@ func (m *kubeGenericRuntimeManager) startContainer(podSandboxID string, podSandb
 		restartCount = containerStatus.RestartCount + 1
 	}
 
-	containerConfig, cleanupAction, err := m.generateContainerConfig(container, pod, restartCount, podIP, imageRef, podIPs)
+	target, err := spec.getTargetID(podStatus)
+	if err != nil {
+		s, _ := grpcstatus.FromError(err)
+		m.recordContainerEvent(pod, container, "", v1.EventTypeWarning, events.FailedToCreateContainer, "Error: %v", s.Message())
+		return s.Message(), ErrCreateContainerConfig
+	}
+
+	containerConfig, cleanupAction, err := m.generateContainerConfig(container, pod, restartCount, podIP, imageRef, podIPs, target)
 	if cleanupAction != nil {
 		defer cleanupAction()
 	}
@@ -195,7 +243,7 @@ func (m *kubeGenericRuntimeManager) startContainer(podSandboxID string, podSandb
 }
 
 // generateContainerConfig generates container config for kubelet runtime v1.
-func (m *kubeGenericRuntimeManager) generateContainerConfig(container *v1.Container, pod *v1.Pod, restartCount int, podIP, imageRef string, podIPs []string) (*runtimeapi.ContainerConfig, func(), error) {
+func (m *kubeGenericRuntimeManager) generateContainerConfig(container *v1.Container, pod *v1.Pod, restartCount int, podIP, imageRef string, podIPs []string, nsTarget *kubecontainer.ContainerID) (*runtimeapi.ContainerConfig, func(), error) {
 	opts, cleanupAction, err := m.runtimeHelper.GenerateRunContainerOptions(pod, container, podIP, podIPs)
 	if err != nil {
 		return nil, nil, err
@@ -239,7 +287,7 @@ func (m *kubeGenericRuntimeManager) generateContainerConfig(container *v1.Contai
 	}
 
 	// set platform specific configurations.
-	if err := m.applyPlatformSpecificContainerConfig(config, container, pod, uid, username); err != nil {
+	if err := m.applyPlatformSpecificContainerConfig(config, container, pod, uid, username, nsTarget); err != nil {
 		return nil, cleanupAction, err
 	}
 

pkg/kubelet/kuberuntime/kuberuntime_container_linux.go

@@ -28,22 +28,28 @@ import (
 	"k8s.io/klog"
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/qos"
 )
 
 // applyPlatformSpecificContainerConfig applies platform specific configurations to runtimeapi.ContainerConfig.
-func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config *runtimeapi.ContainerConfig, container *v1.Container, pod *v1.Pod, uid *int64, username string) error {
-	config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username)
+func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config *runtimeapi.ContainerConfig, container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID) error {
+	config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget)
 	return nil
 }
 
 // generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
-func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string) *runtimeapi.LinuxContainerConfig {
+func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID) *runtimeapi.LinuxContainerConfig {
 	lc := &runtimeapi.LinuxContainerConfig{
 		Resources:       &runtimeapi.LinuxContainerResources{},
 		SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username),
 	}
 
+	if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
+		lc.SecurityContext.NamespaceOptions.Pid = runtimeapi.NamespaceMode_TARGET
+		lc.SecurityContext.NamespaceOptions.TargetId = nsTarget.ID
+	}
+
 	// set linux container resources
 	var cpuShares int64
 	cpuRequest := container.Resources.Requests.Cpu()

pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go

@@ -22,13 +22,17 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	cgroupfs "github.com/opencontainers/runc/libcontainer/cgroups/fs"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
-
-	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/kubernetes/pkg/features"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 )
 
 func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerIndex int) *runtimeapi.ContainerConfig {
@@ -57,7 +61,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
 		Stdin:       container.Stdin,
 		StdinOnce:   container.StdinOnce,
 		Tty:         container.TTY,
-		Linux:       m.generateLinuxContainerConfig(container, pod, new(int64), ""),
+		Linux:       m.generateLinuxContainerConfig(container, pod, new(int64), "", nil),
 		Envs:        envs,
 	}
 	return expectedConfig
@@ -93,7 +97,7 @@ func TestGenerateContainerConfig(t *testing.T) {
 	}
 
 	expectedConfig := makeExpectedConfig(m, pod, 0)
-	containerConfig, _, err := m.generateContainerConfig(&pod.Spec.Containers[0], pod, 0, "", pod.Spec.Containers[0].Image, []string{})
+	containerConfig, _, err := m.generateContainerConfig(&pod.Spec.Containers[0], pod, 0, "", pod.Spec.Containers[0].Image, []string{}, nil)
 	assert.NoError(t, err)
 	assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
 	assert.Equal(t, runAsUser, containerConfig.GetLinux().GetSecurityContext().GetRunAsUser().GetValue(), "RunAsUser should be set")
@@ -124,7 +128,7 @@ func TestGenerateContainerConfig(t *testing.T) {
 		},
 	}
 
-	_, _, err = m.generateContainerConfig(&podWithContainerSecurityContext.Spec.Containers[0], podWithContainerSecurityContext, 0, "", podWithContainerSecurityContext.Spec.Containers[0].Image, []string{})
+	_, _, err = m.generateContainerConfig(&podWithContainerSecurityContext.Spec.Containers[0], podWithContainerSecurityContext, 0, "", podWithContainerSecurityContext.Spec.Containers[0].Image, []string{}, nil)
 	assert.Error(t, err)
 
 	imageID, _ := imageService.PullImage(&runtimeapi.ImageSpec{Image: "busybox"}, nil, nil)
@@ -136,7 +140,7 @@ func TestGenerateContainerConfig(t *testing.T) {
 	podWithContainerSecurityContext.Spec.Containers[0].SecurityContext.RunAsUser = nil
 	podWithContainerSecurityContext.Spec.Containers[0].SecurityContext.RunAsNonRoot = &runAsNonRootTrue
 
-	_, _, err = m.generateContainerConfig(&podWithContainerSecurityContext.Spec.Containers[0], podWithContainerSecurityContext, 0, "", podWithContainerSecurityContext.Spec.Containers[0].Image, []string{})
+	_, _, err = m.generateContainerConfig(&podWithContainerSecurityContext.Spec.Containers[0], podWithContainerSecurityContext, 0, "", podWithContainerSecurityContext.Spec.Containers[0].Image, []string{}, nil)
 	assert.Error(t, err, "RunAsNonRoot should fail for non-numeric username")
 }
 
@@ -296,3 +300,70 @@ func TestGetHugepageLimitsFromResources(t *testing.T) {
 		}
 	}
 }
+
+func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
+	_, _, m, err := createTestRuntimeManager()
+	if err != nil {
+		t.Fatalf("error creating test RuntimeManager: %v", err)
+	}
+
+	for _, tc := range []struct {
+		name   string
+		pod    *v1.Pod
+		target *kubecontainer.ContainerID
+		want   *runtimeapi.NamespaceOption
+	}{
+		{
+			"Default namespaces",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Name: "test"},
+					},
+				},
+			},
+			nil,
+			&runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_CONTAINER,
+			},
+		},
+		{
+			"PID Namespace POD",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Name: "test"},
+					},
+					ShareProcessNamespace: &[]bool{true}[0],
+				},
+			},
+			nil,
+			&runtimeapi.NamespaceOption{
+				Pid: runtimeapi.NamespaceMode_POD,
+			},
+		},
+		{
+			"PID Namespace TARGET",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Name: "test"},
+					},
+				},
+			},
+			&kubecontainer.ContainerID{Type: "docker", ID: "really-long-id-string"},
+			&runtimeapi.NamespaceOption{
+				Pid:      runtimeapi.NamespaceMode_TARGET,
+				TargetId: "really-long-id-string",
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target)
+			if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
+				t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
+			}
+		})
+	}
+}