Now if a pod tries to use user namespaces (hostUsers: false) and a
volume device, it will see this error:
$ kubectl apply -f pod.yaml
...
* spec.ephemeralContainers[0].volumeDevices: Forbidden: when `pod.Spec.HostUsers` is false
* spec.initContainers[0].volumeDevices: Forbidden: when `pod.Spec.HostUsers` is false
* spec.containers[0].volumeDevices: Forbidden: when `pod.Spec.HostUsers` is false
Note that if a pod is already created with volumeDevices and userns,
then we allow modifications to that object.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
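The create-versus-update behaviour described in that commit message (reject volumeDevices when hostUsers is false, but tolerate an object that already combined the two) as an added Go example. This is not the Kubernetes project's own validation code: the PodSpec, Container and VolumeDevice types are simplified stand-ins, and the error strings merely mimic the field-path style of the kubectl output above.

```go
package main

import "fmt"

// Simplified stand-ins for the pod spec fields involved (assumption: not the
// real Kubernetes API types).
type VolumeDevice struct {
	Name       string
	DevicePath string
}

type Container struct {
	Name          string
	VolumeDevices []VolumeDevice
}

type PodSpec struct {
	HostUsers           *bool // nil keeps the default (host user namespace)
	InitContainers      []Container
	Containers          []Container
	EphemeralContainers []Container
}

// usesUserNamespace reports whether the pod opted into a user namespace
// (hostUsers: false). A nil pointer means the default of true.
func usesUserNamespace(spec *PodSpec) bool {
	return spec.HostUsers != nil && !*spec.HostUsers
}

// hasVolumeDevices reports whether any container in the spec declares a volumeDevice.
func hasVolumeDevices(spec *PodSpec) bool {
	for _, list := range [][]Container{spec.InitContainers, spec.Containers, spec.EphemeralContainers} {
		for _, c := range list {
			if len(c.VolumeDevices) > 0 {
				return true
			}
		}
	}
	return false
}

// ValidateUserNamespaceVolumeDevices returns one error per offending container.
// oldSpec is nil on create; on update, an object that already combined a user
// namespace with volumeDevices is tolerated so existing workloads keep working.
func ValidateUserNamespaceVolumeDevices(spec, oldSpec *PodSpec) []string {
	if !usesUserNamespace(spec) {
		return nil
	}
	if oldSpec != nil && usesUserNamespace(oldSpec) && hasVolumeDevices(oldSpec) {
		return nil // pre-existing combination: allow modifications to the object
	}
	var errs []string
	check := func(field string, list []Container) {
		for i, c := range list {
			if len(c.VolumeDevices) > 0 {
				errs = append(errs, fmt.Sprintf("spec.%s[%d].volumeDevices: Forbidden: when `pod.Spec.HostUsers` is false", field, i))
			}
		}
	}
	check("ephemeralContainers", spec.EphemeralContainers)
	check("initContainers", spec.InitContainers)
	check("containers", spec.Containers)
	return errs
}

func main() {
	f := false
	// Constructed sample: a pod that opts into userns and also mounts a block device.
	dev := []VolumeDevice{{Name: "data", DevicePath: "/dev/xvda"}}
	spec := &PodSpec{HostUsers: &f, Containers: []Container{{Name: "app", VolumeDevices: dev}}}
	for _, e := range ValidateUserNamespaceVolumeDevices(spec, nil) {
		fmt.Println("*", e)
	}
}
```

The old-spec check is the part worth copying into any similar validation: a new rule that only looks at the incoming object would break updates to workloads admitted before the rule existed.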
* Add FileKeyRef field and struct to the Pod API
* Add the implementation code in the kubelet.
* Add validation code
* Add basic functionality e2e tests
* Add code for dropping disabled pod fields
* update go.mod
Before, containers with the PostStart sleep lifecycle hook would cause
null pointer panics due to a typo in the field name being checked. This
commit fixes that.
The check also needs to be done on the oldPodSpec, rather than the
podSpec, so that existing workloads which use the zero value continue
functioning in the same way.
1. The effective container requests cannot be greater than pod-level requests
2. Individual container limits cannot be greater than pod-level limits
3. Only CPU & Memory are supported at pod-level
4. In-place container resources updates are not supported if pod-level resources are set
Note: the rule that effective container requests cannot be greater than pod-level limits follows by transitivity: effective container requests <= pod-level requests && pod-level requests <= pod-level limits; therefore effective container requests <= pod-level limits.
Signed-off-by: ndixita <ndixita@google.com>
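Rules 1 to 3 from the commit message above, plus the pod-level requests <= limits check that the transitivity note relies on, as an added Go example. This is not the Kubernetes project's own validation code: quantities are modelled as plain int64 values (millicores for cpu, bytes for memory) and the PodSpec/Container types are simplified stand-ins so the example runs without any Kubernetes dependency.

```go
package main

import (
	"fmt"
	"sort"
)

// ResourceList maps a resource name to a quantity (assumption: int64 stand-in
// for the real Quantity type; cpu in millicores, memory in bytes).
type ResourceList map[string]int64

type ResourceRequirements struct {
	Requests ResourceList
	Limits   ResourceList
}

type Container struct {
	Name      string
	Resources ResourceRequirements
}

type PodSpec struct {
	Resources      *ResourceRequirements // pod-level resources; nil when unset
	InitContainers []Container
	Containers     []Container
}

// Rule 3: only these resources may be set at pod level.
var podLevelResources = map[string]bool{"cpu": true, "memory": true}

// effectiveRequest computes the pod's effective request for one resource:
// the larger of the biggest init container request and the sum of the
// regular container requests (init containers run one at a time).
func effectiveRequest(spec *PodSpec, name string) int64 {
	var initMax, sum int64
	for _, c := range spec.InitContainers {
		if q := c.Resources.Requests[name]; q > initMax {
			initMax = q
		}
	}
	for _, c := range spec.Containers {
		sum += c.Resources.Requests[name]
	}
	if initMax > sum {
		return initMax
	}
	return sum
}

// ValidatePodLevelResources returns a sorted list of rule violations, or nil.
func ValidatePodLevelResources(spec *PodSpec) []string {
	if spec.Resources == nil {
		return nil
	}
	var errs []string
	// Rule 3: unsupported resource names at pod level.
	for _, list := range []ResourceList{spec.Resources.Requests, spec.Resources.Limits} {
		for name := range list {
			if !podLevelResources[name] {
				errs = append(errs, fmt.Sprintf("spec.resources: Unsupported value: %q at pod level", name))
			}
		}
	}
	for name, podReq := range spec.Resources.Requests {
		// Rule 1: effective container requests must not exceed pod-level requests.
		if eff := effectiveRequest(spec, name); eff > podReq {
			errs = append(errs, fmt.Sprintf("spec.resources.requests[%s]: Invalid value: effective container requests %d exceed pod-level request %d", name, eff, podReq))
		}
		// Pod-level requests must not exceed pod-level limits; together with
		// rule 1 this gives effective requests <= pod-level limits by transitivity.
		if podLim, ok := spec.Resources.Limits[name]; ok && podReq > podLim {
			errs = append(errs, fmt.Sprintf("spec.resources.requests[%s]: Invalid value: %d exceeds pod-level limit %d", name, podReq, podLim))
		}
	}
	// Rule 2: no individual container limit may exceed the pod-level limit.
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for name, podLim := range spec.Resources.Limits {
		for _, c := range all {
			if lim, ok := c.Resources.Limits[name]; ok && lim > podLim {
				errs = append(errs, fmt.Sprintf("container %q: resources.limits[%s]: Invalid value: %d exceeds pod-level limit %d", c.Name, name, lim, podLim))
			}
		}
	}
	sort.Strings(errs) // map iteration order is random; make output deterministic
	return errs
}

func main() {
	// Constructed sample: pod-level cpu request 1000m, but containers add up to 1100m.
	spec := &PodSpec{
		Resources:      &ResourceRequirements{Requests: ResourceList{"cpu": 1000}, Limits: ResourceList{"cpu": 2000}},
		InitContainers: []Container{{Name: "init", Resources: ResourceRequirements{Requests: ResourceList{"cpu": 800}}}},
		Containers: []Container{
			{Name: "a", Resources: ResourceRequirements{Requests: ResourceList{"cpu": 600}}},
			{Name: "b", Resources: ResourceRequirements{Requests: ResourceList{"cpu": 500}}},
		},
	}
	for _, e := range ValidatePodLevelResources(spec) {
		fmt.Println("*", e)
	}
}
```

Rule 4 (no in-place container resize when pod-level resources are set) is an update-time rule that compares old and new specs, so it is not part of this create-time check.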
1. Add Resources struct to PodSpec struct in both external and internal API packages
2. Adding feature gate and logic for dropping disabled fields for Pod Level Resources
KEP: enhancements/keps/sig-node/2837-pod-level-resource-spec
Added tests, info about new feature gate in error message, fixes from review
Added basic e2e test
Added unit tests
Ran hack/update-featuregates.sh
Tolerate updates to existing resources after disabling feature gate
Added feature gate to versioned_kube_features.go
Fixed existing tests
Use PodValidationOptions for validation instead of using feature gate directly
Relaxed validation for allowing zero in prestop hook sleep action
* KEP-4427 : AllowRelaxedDNSSearchValidation
* Add e2e test with feature gate to test KEP-4427 RelaxedDNSSearchValidation
* Add more validatePodDNSConfig test cases
Also update Regex to match the case we want.
Thanks Tim and Antonio!
Adding the required Kubernetes API so that the kubelet can start using
it. This patch also adds the corresponding alpha feature gate as
outlined in KEP 4639.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify that `SupplementalGroupsPolicy` is an OS-dependent field.
* Make `ContainerStatus.User` the user identity initially attached to the first process in the ContainerStatus.
This is because the process identity can be dynamic if the initially attached identity
has enough privilege to call the setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need for a feature gate check in validation when adding a new field with no default value
* fix typo: identitiy -> identity