opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-21 17:38:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Kube like pods should share ipc,net,uts by default

Browse Source 
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
This commit is contained in:
flouthoc
2021-05-08 00:36:45 +05:30
parent 54bed1025d
commit 14a1a4546c
2 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/specgen/generate/kube/kube.go
View File

@ -23,6 +23,10 @@ func ToPodGen(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec)
p := specgen.NewPodSpecGenerator() p := specgen.NewPodSpecGenerator()
p.Name = podName p.Name = podName
p.Labels = podYAML.ObjectMeta.Labels p.Labels = podYAML.ObjectMeta.Labels
// Kube pods must share {ipc, net, uts} by default
p.SharedNamespaces = append(p.SharedNamespaces, "ipc")
p.SharedNamespaces = append(p.SharedNamespaces, "net")
p.SharedNamespaces = append(p.SharedNamespaces, "uts")
// TODO we only configure Process namespace. We also need to account for Host{IPC,Network,PID} // TODO we only configure Process namespace. We also need to account for Host{IPC,Network,PID}
// which is not currently possible with pod create // which is not currently possible with pod create
if podYAML.Spec.ShareProcessNamespace != nil && *podYAML.Spec.ShareProcessNamespace { if podYAML.Spec.ShareProcessNamespace != nil && *podYAML.Spec.ShareProcessNamespace {

56
test/e2e/play_kube_test.go
View File

@ -28,6 +28,44 @@ metadata:
spec: spec:
hostname: unknown hostname: unknown
` `
var sharedNamespacePodYaml = `
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2021-05-07T17:25:01Z"
labels:
app: testpod1
name: testpod1
spec:
containers:
- command:
- top
- -d
- "1.5"
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: TERM
value: xterm
- name: container
value: podman
- name: HOSTNAME
value: label-pod
image: quay.io/libpod/alpine:latest
name: alpine
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
seLinuxOptions: {}
workingDir: /
dnsConfig: {}
restartPolicy: Never
shareProcessNamespace: true
status: {}
`
var selinuxLabelPodYaml = ` var selinuxLabelPodYaml = `
apiVersion: v1 apiVersion: v1
@ -1004,6 +1042,24 @@ var _ = Describe("Podman play kube", func() {
Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0")) Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
}) })
It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
SkipIfRootless("Requires root priviledges for sharing few namespaces")
err := writeYaml(sharedNamespacePodYaml, kubeYaml)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))
inspect := podmanTest.Podman([]string{"inspect", "testpod1", "--format", "'{{ .SharedNamespaces }}'"})
inspect.WaitWithDefaultTimeout()
sharednamespaces := inspect.OutputToString()
Expect(sharednamespaces).To(ContainSubstring("ipc"))
Expect(sharednamespaces).To(ContainSubstring("net"))
Expect(sharednamespaces).To(ContainSubstring("uts"))
Expect(sharednamespaces).To(ContainSubstring("pid"))
})
It("podman play kube fail with nonexistent authfile", func() { It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml) err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil()) Expect(err).To(BeNil())