cri: add annotations for pod name and namespace

alban · alban · commit 28e4fb25f402 · 2021-01-26T12:10:39.000+01:00
cri-o has annotations for pod name, namespace and container name: https://github.com/containers/podman/blob/master/pkg/annotations/annotations.go But so far containerd had only the container name. This patch will be useful for seccomp agents to have a different behaviour depending on the pod (see runtime-spec PR 1074 and runc PR 2682). This should simplify the code in: https://github.com/kinvolk/seccompagent/blob/b2d423695d6dfc976d2456769acb19765a9d7524/pkg/kuberesolver/kuberesolver.go#L16-L27 Signed-off-by: Alban Crequy <alban@kinvolk.io>
diff --git a/pkg/cri/annotations/annotations.go b/pkg/cri/annotations/annotations.go
@@ -45,6 +45,12 @@ const (
 	// workload can only run on dedicated runtime for untrusted workload.
 	UntrustedWorkload = "io.kubernetes.cri.untrusted-workload"
 
-	// containerName is the name of the container in the pod
+	// SandboxNamespace is the name of the namespace of the sandbox (pod)
+	SandboxNamespace = "io.kubernetes.cri.sandbox-namespace"
+
+	// SandboxName is the name of the sandbox (pod)
+	SandboxName = "io.kubernetes.cri.sandbox-name"
+
+	// ContainerName is the name of the container in the pod
 	ContainerName = "io.kubernetes.cri.container-name"
 )
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -260,6 +260,8 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		customopts.WithSupplementalGroups(supplementalGroups),
 		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),
 		customopts.WithAnnotation(annotations.SandboxID, sandboxID),
+		customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()),
+		customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.ContainerName, containerName),
 	)
 	// cgroupns is used for hiding /sys/fs/cgroup from containers.
diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
@@ -174,6 +174,12 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 
 		assert.Contains(t, spec.Annotations, annotations.ContainerType)
 		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeContainer)
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns")
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxName)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")
 	}
 	return config, sandboxConfig, imageConfig, specCheck
 }
diff --git a/pkg/cri/server/container_create_windows.go b/pkg/cri/server/container_create_windows.go
@@ -106,6 +106,8 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 	specOpts = append(specOpts,
 		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),
 		customopts.WithAnnotation(annotations.SandboxID, sandboxID),
+		customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()),
+		customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.ContainerName, containerName),
 	)
 	return c.runtimeSpec(id, ociRuntime.BaseRuntimeSpec, specOpts...)
diff --git a/pkg/cri/server/container_create_windows_test.go b/pkg/cri/server/container_create_windows_test.go
@@ -126,6 +126,12 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 
 		assert.Contains(t, spec.Annotations, annotations.ContainerType)
 		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeContainer)
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns")
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxName)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")
 	}
 	return config, sandboxConfig, imageConfig, specCheck
 }
diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
@@ -151,6 +151,8 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 	specOpts = append(specOpts,
 		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox),
 		customopts.WithAnnotation(annotations.SandboxID, id),
+		customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()),
+		customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),
 	)
 
diff --git a/pkg/cri/server/sandbox_run_linux_test.go b/pkg/cri/server/sandbox_run_linux_test.go
@@ -73,6 +73,12 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 		assert.Contains(t, spec.Annotations, annotations.ContainerType)
 		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeSandbox)
 
+		assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-ns")
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxName)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-name")
+
 		assert.Contains(t, spec.Annotations, annotations.SandboxLogDir)
 		assert.EqualValues(t, spec.Annotations[annotations.SandboxLogDir], "test-log-directory")
 
diff --git a/pkg/cri/server/sandbox_run_windows.go b/pkg/cri/server/sandbox_run_windows.go
@@ -64,6 +64,8 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 	specOpts = append(specOpts,
 		customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox),
 		customopts.WithAnnotation(annotations.SandboxID, id),
+		customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()),
+		customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),
 	)
 
diff --git a/pkg/cri/server/sandbox_run_windows_test.go b/pkg/cri/server/sandbox_run_windows_test.go
@@ -64,6 +64,12 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 		assert.Contains(t, spec.Annotations, annotations.ContainerType)
 		assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeSandbox)
 
+		assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-ns")
+
+		assert.Contains(t, spec.Annotations, annotations.SandboxName)
+		assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-name")
+
 		assert.Contains(t, spec.Annotations, annotations.SandboxLogDir)
 		assert.EqualValues(t, spec.Annotations[annotations.SandboxLogDir], "test-log-directory")
 	}

Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,8 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3`
`260`	`260`	`customopts.WithSupplementalGroups(supplementalGroups),`
`261`	`261`	`customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),`
`262`	`262`	`customopts.WithAnnotation(annotations.SandboxID, sandboxID),`
	`263`	`+ customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()),`
	`264`	`+ customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()),`
`263`	`265`	`customopts.WithAnnotation(annotations.ContainerName, containerName),`
`264`	`266`	`)`
`265`	`267`	`// cgroupns is used for hiding /sys/fs/cgroup from containers.`
Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,12 @@ func getCreateContainerTestData() (runtime.ContainerConfig, runtime.PodSandbox`
`174`	`174`
`175`	`175`	`assert.Contains(t, spec.Annotations, annotations.ContainerType)`
`176`	`176`	`assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeContainer)`
	`177`	`+`
	`178`	`+ assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)`
	`179`	`+ assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns")`
	`180`	`+`
	`181`	`+ assert.Contains(t, spec.Annotations, annotations.SandboxName)`
	`182`	`+ assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")`
`177`	`183`	`}`
`178`	`184`	`return config, sandboxConfig, imageConfig, specCheck`
`179`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,8 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3`
`106`	`106`	`specOpts = append(specOpts,`
`107`	`107`	`customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),`
`108`	`108`	`customopts.WithAnnotation(annotations.SandboxID, sandboxID),`
	`109`	`+ customopts.WithAnnotation(annotations.SandboxNamespace, sandboxConfig.GetMetadata().GetNamespace()),`
	`110`	`+ customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()),`
`109`	`111`	`customopts.WithAnnotation(annotations.ContainerName, containerName),`
`110`	`112`	`)`
`111`	`113`	`return c.runtimeSpec(id, ociRuntime.BaseRuntimeSpec, specOpts...)`
Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,12 @@ func getCreateContainerTestData() (runtime.ContainerConfig, runtime.PodSandbox`
`126`	`126`
`127`	`127`	`assert.Contains(t, spec.Annotations, annotations.ContainerType)`
`128`	`128`	`assert.EqualValues(t, spec.Annotations[annotations.ContainerType], annotations.ContainerTypeContainer)`
	`129`	`+`
	`130`	`+ assert.Contains(t, spec.Annotations, annotations.SandboxNamespace)`
	`131`	`+ assert.EqualValues(t, spec.Annotations[annotations.SandboxNamespace], "test-sandbox-ns")`
	`132`	`+`
	`133`	`+ assert.Contains(t, spec.Annotations, annotations.SandboxName)`
	`134`	`+ assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")`
`129`	`135`	`}`
`130`	`136`	`return config, sandboxConfig, imageConfig, specCheck`
`131`	`137`	`}`
Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,8 @@ func (c criService) sandboxContainerSpec(id string, config runtime.PodSandboxC`
`151`	`151`	`specOpts = append(specOpts,`
`152`	`152`	`customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox),`
`153`	`153`	`customopts.WithAnnotation(annotations.SandboxID, id),`
	`154`	`+ customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()),`
	`155`	`+ customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()),`
`154`	`156`	`customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),`
`155`	`157`	`)`
`156`	`158`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,8 @@ func (c criService) sandboxContainerSpec(id string, config runtime.PodSandboxC`
`64`	`64`	`specOpts = append(specOpts,`
`65`	`65`	`customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox),`
`66`	`66`	`customopts.WithAnnotation(annotations.SandboxID, id),`
	`67`	`+ customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()),`
	`68`	`+ customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()),`
`67`	`69`	`customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),`
`68`	`70`	`)`
`69`	`71`