	Merge pull request #87394 from mattjmcnaughton/mattjmcnaughton/delete-sysctl-runtime-admit-handler
Delete the sysctl runtime admit handler
		@@ -850,12 +850,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 | 
				
			|||||||
	klet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
 | 
						klet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
 | 
						if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
 | 
				
			||||||
		// add sysctl admission
 | 
					 | 
				
			||||||
		runtimeSupport, err := sysctl.NewRuntimeAdmitHandler(klet.containerRuntime)
 | 
					 | 
				
			||||||
		if err != nil {
 | 
					 | 
				
			||||||
			return nil, err
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
		// Safe, whitelisted sysctls can always be used as unsafe sysctls in the spec.
 | 
							// Safe, whitelisted sysctls can always be used as unsafe sysctls in the spec.
 | 
				
			||||||
		// Hence, we concatenate those two lists.
 | 
							// Hence, we concatenate those two lists.
 | 
				
			||||||
		safeAndUnsafeSysctls := append(sysctlwhitelist.SafeSysctlWhitelist(), allowedUnsafeSysctls...)
 | 
							safeAndUnsafeSysctls := append(sysctlwhitelist.SafeSysctlWhitelist(), allowedUnsafeSysctls...)
 | 
				
			||||||
@@ -863,7 +857,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 | 
				
			|||||||
		if err != nil {
 | 
							if err != nil {
 | 
				
			||||||
			return nil, err
 | 
								return nil, err
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
		klet.admitHandlers.AddPodAdmitHandler(runtimeSupport)
 | 
					 | 
				
			||||||
		klet.admitHandlers.AddPodAdmitHandler(sysctlsWhitelist)
 | 
							klet.admitHandlers.AddPodAdmitHandler(sysctlsWhitelist)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
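Review bot: The deleted `// add sysctl admission` comment at the top of the removed block also introduced the whitelist handler that survives below it (the `safeAndUnsafeSysctls` lines and, in the next hunk, `AddPodAdmitHandler(sysctlsWhitelist)`), so that remaining block is now uncommented; suggest keeping it as `// add sysctl admission: safe whitelist plus the configured unsafe sysctls`. With `NewRuntimeAdmitHandler` and the `AddPodAdmitHandler(runtimeSupport)` call in the next hunk both gone, the kubelet no longer rejects sysctl-bearing pods at admission when the container runtime lacks sysctl support; presumably such pods now fail at container creation instead, and nothing in the commit records that shift, so a one-line comment at the `features.Sysctls` gate (or a release note) would help operators who currently key off `SysctlUnsupported` events. NewMainKubelet starts and ends outside both hunks.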
 
 | 
				
			|||||||
@@ -10,14 +10,12 @@ go_library(
 | 
				
			|||||||
    name = "go_default_library",
 | 
					    name = "go_default_library",
 | 
				
			||||||
    srcs = [
 | 
					    srcs = [
 | 
				
			||||||
        "namespace.go",
 | 
					        "namespace.go",
 | 
				
			||||||
        "runtime.go",
 | 
					 | 
				
			||||||
        "whitelist.go",
 | 
					        "whitelist.go",
 | 
				
			||||||
    ],
 | 
					    ],
 | 
				
			||||||
    importpath = "k8s.io/kubernetes/pkg/kubelet/sysctl",
 | 
					    importpath = "k8s.io/kubernetes/pkg/kubelet/sysctl",
 | 
				
			||||||
    deps = [
 | 
					    deps = [
 | 
				
			||||||
        "//pkg/apis/core/validation:go_default_library",
 | 
					        "//pkg/apis/core/validation:go_default_library",
 | 
				
			||||||
        "//pkg/apis/policy/validation:go_default_library",
 | 
					        "//pkg/apis/policy/validation:go_default_library",
 | 
				
			||||||
        "//pkg/kubelet/container:go_default_library",
 | 
					 | 
				
			||||||
        "//pkg/kubelet/lifecycle:go_default_library",
 | 
					        "//pkg/kubelet/lifecycle:go_default_library",
 | 
				
			||||||
    ],
 | 
					    ],
 | 
				
			||||||
)
 | 
					)
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -1,95 +0,0 @@
 | 
				
			|||||||
/*
 | 
					 | 
				
			||||||
Copyright 2016 The Kubernetes Authors.
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
Licensed under the Apache License, Version 2.0 (the "License");
 | 
					 | 
				
			||||||
you may not use this file except in compliance with the License.
 | 
					 | 
				
			||||||
You may obtain a copy of the License at
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
    http://www.apache.org/licenses/LICENSE-2.0
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
Unless required by applicable law or agreed to in writing, software
 | 
					 | 
				
			||||||
distributed under the License is distributed on an "AS IS" BASIS,
 | 
					 | 
				
			||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | 
					 | 
				
			||||||
See the License for the specific language governing permissions and
 | 
					 | 
				
			||||||
limitations under the License.
 | 
					 | 
				
			||||||
*/
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
package sysctl
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
import (
 | 
					 | 
				
			||||||
	"fmt"
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	"k8s.io/kubernetes/pkg/kubelet/container"
 | 
					 | 
				
			||||||
	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 | 
					 | 
				
			||||||
)
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
const (
 | 
					 | 
				
			||||||
	UnsupportedReason = "SysctlUnsupported"
 | 
					 | 
				
			||||||
	// CRI uses semver-compatible API version, while docker does not
 | 
					 | 
				
			||||||
	// (e.g., 1.24). Append the version with a ".0".
 | 
					 | 
				
			||||||
	dockerMinimumAPIVersion = "1.24.0"
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	dockerTypeName = "docker"
 | 
					 | 
				
			||||||
)
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
// TODO: The admission logic in this file is runtime-dependent. It should be
 | 
					 | 
				
			||||||
// changed to be generic and CRI-compatible.
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
type runtimeAdmitHandler struct {
 | 
					 | 
				
			||||||
	result lifecycle.PodAdmitResult
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
var _ lifecycle.PodAdmitHandler = &runtimeAdmitHandler{}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
// NewRuntimeAdmitHandler returns a sysctlRuntimeAdmitHandler which checks whether
 | 
					 | 
				
			||||||
// the given runtime support sysctls.
 | 
					 | 
				
			||||||
func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, error) {
 | 
					 | 
				
			||||||
	switch runtime.Type() {
 | 
					 | 
				
			||||||
	case dockerTypeName:
 | 
					 | 
				
			||||||
		v, err := runtime.APIVersion()
 | 
					 | 
				
			||||||
		if err != nil {
 | 
					 | 
				
			||||||
			return nil, fmt.Errorf("failed to get runtime version: %v", err)
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
		// only Docker API version >= 1.24 supports sysctls
 | 
					 | 
				
			||||||
		c, err := v.Compare(dockerMinimumAPIVersion)
 | 
					 | 
				
			||||||
		if err != nil {
 | 
					 | 
				
			||||||
			return nil, fmt.Errorf("failed to compare Docker version for sysctl support: %v", err)
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
		if c >= 0 {
 | 
					 | 
				
			||||||
			return &runtimeAdmitHandler{
 | 
					 | 
				
			||||||
				result: lifecycle.PodAdmitResult{
 | 
					 | 
				
			||||||
					Admit: true,
 | 
					 | 
				
			||||||
				},
 | 
					 | 
				
			||||||
			}, nil
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
		return &runtimeAdmitHandler{
 | 
					 | 
				
			||||||
			result: lifecycle.PodAdmitResult{
 | 
					 | 
				
			||||||
				Admit:   false,
 | 
					 | 
				
			||||||
				Reason:  UnsupportedReason,
 | 
					 | 
				
			||||||
				Message: "Docker API version before 1.24 does not support sysctls",
 | 
					 | 
				
			||||||
			},
 | 
					 | 
				
			||||||
		}, nil
 | 
					 | 
				
			||||||
	default:
 | 
					 | 
				
			||||||
		// Return admit for other runtimes.
 | 
					 | 
				
			||||||
		return &runtimeAdmitHandler{
 | 
					 | 
				
			||||||
			result: lifecycle.PodAdmitResult{
 | 
					 | 
				
			||||||
				Admit: true,
 | 
					 | 
				
			||||||
			},
 | 
					 | 
				
			||||||
		}, nil
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
// Admit checks whether the runtime supports sysctls.
 | 
					 | 
				
			||||||
func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
 | 
					 | 
				
			||||||
	if attrs.Pod.Spec.SecurityContext != nil {
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
		if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
 | 
					 | 
				
			||||||
			return w.result
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	return lifecycle.PodAdmitResult{
 | 
					 | 
				
			||||||
		Admit: true,
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
@@ -49,7 +49,6 @@ go_library(
 | 
				
			|||||||
        "//pkg/kubelet/events:go_default_library",
 | 
					        "//pkg/kubelet/events:go_default_library",
 | 
				
			||||||
        "//pkg/kubelet/images:go_default_library",
 | 
					        "//pkg/kubelet/images:go_default_library",
 | 
				
			||||||
        "//pkg/kubelet/runtimeclass/testing:go_default_library",
 | 
					        "//pkg/kubelet/runtimeclass/testing:go_default_library",
 | 
				
			||||||
        "//pkg/kubelet/sysctl:go_default_library",
 | 
					 | 
				
			||||||
        "//staging/src/k8s.io/api/coordination/v1:go_default_library",
 | 
					        "//staging/src/k8s.io/api/coordination/v1:go_default_library",
 | 
				
			||||||
        "//staging/src/k8s.io/api/core/v1:go_default_library",
 | 
					        "//staging/src/k8s.io/api/core/v1:go_default_library",
 | 
				
			||||||
        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
 | 
					        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -20,7 +20,6 @@ import (
 | 
				
			|||||||
	"k8s.io/api/core/v1"
 | 
						"k8s.io/api/core/v1"
 | 
				
			||||||
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 | 
						metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 | 
				
			||||||
	"k8s.io/apimachinery/pkg/util/uuid"
 | 
						"k8s.io/apimachinery/pkg/util/uuid"
 | 
				
			||||||
	"k8s.io/kubernetes/pkg/kubelet/sysctl"
 | 
					 | 
				
			||||||
	"k8s.io/kubernetes/test/e2e/framework"
 | 
						"k8s.io/kubernetes/test/e2e/framework"
 | 
				
			||||||
	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 | 
						e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 | 
				
			||||||
	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 | 
						e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 | 
				
			||||||
@@ -86,9 +85,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 | 
				
			|||||||
		// might have already been deleted here.
 | 
							// might have already been deleted here.
 | 
				
			||||||
		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
							ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
				
			||||||
		framework.ExpectNoError(err)
 | 
							framework.ExpectNoError(err)
 | 
				
			||||||
		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 | 
					 | 
				
			||||||
			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
		gomega.Expect(ev).To(gomega.BeNil())
 | 
							gomega.Expect(ev).To(gomega.BeNil())
 | 
				
			||||||
 | 
					
 | 
				
			||||||
		ginkgo.By("Waiting for pod completion")
 | 
							ginkgo.By("Waiting for pod completion")
 | 
				
			||||||
@@ -129,9 +125,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 | 
				
			|||||||
		// might have already been deleted here.
 | 
							// might have already been deleted here.
 | 
				
			||||||
		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
							ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
				
			||||||
		framework.ExpectNoError(err)
 | 
							framework.ExpectNoError(err)
 | 
				
			||||||
		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 | 
					 | 
				
			||||||
			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
		gomega.Expect(ev).To(gomega.BeNil())
 | 
							gomega.Expect(ev).To(gomega.BeNil())
 | 
				
			||||||
 | 
					
 | 
				
			||||||
		ginkgo.By("Waiting for pod completion")
 | 
							ginkgo.By("Waiting for pod completion")
 | 
				
			||||||
@@ -206,9 +199,6 @@ var _ = framework.KubeDescribe("Sysctls [LinuxOnly] [NodeFeature:Sysctls]", func
 | 
				
			|||||||
		// might have already been deleted here.
 | 
							// might have already been deleted here.
 | 
				
			||||||
		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
							ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
 | 
				
			||||||
		framework.ExpectNoError(err)
 | 
							framework.ExpectNoError(err)
 | 
				
			||||||
		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 | 
					 | 
				
			||||||
			e2eskipper.Skipf("No sysctl support in Docker <1.12")
 | 
					 | 
				
			||||||
		}
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
		ginkgo.By("Checking that the pod was rejected")
 | 
							ginkgo.By("Checking that the pod was rejected")
 | 
				
			||||||
		gomega.Expect(ev).ToNot(gomega.BeNil())
 | 
							gomega.Expect(ev).ToNot(gomega.BeNil())
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -226,7 +226,7 @@ func (c *PodClient) WaitForErrorEventOrSuccess(pod *v1.Pod) (*v1.Event, error) {
 | 
				
			|||||||
		}
 | 
							}
 | 
				
			||||||
		for _, e := range evnts.Items {
 | 
							for _, e := range evnts.Items {
 | 
				
			||||||
			switch e.Reason {
 | 
								switch e.Reason {
 | 
				
			||||||
			case events.KillingContainer, events.FailedToCreateContainer, sysctl.UnsupportedReason, sysctl.ForbiddenReason:
 | 
								case events.KillingContainer, events.FailedToCreateContainer, sysctl.ForbiddenReason:
 | 
				
			||||||
				ev = &e
 | 
									ev = &e
 | 
				
			||||||
				return true, nil
 | 
									return true, nil
 | 
				
			||||||
			case events.StartedContainer:
 | 
								case events.StartedContainer:
 | 
				
			||||||
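Review bot: Dropping `sysctl.UnsupportedReason` from the `case` list means an event with that reason no longer terminates the wait; if an older kubelet in a version-skewed cluster (the upgrade tests touched by this commit run against such clusters) still emits it, the poll would presumably run until its timeout instead of returning the event. If that skew window matters, keep matching the literal reason for one release, `case events.KillingContainer, events.FailedToCreateContainer, "SysctlUnsupported", sysctl.ForbiddenReason: // "SysctlUnsupported": reason emitted by pre-removal kubelets`, and note the removal in the function's doc comment. WaitForErrorEventOrSuccess starts and ends outside the hunk.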
 
 | 
				
			|||||||
@@ -41,7 +41,6 @@ go_library(
 | 
				
			|||||||
        "//test/e2e/framework/node:go_default_library",
 | 
					        "//test/e2e/framework/node:go_default_library",
 | 
				
			||||||
        "//test/e2e/framework/security:go_default_library",
 | 
					        "//test/e2e/framework/security:go_default_library",
 | 
				
			||||||
        "//test/e2e/framework/service:go_default_library",
 | 
					        "//test/e2e/framework/service:go_default_library",
 | 
				
			||||||
        "//test/e2e/framework/skipper:go_default_library",
 | 
					 | 
				
			||||||
        "//test/e2e/framework/statefulset:go_default_library",
 | 
					        "//test/e2e/framework/statefulset:go_default_library",
 | 
				
			||||||
        "//test/e2e/framework/testfiles:go_default_library",
 | 
					        "//test/e2e/framework/testfiles:go_default_library",
 | 
				
			||||||
        "//test/e2e/scheduling:go_default_library",
 | 
					        "//test/e2e/scheduling:go_default_library",
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -28,7 +28,6 @@ import (
 | 
				
			|||||||
	"k8s.io/kubernetes/pkg/kubelet/sysctl"
 | 
						"k8s.io/kubernetes/pkg/kubelet/sysctl"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	"k8s.io/kubernetes/test/e2e/framework"
 | 
						"k8s.io/kubernetes/test/e2e/framework"
 | 
				
			||||||
	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 | 
					 | 
				
			||||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
						imageutils "k8s.io/kubernetes/test/utils/image"
 | 
				
			||||||
)
 | 
					)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -85,11 +84,8 @@ func (t *SysctlUpgradeTest) verifySafeSysctlWork(f *framework.Framework) *v1.Pod
 | 
				
			|||||||
	validPod := f.PodClient().Create(t.validPod)
 | 
						validPod := f.PodClient().Create(t.validPod)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	ginkgo.By("Making sure the valid pod launches")
 | 
						ginkgo.By("Making sure the valid pod launches")
 | 
				
			||||||
	ev, err := f.PodClient().WaitForErrorEventOrSuccess(t.validPod)
 | 
						_, err := f.PodClient().WaitForErrorEventOrSuccess(t.validPod)
 | 
				
			||||||
	framework.ExpectNoError(err)
 | 
						framework.ExpectNoError(err)
 | 
				
			||||||
	if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 | 
					 | 
				
			||||||
		e2eskipper.Skipf("No sysctl support in Docker <1.12")
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	f.TestContainerOutput("pod with safe sysctl launched", t.validPod, 0, []string{fmt.Sprintf("%s = %s", safeSysctl, safeSysctlValue)})
 | 
						f.TestContainerOutput("pod with safe sysctl launched", t.validPod, 0, []string{fmt.Sprintf("%s = %s", safeSysctl, safeSysctlValue)})
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	return validPod
 | 
						return validPod
 | 
				
			||||||
@@ -105,9 +101,6 @@ func (t *SysctlUpgradeTest) verifyUnsafeSysctlsAreRejected(f *framework.Framewor
 | 
				
			|||||||
	ginkgo.By("Making sure the invalid pod failed")
 | 
						ginkgo.By("Making sure the invalid pod failed")
 | 
				
			||||||
	ev, err := f.PodClient().WaitForErrorEventOrSuccess(invalidPod)
 | 
						ev, err := f.PodClient().WaitForErrorEventOrSuccess(invalidPod)
 | 
				
			||||||
	framework.ExpectNoError(err)
 | 
						framework.ExpectNoError(err)
 | 
				
			||||||
	if ev != nil && ev.Reason == sysctl.UnsupportedReason {
 | 
					 | 
				
			||||||
		e2eskipper.Skipf("No sysctl support in Docker <1.12")
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	framework.ExpectEqual(ev.Reason, sysctl.ForbiddenReason)
 | 
						framework.ExpectEqual(ev.Reason, sysctl.ForbiddenReason)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	return invalidPod
 | 
						return invalidPod
 | 
				
			||||||
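Review bot: `framework.ExpectEqual(ev.Reason, sysctl.ForbiddenReason)` at the end of this hunk dereferences `ev` with the only preceding nil check now removed; the event is expected to be nil when the pod is admitted (the Sysctls KubeDescribe tests earlier in this commit assert exactly that on the success path), so an invalid pod that is unexpectedly admitted would fail as a nil-pointer panic rather than a readable assertion. Suggest `gomega.Expect(ev).ToNot(gomega.BeNil())` before the ExpectEqual, as those tests do, or `if ev == nil { framework.Failf("expected a rejection event for the invalid pod") }` if gomega is not imported in this file. In the previous hunk, discarding the success-path event with `_, err :=` also drops the `Expect(ev).To(BeNil())` check the common tests keep; retaining `ev` and asserting it is nil would report the event reason instead of a later TestContainerOutput mismatch. Both enclosing functions start before their hunks.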
 
 | 
				
			|||||||