Added windows hostProcess cni skip

perithompson · perithompson · commit 79b369a0bb9d · 2021-08-11T22:23:49.000+01:00
Signed-off-by: Peri Thompson &lt;perit@vmware.com&gt;
diff --git a/pkg/cri/annotations/annotations.go b/pkg/cri/annotations/annotations.go
@@ -59,4 +59,7 @@ const (
 
 	// PodAnnotations are the annotations of the pod
 	PodAnnotations = "io.kubernetes.cri.pod-annotations"
+
+	// WindowsHostProcess is used by hcsshim to identify windows pods that are running HostProcesses
+	WindowsHostProcess = "microsoft.com/hostprocess-container"
 )
diff --git a/pkg/cri/server/container_create_windows.go b/pkg/cri/server/container_create_windows.go
@@ -17,6 +17,8 @@
 package server
 
 import (
+	"strconv"
+
 	"github.com/containerd/containerd/oci"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -118,6 +120,7 @@ func (c *criService) containerSpec(
 		customopts.WithAnnotation(annotations.SandboxName, sandboxConfig.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.ContainerName, containerName),
 		customopts.WithAnnotation(annotations.ImageName, imageName),
+		customopts.WithAnnotation(annotations.WindowsHostProcess, strconv.FormatBool(sandboxConfig.GetWindows().GetSecurityContext().GetHostProcess())),
 	)
 	return c.runtimeSpec(id, ociRuntime.BaseRuntimeSpec, specOpts...)
 }
diff --git a/pkg/cri/server/container_create_windows_test.go b/pkg/cri/server/container_create_windows_test.go
@@ -72,6 +72,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 			SecurityContext: &runtime.WindowsContainerSecurityContext{
 				RunAsUsername:  "test-user",
 				CredentialSpec: "{\"test\": \"spec\"}",
+				HostProcess:    false,
 			},
 		},
 	}
@@ -130,6 +131,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 
 		assert.Contains(t, spec.Annotations, annotations.SandboxName)
 		assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")
+
+		assert.Contains(t, spec.Annotations, annotations.WindowsHostProcess)
+		assert.EqualValues(t, spec.Annotations[annotations.WindowsHostProcess], "false")
 	}
 	return config, sandboxConfig, imageConfig, specCheck
 }
diff --git a/pkg/cri/server/restart.go b/pkg/cri/server/restart.go
@@ -414,6 +414,9 @@ func (c *criService) loadSandbox(ctx context.Context, cntr containerd.Container)
 		// Don't need to load netns for host network sandbox.
 		return sandbox, nil
 	}
+	if goruntime.GOOS == "windows" && meta.Config.GetWindows().GetSecurityContext().GetHostProcess() {
+		return sandbox, nil
+	}
 	sandbox.NetNS = netns.LoadNetNS(meta.NetNSPath)
 
 	// It doesn't matter whether task is running or not. If it is running, sandbox
diff --git a/pkg/cri/server/sandbox_run.go b/pkg/cri/server/sandbox_run.go
@@ -110,12 +110,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 	log.G(ctx).Debugf("Use OCI %+v for sandbox %q", ociRuntime, id)
 
 	podNetwork := true
-	// Pod network is always needed on windows.
+
 	if goruntime.GOOS != "windows" &&
 		config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtime.NamespaceMode_NODE {
 		// Pod network is not needed on linux with host network.
 		podNetwork = false
 	}
+	if goruntime.GOOS == "windows" &&
+		config.GetWindows().GetSecurityContext().GetHostProcess() {
+		//Windows HostProcess pods can only run on the host network
+		podNetwork = false
+	}
+
 	if podNetwork {
 		// If it is not in host network namespace then create a namespace and set the sandbox
 		// handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network
diff --git a/pkg/cri/server/sandbox_run_windows.go b/pkg/cri/server/sandbox_run_windows.go
@@ -17,6 +17,8 @@
 package server
 
 import (
+	"strconv"
+
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/oci"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -65,6 +67,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 		customopts.WithAnnotation(annotations.SandboxNamespace, config.GetMetadata().GetNamespace()),
 		customopts.WithAnnotation(annotations.SandboxName, config.GetMetadata().GetName()),
 		customopts.WithAnnotation(annotations.SandboxLogDir, config.GetLogDirectory()),
+		customopts.WithAnnotation(annotations.WindowsHostProcess, strconv.FormatBool(config.GetWindows().GetSecurityContext().GetHostProcess())),
 	)
 
 	return c.runtimeSpec(id, "", specOpts...)
diff --git a/pkg/cri/server/sandbox_run_windows_test.go b/pkg/cri/server/sandbox_run_windows_test.go
@@ -40,6 +40,13 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 		LogDirectory: "test-log-directory",
 		Labels:       map[string]string{"a": "b"},
 		Annotations:  map[string]string{"c": "d"},
+		Windows: &runtime.WindowsPodSandboxConfig{
+			SecurityContext: &runtime.WindowsSandboxSecurityContext{
+				RunAsUsername:  "test-user",
+				CredentialSpec: "{\"test\": \"spec\"}",
+				HostProcess:    false,
+			},
+		},
 	}
 	imageConfig := &imagespec.ImageConfig{
 		Env:        []string{"a=b", "c=d"},
@@ -70,6 +77,9 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 
 		assert.Contains(t, spec.Annotations, annotations.SandboxLogDir)
 		assert.EqualValues(t, spec.Annotations[annotations.SandboxLogDir], "test-log-directory")
+
+		assert.Contains(t, spec.Annotations, annotations.WindowsHostProcess)
+		assert.EqualValues(t, spec.Annotations[annotations.WindowsHostProcess], "false")
 	}
 	return config, imageConfig, specCheck
 }
diff --git a/pkg/cri/server/sandbox_status.go b/pkg/cri/server/sandbox_status.go
@@ -76,6 +76,9 @@ func (c *criService) getIPs(sandbox sandboxstore.Sandbox) (string, []string, err
 		// responsible for reporting the IP.
 		return "", nil, nil
 	}
+	if goruntime.GOOS == "windows" && config.GetWindows().GetSecurityContext().GetHostProcess() {
+		return "", nil, nil
+	}
 
 	if closed, err := sandbox.NetNS.Closed(); err != nil {
 		return "", nil, errors.Wrap(err, "check network namespace closed")

Original file line number	Diff line number	Diff line change
`@@ -59,4 +59,7 @@ const (`
`59`	`59`
`60`	`60`	`// PodAnnotations are the annotations of the pod`
`61`	`61`	`PodAnnotations = "io.kubernetes.cri.pod-annotations"`
	`62`	`+`
	`63`	`+ // WindowsHostProcess is used by hcsshim to identify windows pods that are running HostProcesses`
	`64`	`+ WindowsHostProcess = "microsoft.com/hostprocess-container"`
`62`	`65`	`)`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ func getCreateContainerTestData() (runtime.ContainerConfig, runtime.PodSandbox`
`72`	`72`	`SecurityContext: &runtime.WindowsContainerSecurityContext{`
`73`	`73`	`RunAsUsername: "test-user",`
`74`	`74`	`CredentialSpec: "{\"test\": \"spec\"}",`
	`75`	`+ HostProcess: false,`
`75`	`76`	`},`
`76`	`77`	`},`
`77`	`78`	`}`
`@@ -130,6 +131,9 @@ func getCreateContainerTestData() (runtime.ContainerConfig, runtime.PodSandbox`
`130`	`131`
`131`	`132`	`assert.Contains(t, spec.Annotations, annotations.SandboxName)`
`132`	`133`	`assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")`
	`134`	`+`
	`135`	`+ assert.Contains(t, spec.Annotations, annotations.WindowsHostProcess)`
	`136`	`+ assert.EqualValues(t, spec.Annotations[annotations.WindowsHostProcess], "false")`
`133`	`137`	`}`
`134`	`138`	`return config, sandboxConfig, imageConfig, specCheck`
`135`	`139`	`}`
Original file line number	Diff line number	Diff line change
`@@ -414,6 +414,9 @@ func (c *criService) loadSandbox(ctx context.Context, cntr containerd.Container)`
`414`	`414`	`// Don't need to load netns for host network sandbox.`
`415`	`415`	`return sandbox, nil`
`416`	`416`	`}`
	`417`	`+ if goruntime.GOOS == "windows" && meta.Config.GetWindows().GetSecurityContext().GetHostProcess() {`
	`418`	`+ return sandbox, nil`
	`419`	`+ }`
`417`	`420`	`sandbox.NetNS = netns.LoadNetNS(meta.NetNSPath)`
`418`	`421`
`419`	`422`	`// It doesn't matter whether task is running or not. If it is running, sandbox`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,9 @@ func (c *criService) getIPs(sandbox sandboxstore.Sandbox) (string, []string, err`
`76`	`76`	`// responsible for reporting the IP.`
`77`	`77`	`return "", nil, nil`
`78`	`78`	`}`
	`79`	`+ if goruntime.GOOS == "windows" && config.GetWindows().GetSecurityContext().GetHostProcess() {`
	`80`	`+ return "", nil, nil`
	`81`	`+ }`
`79`	`82`
`80`	`83`	`if closed, err := sandbox.NetNS.Closed(); err != nil {`
`81`	`84`	`return "", nil, errors.Wrap(err, "check network namespace closed")`