diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-05-06 20:35:17 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-05-10 16:51:01 +0200 |
commit | 0774a4ce131754b282443e85cc77c308123ef9c0 (patch) | |
tree | f5c93b3cc9ce18bb91c1cdc90e223973ba4f5d7c /pkg/domain | |
parent | 18713f589c1ed9144d873f2656f2067ebf6f3ba2 (diff) | |
download | podman-0774a4ce131754b282443e85cc77c308123ef9c0.tar.gz podman-0774a4ce131754b282443e85cc77c308123ef9c0.tar.bz2 podman-0774a4ce131754b282443e85cc77c308123ef9c0.zip |
kube: add support for --userns=
add support to override the user namespace to use for the pod.
Closes: https://github.com/containers/podman/issues/7504
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/domain')
-rw-r--r-- | pkg/domain/entities/play.go | 2 | ||||
-rw-r--r-- | pkg/domain/infra/abi/play.go | 13 | ||||
-rw-r--r-- | pkg/domain/infra/tunnel/play.go | 2 |
3 files changed, 16 insertions, 1 deletions
diff --git a/pkg/domain/entities/play.go b/pkg/domain/entities/play.go index c9dc3f08c..bf7c33f2b 100644 --- a/pkg/domain/entities/play.go +++ b/pkg/domain/entities/play.go @@ -54,6 +54,8 @@ type PlayKubeOptions struct { LogOptions []string // Start - don't start the pod if false Start types.OptionalBool + // Userns - define the user namespace to use. + Userns string } // PlayKubePod represents a single pod and associated containers created by play kube diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index f44b46a6d..019361694 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -222,6 +222,16 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY podOpt.Net.NetworkOptions = netOpts } + if options.Userns == "" { + options.Userns = "host" + } + + // Validate the userns modes supported. + podOpt.Userns, err = specgen.ParseUserNamespace(options.Userns) + if err != nil { + return nil, err + } + // FIXME This is very hard to support properly with a good ux if len(options.StaticIPs) > *ipIndex { if !podOpt.Net.Network.IsBridge() { @@ -352,6 +362,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY infraImage := util.DefaultContainerConfig().Engine.InfraImage infraOptions := entities.NewInfraContainerCreateOptions() infraOptions.Hostname = podSpec.PodSpecGen.PodBasicConfig.Hostname + infraOptions.UserNS = options.Userns podSpec.PodSpecGen.InfraImage = infraImage podSpec.PodSpecGen.NoInfra = false podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(infraImage, false) @@ -428,6 +439,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY RestartPolicy: ctrRestartPolicy, SeccompPaths: seccompPaths, SecretsManager: secretsManager, + UserNSIsHost: p.Userns.IsHost(), Volumes: volumes, } specGen, err := kube.ToSpecGen(ctx, &specgenOpts) @@ -476,6 +488,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY RestartPolicy: ctrRestartPolicy, SeccompPaths: seccompPaths, SecretsManager: secretsManager, + UserNSIsHost: p.Userns.IsHost(), Volumes: volumes, } specGen, err := kube.ToSpecGen(ctx, &specgenOpts) diff --git a/pkg/domain/infra/tunnel/play.go b/pkg/domain/infra/tunnel/play.go index d9637254a..d731a1d6c 100644 --- a/pkg/domain/infra/tunnel/play.go +++ b/pkg/domain/infra/tunnel/play.go @@ -20,7 +20,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, opts en if opts.Annotations != nil { options.WithAnnotations(opts.Annotations) } - options.WithNoHosts(opts.NoHosts) + options.WithNoHosts(opts.NoHosts).WithUserns(opts.Userns) if s := opts.SkipTLSVerify; s != types.OptionalBoolUndefined { options.WithSkipTLSVerify(s == types.OptionalBoolTrue) } |