authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-05-10 09:12:54 -0400
committerGitHub <noreply@github.com>2021-05-10 09:12:54 -0400
commit195895eb7e1924b7dcf049ca5067f35795f74595 (patch)
tree911bfd82a077d6afd179c61ae4c1601a82081497
parent9e0aa474a97b59c8540b5c9316fe98220d713d06 (diff)
parent14a1a4546c9d3adc28ad082e97be893e41b29ce2 (diff)
Merge pull request #10268 from flouthoc/kube-default-shared-namespace
Kube like pods should share ipc,net,uts by default
-rw-r--r--pkg/specgen/generate/kube/kube.go4
-rw-r--r--test/e2e/play_kube_test.go56
2 files changed, 60 insertions, 0 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index ccce3edba..4e41061a5 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -23,6 +23,10 @@ func ToPodGen(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec)
p := specgen.NewPodSpecGenerator()
p.Name = podName
p.Labels = podYAML.ObjectMeta.Labels
+ // Kube pods must share {ipc, net, uts} by default
+ p.SharedNamespaces = append(p.SharedNamespaces, "ipc")
+ p.SharedNamespaces = append(p.SharedNamespaces, "net")
+ p.SharedNamespaces = append(p.SharedNamespaces, "uts")
// TODO we only configure Process namespace. We also need to account for Host{IPC,Network,PID}
// which is not currently possible with pod create
if podYAML.Spec.ShareProcessNamespace != nil && *podYAML.Spec.ShareProcessNamespace {
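Review bot: The three appends on the added lines can be one variadic call, `p.SharedNamespaces = append(p.SharedNamespaces, "ipc", "net", "uts")`. The added comment says "by default", but the code shares these namespaces unconditionally whatever the YAML asks for, so I would reword it to `// Kubernetes pod semantics: containers in a pod always share the ipc, net and uts namespaces` so the next reader does not go looking for an override. If NewPodSpecGenerator already seeds SharedNamespaces with any of these entries they would now be listed twice — worth confirming against that constructor. The existing TODO just below still applies: hostIPC/hostNetwork in the YAML are not consulted, so a spec that requests host networking presumably ends up with a pod-private net namespace instead, which is a user-visible difference worth a line in the TODO or the commit message. ToPodGen continues outside the hunk.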
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 3908d4075..e0af27f7a 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -28,6 +28,44 @@ metadata:
spec:
hostname: unknown
`
+var sharedNamespacePodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: "2021-05-07T17:25:01Z"
+ labels:
+ app: testpod1
+ name: testpod1
+spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ - name: HOSTNAME
+ value: label-pod
+ image: quay.io/libpod/alpine:latest
+ name: alpine
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ privileged: false
+ readOnlyRootFilesystem: false
+ seLinuxOptions: {}
+ workingDir: /
+ dnsConfig: {}
+ restartPolicy: Never
+ shareProcessNamespace: true
+status: {}
+`
var selinuxLabelPodYaml = `
apiVersion: v1
@@ -1004,6 +1042,24 @@ var _ = Describe("Podman play kube", func() {
Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
})
+ It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
+ SkipIfRootless("Requires root priviledges for sharing few namespaces")
+ err := writeYaml(sharedNamespacePodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "testpod1", "--format", "'{{ .SharedNamespaces }}'"})
+ inspect.WaitWithDefaultTimeout()
+ sharednamespaces := inspect.OutputToString()
+ Expect(sharednamespaces).To(ContainSubstring("ipc"))
+ Expect(sharednamespaces).To(ContainSubstring("net"))
+ Expect(sharednamespaces).To(ContainSubstring("uts"))
+ Expect(sharednamespaces).To(ContainSubstring("pid"))
+ })
+
It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil())