diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-09-08 16:23:37 +0200 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-09-08 22:08:50 +0200 |
| commit | ad63aa20db09b3d4b8f9d5312a0022e50c417341 (patch) | |
| tree | aa06c5cba5e0293661bbf4f1fa124b20a35ae47f /pkg | |
| parent | 6d8bafe57a65970ead17a83cb1983629b3a2aedb (diff) | |
| download | podman-ad63aa20db09b3d4b8f9d5312a0022e50c417341.tar.gz podman-ad63aa20db09b3d4b8f9d5312a0022e50c417341.tar.bz2 podman-ad63aa20db09b3d4b8f9d5312a0022e50c417341.zip | |
kube: plug HostUsers in the pod spec
map HostUsers=false to userns=auto.
One difference with the current implementation in the Kubelet is that
the podman default size is 1024 while the Kubelet uses 65536.
This is done on purpose, because 65536 is a problem for rootless as
the entire IDs space would be allocated to a single pod.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/domain/infra/abi/play.go | 5 | ||||
| -rw-r--r-- | pkg/k8s.io/api/core/v1/types.go | 12 |
2 files changed, 17 insertions, 0 deletions
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 12786afcd..57d795682 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -355,6 +355,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if options.Userns == "" { options.Userns = "host" + if podYAML.Spec.HostUsers != nil && !*podYAML.Spec.HostUsers { + options.Userns = "auto" + } + } else if podYAML.Spec.HostUsers != nil { + logrus.Info("overriding the user namespace mode in the pod spec") } // Validate the userns modes supported. diff --git a/pkg/k8s.io/api/core/v1/types.go b/pkg/k8s.io/api/core/v1/types.go index d47178878..6f20cd351 100644 --- a/pkg/k8s.io/api/core/v1/types.go +++ b/pkg/k8s.io/api/core/v1/types.go @@ -1984,6 +1984,18 @@ type PodSpec struct { // Default to false. // +optional SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty"` + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. + // +k8s:conversion-gen=false + // +optional + HostUsers *bool `json:"hostUsers,omitempty"` } type UnsatisfiableConstraintAction string |