diff options
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/api/server/register_containers.go | 7 | ||||
| -rw-r--r-- | pkg/domain/entities/engine.go | 1 | ||||
| -rw-r--r-- | pkg/domain/infra/abi/play.go | 5 | ||||
| -rw-r--r-- | pkg/k8s.io/api/core/v1/types.go | 12 | ||||
| -rw-r--r-- | pkg/specgen/generate/validate.go | 16 |
5 files changed, 34 insertions, 7 deletions
diff --git a/pkg/api/server/register_containers.go b/pkg/api/server/register_containers.go index 7e9c02816..311eecd17 100644 --- a/pkg/api/server/register_containers.go +++ b/pkg/api/server/register_containers.go @@ -897,7 +897,7 @@ func (s *APIServer) registerContainersHandlers(r *mux.Router) error { // - in: query // name: signal // type: string - // default: TERM + // default: SIGKILL // description: signal to be sent to container, either by integer or SIG_ name // produces: // - application/json @@ -1291,11 +1291,6 @@ func (s *APIServer) registerContainersHandlers(r *mux.Router) error { // required: true // description: the name or ID of the container // - in: query - // name: all - // type: boolean - // default: false - // description: Stop all containers - // - in: query // name: timeout // type: integer // default: 10 diff --git a/pkg/domain/entities/engine.go b/pkg/domain/entities/engine.go index c1a4ffdf3..a69cf5111 100644 --- a/pkg/domain/entities/engine.go +++ b/pkg/domain/entities/engine.go @@ -33,6 +33,7 @@ type PodmanConfig struct { *config.Config *pflag.FlagSet + DockerConfig string // Used for Docker compatibility CgroupUsage string // rootless code determines Usage message ConmonPath string // --conmon flag will set Engine.ConmonPath CPUProfile string // Hidden: Should CPU profile be taken diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 12786afcd..57d795682 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -355,6 +355,11 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if options.Userns == "" { options.Userns = "host" + if podYAML.Spec.HostUsers != nil && !*podYAML.Spec.HostUsers { + options.Userns = "auto" + } + } else if podYAML.Spec.HostUsers != nil { + logrus.Info("overriding the user namespace mode in the pod spec") } // Validate the userns modes supported. diff --git a/pkg/k8s.io/api/core/v1/types.go b/pkg/k8s.io/api/core/v1/types.go index d47178878..6f20cd351 100644 --- a/pkg/k8s.io/api/core/v1/types.go +++ b/pkg/k8s.io/api/core/v1/types.go @@ -1984,6 +1984,18 @@ type PodSpec struct { // Default to false. // +optional SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty"` + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. + // +k8s:conversion-gen=false + // +optional + HostUsers *bool `json:"hostUsers,omitempty"` } type UnsatisfiableConstraintAction string diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go index 3c5d5fb96..e9ebdfce3 100644 --- a/pkg/specgen/generate/validate.go +++ b/pkg/specgen/generate/validate.go @@ -82,7 +82,7 @@ func verifyContainerResourcesCgroupV1(s *specgen.SpecGenerator) ([]string, error } } - // CPU Checks + // CPU checks if s.ResourceLimits.CPU != nil { cpu := s.ResourceLimits.CPU if cpu.Shares != nil && !sysInfo.CPUShares { @@ -169,6 +169,7 @@ func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error return warnings, nil } + // Memory checks if s.ResourceLimits.Memory != nil && s.ResourceLimits.Memory.Swap != nil { own, err := utils.GetOwnCgroup() if err != nil { @@ -198,6 +199,19 @@ func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error s.ResourceLimits.Memory.Swap = nil } } + + // CPU checks + if s.ResourceLimits.CPU != nil { + cpu := s.ResourceLimits.CPU + if cpu.RealtimePeriod != nil { + warnings = append(warnings, "Realtime period not supported on cgroups V2 systems") + cpu.RealtimePeriod = nil + } + if cpu.RealtimeRuntime != nil { + warnings = append(warnings, "Realtime runtime not supported on cgroups V2 systems") + cpu.RealtimeRuntime = nil + } + } return warnings, nil } |