summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/source/markdown/podman-generate-kube.1.md6
-rw-r--r--libpod/kube.go11
-rw-r--r--libpod/network/netavark/run.go8
-rw-r--r--pkg/domain/infra/abi/generate.go8
-rw-r--r--pkg/specgenutil/util.go1
-rw-r--r--test/e2e/generate_kube_test.go1
6 files changed, 34 insertions, 1 deletions
diff --git a/docs/source/markdown/podman-generate-kube.1.md b/docs/source/markdown/podman-generate-kube.1.md
index 41545455e..3586341a9 100644
--- a/docs/source/markdown/podman-generate-kube.1.md
+++ b/docs/source/markdown/podman-generate-kube.1.md
@@ -19,6 +19,12 @@ Potential name conflicts between volumes are avoided by using a standard naming
Note that if an init container is created with type `once` and the pod has been started, the init container will not show up in the generated kube YAML as `once` type init containers are deleted after they are run. If the pod has only been created and not started, it will be in the generated kube YAML.
Init containers created with type `always` will always be generated in the kube YAML as they are never deleted, even after running to completion.
+*Note*: When using volumes and generating a Kubernetes YAML for an unprivileged and rootless podman container on an **SELinux enabled system**, one of the following options must be completed:
+ * Add the "privileged: true" option to the pod spec
+ * Add `type: spc_t` under the `securityContext` `seLinuxOptions` in the pod spec
+ * Relabel the volume via the CLI command `chcon -t container_file_t context -R <directory>`
+Once completed, the correct permissions will be in place to access the volume when the pod/container is created in a Kubernetes cluster.
+
Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1).
## OPTIONS
diff --git a/libpod/kube.go b/libpod/kube.go
index 850f2493c..351c49c9a 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -427,7 +427,9 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod,
hostNetwork := true
podDNS := v1.PodDNSConfig{}
kubeAnnotations := make(map[string]string)
+ ctrNames := make([]string, 0, len(ctrs))
for _, ctr := range ctrs {
+ ctrNames = append(ctrNames, strings.ReplaceAll(ctr.Name(), "_", ""))
// Convert auto-update labels into kube annotations
for k, v := range getAutoUpdateAnnotations(removeUnderscores(ctr.Name()), ctr.Labels()) {
kubeAnnotations[k] = v
@@ -484,8 +486,15 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container) (*v1.Pod,
}
} // end if ctrDNS
}
+ podName := strings.ReplaceAll(ctrs[0].Name(), "_", "")
+ // Check if the pod name and container name will end up conflicting
+ // Append _pod if so
+ if util.StringInSlice(podName, ctrNames) {
+ podName = podName + "_pod"
+ }
+
return newPodObject(
- strings.ReplaceAll(ctrs[0].Name(), "_", ""),
+ podName,
kubeAnnotations,
kubeInitCtrs,
kubeCtrs,
diff --git a/libpod/network/netavark/run.go b/libpod/network/netavark/run.go
index 54917a981..0ac20daee 100644
--- a/libpod/network/netavark/run.go
+++ b/libpod/network/netavark/run.go
@@ -55,7 +55,15 @@ func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions
result := map[string]types.StatusBlock{}
err = n.execNetavark([]string{"setup", namespacePath}, netavarkOpts, &result)
+ if err != nil {
+ // lets dealloc ips to prevent leaking
+ if err := n.deallocIPs(&options.NetworkOptions); err != nil {
+ logrus.Error(err)
+ }
+ return nil, err
+ }
+ // make sure that the result makes sense
if len(result) != len(options.Networks) {
logrus.Errorf("unexpected netavark result: %v", result)
return nil, fmt.Errorf("unexpected netavark result length, want (%d), got (%d) networks", len(options.Networks), len(result))
diff --git a/pkg/domain/infra/abi/generate.go b/pkg/domain/infra/abi/generate.go
index a4d6bcf86..0defa1923 100644
--- a/pkg/domain/infra/abi/generate.go
+++ b/pkg/domain/infra/abi/generate.go
@@ -124,6 +124,14 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string,
if err != nil {
return nil, err
}
+ if len(po.Spec.Volumes) != 0 {
+ warning := `
+# NOTE: If you generated this yaml from an unprivileged and rootless podman container on an SELinux
+# enabled system, check the podman generate kube man page for steps to follow to ensure that your pod/container
+# has the right permissions to access the volumes added.
+`
+ content = append(content, []byte(warning))
+ }
b, err := generateKubeYAML(libpod.ConvertV1PodToYAMLPod(po))
if err != nil {
return nil, err
diff --git a/pkg/specgenutil/util.go b/pkg/specgenutil/util.go
index 534374e71..6b564c60e 100644
--- a/pkg/specgenutil/util.go
+++ b/pkg/specgenutil/util.go
@@ -295,6 +295,7 @@ func CreateExitCommandArgs(storageConfig storageTypes.StoreOptions, config *conf
"--cgroup-manager", config.Engine.CgroupManager,
"--tmpdir", config.Engine.TmpDir,
"--cni-config-dir", config.Network.NetworkConfigDir,
+ "--network-backend", config.Network.NetworkBackend,
}
if config.Engine.OCIRuntime != "" {
command = append(command, []string{"--runtime", config.Engine.OCIRuntime}...)
diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
index cd382eba9..d95555068 100644
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
@@ -71,6 +71,7 @@ var _ = Describe("Podman generate kube", func() {
Expect(pod.Spec.DNSConfig).To(BeNil())
Expect(pod.Spec.Containers[0].WorkingDir).To(Equal(""))
Expect(pod.Spec.Containers[0].Env).To(BeNil())
+ Expect(pod.Name).To(Equal("top_pod"))
numContainers := 0
for range pod.Spec.Containers {