summaryrefslogtreecommitdiff
path: root/pkg/domain
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2022-05-06 20:35:17 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2022-05-10 16:51:01 +0200
commit0774a4ce131754b282443e85cc77c308123ef9c0 (patch)
treef5c93b3cc9ce18bb91c1cdc90e223973ba4f5d7c /pkg/domain
parent18713f589c1ed9144d873f2656f2067ebf6f3ba2 (diff)
downloadpodman-0774a4ce131754b282443e85cc77c308123ef9c0.tar.gz
podman-0774a4ce131754b282443e85cc77c308123ef9c0.tar.bz2
podman-0774a4ce131754b282443e85cc77c308123ef9c0.zip
kube: add support for --userns=
add support to override the user namespace to use for the pod. Closes: https://github.com/containers/podman/issues/7504 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/domain')
-rw-r--r--pkg/domain/entities/play.go2
-rw-r--r--pkg/domain/infra/abi/play.go13
-rw-r--r--pkg/domain/infra/tunnel/play.go2
3 files changed, 16 insertions, 1 deletions
diff --git a/pkg/domain/entities/play.go b/pkg/domain/entities/play.go
index c9dc3f08c..bf7c33f2b 100644
--- a/pkg/domain/entities/play.go
+++ b/pkg/domain/entities/play.go
@@ -54,6 +54,8 @@ type PlayKubeOptions struct {
LogOptions []string
// Start - don't start the pod if false
Start types.OptionalBool
+ // Userns - define the user namespace to use.
+ Userns string
}
// PlayKubePod represents a single pod and associated containers created by play kube
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index f44b46a6d..019361694 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -222,6 +222,16 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
podOpt.Net.NetworkOptions = netOpts
}
+ if options.Userns == "" {
+ options.Userns = "host"
+ }
+
+ // Validate the userns modes supported.
+ podOpt.Userns, err = specgen.ParseUserNamespace(options.Userns)
+ if err != nil {
+ return nil, err
+ }
+
// FIXME This is very hard to support properly with a good ux
if len(options.StaticIPs) > *ipIndex {
if !podOpt.Net.Network.IsBridge() {
@@ -352,6 +362,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
infraImage := util.DefaultContainerConfig().Engine.InfraImage
infraOptions := entities.NewInfraContainerCreateOptions()
infraOptions.Hostname = podSpec.PodSpecGen.PodBasicConfig.Hostname
+ infraOptions.UserNS = options.Userns
podSpec.PodSpecGen.InfraImage = infraImage
podSpec.PodSpecGen.NoInfra = false
podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(infraImage, false)
@@ -428,6 +439,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
RestartPolicy: ctrRestartPolicy,
SeccompPaths: seccompPaths,
SecretsManager: secretsManager,
+ UserNSIsHost: p.Userns.IsHost(),
Volumes: volumes,
}
specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
@@ -476,6 +488,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
RestartPolicy: ctrRestartPolicy,
SeccompPaths: seccompPaths,
SecretsManager: secretsManager,
+ UserNSIsHost: p.Userns.IsHost(),
Volumes: volumes,
}
specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
diff --git a/pkg/domain/infra/tunnel/play.go b/pkg/domain/infra/tunnel/play.go
index d9637254a..d731a1d6c 100644
--- a/pkg/domain/infra/tunnel/play.go
+++ b/pkg/domain/infra/tunnel/play.go
@@ -20,7 +20,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, opts en
if opts.Annotations != nil {
options.WithAnnotations(opts.Annotations)
}
- options.WithNoHosts(opts.NoHosts)
+ options.WithNoHosts(opts.NoHosts).WithUserns(opts.Userns)
if s := opts.SkipTLSVerify; s != types.OptionalBoolUndefined {
options.WithSkipTLSVerify(s == types.OptionalBoolTrue)
}