Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Promote sysctl annotations to fields #63717

Merged
merged 4 commits into from
Jun 6, 2018
Merged

Promote sysctl annotations to fields #63717

merged 4 commits into from
Jun 6, 2018

Conversation

ingvagabund
Copy link
Contributor

@ingvagabund ingvagabund commented May 11, 2018
edited by liggitt
Loading

What this PR does / why we need it:

Promoting experimental sysctl feature from annotations to API fields.

Special notes for your reviewer:

Following sysctl KEP: kubernetes/community#2093

Release note:

The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective.

TODO:

  • - Promote sysctl annotation in Pod spec
  • - Promote sysctl annotation in PodSecuritySpec spec
  • - Feature gate the sysctl
  • - Promote from alpha to beta
  • - docs PR - Promote sysctls to Beta website#8804

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 11, 2018
@k8s-github-robot k8s-github-robot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label May 11, 2018
@ingvagabund ingvagabund mentioned this pull request May 11, 2018
Closed
20 tasks
@ingvagabund ingvagabund requested a review from sttts May 11, 2018 16:13
sttts
sttts reviewed May 11, 2018
View reviewed changes
staging/src/k8s.io/api/extensions/v1beta1/types.go Outdated
// Sysctls is a white list of allowed sysctls in a pod spec. Each entry
// is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls.
Sysctls []string `json:"sysctls,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

proto tags are missing

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they got added automatically in the generation commit, but having them in this commit makes them easier to review

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved from the generated code.

php-coder
php-coder reviewed May 11, 2018
View reviewed changes
staging/src/k8s.io/api/core/v1/types.go Outdated
@@ -5001,6 +5005,8 @@ type Sysctl struct {
Name string `protobuf:"bytes,1,opt,name=name"`
// Value of a property to set
Value string `protobuf:"bytes,2,opt,name=value"`
//
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It shouldn't be empty, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

php-coder
php-coder reviewed May 11, 2018
View reviewed changes
staging/src/k8s.io/api/extensions/v1beta1/types.go Outdated
@@ -946,6 +946,10 @@ type PodSecurityPolicySpec struct {
// is allowed in the "volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
// Sysctls is a white list of allowed sysctls in a pod spec. Each entry
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we don't support old annotations, perhaps, we don't have to support PSP in the extensions API Group?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the semantics of empty lists vs. nil in the annotations? Does empty list mean "no sysctls allowed at all" vs. nil "use the default set" ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original functionality is respected. So

  • If the list is empty -> No sysctls are allowed
  • If the list is nil -> Use the default sysctls patterns

Copy link
Contributor Author

@ingvagabund ingvagabund May 14, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

Done

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nil/empty distinction is lost when roundtripping via serialized protobuf, and makes for a fairly confusing API

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nil/empty distinction is lost

Don't we test this in roundtrip tests? We should.

If we change the API semantics (I don't feel strongly, I tend to agree that it is confusing), we should doc that. Do we want to?

php-coder
php-coder reviewed May 11, 2018
View reviewed changes
staging/src/k8s.io/api/policy/v1beta1/types.go Outdated
@@ -201,6 +201,10 @@ type PodSecurityPolicySpec struct {
// is allowed in the "volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
// Sysctls is a white list of allowed sysctls in a pod spec. Each entry
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@ncdc
Copy link
Member

ncdc commented May 11, 2018

/uncc

@k8s-ci-robot k8s-ci-robot removed the request for review from ncdc May 11, 2018 18:22
@ingvagabund
Copy link
Contributor Author

ingvagabund commented May 12, 2018
edited
Loading 

Expected
    <string>: kernel.shm_rmid_forced = 0
    
to contain substring
    <string>: kernel.shm_rmid_forced = 1

Hmm, for some reason the pod.securityContext.Sysctl list is not decoded correctly. The body before decoding in the apiserver:

k8s\x00\n\t\n\x02v1\x12\x03Pod\x12\xe8\x01\n=\n+sysctl-fff5b3b8-562c-11e8-8c1d-507b9deefa09\x12\x00\x1a\x00\"\x00*\x002\x008\x00B\x00z\x00\x12\x96\x01\x12R\n\x0etest-container\x12\abusybox\x1a\v/bin/sysctl\x1a\x16kernel.shm_rmid_forced*\x00B\x00j\x00r\x00\x80\x01\x00\x88\x01\x00\x90\x01\x00\xa2\x01\x00\x1a\x05Never2\x00B\x00J\x00R\x00X\x00`\x00h\x00r\x1f:\x1d\n\x16kernel.shm_rmid_forced\x12\x011\x18\x00\x82\x01\x00\x8a\x01\x00\x9a\x01\x00\xc2\x01\x00\x1a\x0e\n\x00\x1a\x00\"\x00*\x002\x00J\x00Z\x00\x1a\x00\"\x00

Once can notice the kernel.shm_rmid_forced string is contained twice. One corresponding to the command, the other one to the sysctl.

After decoding the Sysctls:[]core.Sysctl(nil)

EDIT: So the byte stream is properly unmarshalled into v1.Pod. Though, v1.Pod -> core.Pod drops the Sysctls :-|

EDIT2. Grrr, forgot to update Convert_core_PodSecurityContext_To_v1_PodSecurityContext and Convert_v1_PodSecurityContext_To_core_PodSecurityContext methods :-|

liggitt
liggitt reviewed May 12, 2018
View reviewed changes
pkg/apis/core/types.go Outdated
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// +optional
Sysctls []Sysctl `json:"sysctls,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no json tags on internal types

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed

liggitt
liggitt reviewed May 12, 2018
View reviewed changes
pkg/apis/policy/types.go Outdated
// Sysctls is a white list of allowed sysctls in a pod spec. Each entry
// is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls.
Sysctls []string `json:"sysctls,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove json tags from internal types

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed

@sttts
Copy link
Contributor

sttts commented Jun 5, 2018

lgtm also from my side.

@sjenning
Copy link
Contributor

sjenning commented Jun 5, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 5, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, ingvagabund, liggitt, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@derekwaynecarr @ingvagabund @liggitt @sjenning @tallclair @vishh

Pull Request Labels
  • sig/auth sig/node: Pull Request will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/feature: New functionality.
Help

@ingvagabund ingvagabund force-pushed the promote-sysctl-annotations-to-fields branch from ad243bb to b1b28f0 Compare June 5, 2018 22:26
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 5, 2018
@ingvagabund ingvagabund added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 5, 2018
@liggitt liggitt added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Jun 5, 2018
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. labels Jun 5, 2018
@ingvagabund
Copy link
Contributor Author

/test pull-kubernetes-e2e-gce

@liggitt
Copy link
Member

liggitt commented Jun 6, 2018

/retest

1 similar comment
@liggitt
Copy link
Member

liggitt commented Jun 6, 2018

/retest

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit b6f75ac into kubernetes:master Jun 6, 2018
@ingvagabund ingvagabund deleted the promote-sysctl-annotations-to-fields branch June 6, 2018 08:42
@AishSundar AishSundar mentioned this pull request Jun 6, 2018
Closed
This was referenced Jun 18, 2018
Closed
Merged
@rdrgmnzs rdrgmnzs mentioned this pull request Dec 7, 2018
Merged
@liggitt liggitt mentioned this pull request Feb 24, 2021
Open
20 tasks
@SataQiu SataQiu mentioned this pull request Sep 30, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@php-coder php-coder php-coder left review comments

@sjenning sjenning sjenning left review comments

@sttts sttts sttts left review comments

@liggitt liggitt liggitt left review comments

@tallclair tallclair tallclair left review comments

@derekwaynecarr derekwaynecarr derekwaynecarr approved these changes

@brendandburns brendandburns Awaiting requested review from brendandburns

@luxas luxas Awaiting requested review from luxas

@madhusudancs madhusudancs Awaiting requested review from madhusudancs

@mwielgus mwielgus Awaiting requested review from mwielgus

@pweil- pweil- Awaiting requested review from pweil-

@pwittrock pwittrock Awaiting requested review from pwittrock

@rootfs rootfs Awaiting requested review from rootfs

@soltysh soltysh Awaiting requested review from soltysh

@yujuhong yujuhong Awaiting requested review from yujuhong

Assignees

@sjenning sjenning

@liggitt liggitt

@derekwaynecarr derekwaynecarr

@vishh vishh

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.11
Development

Successfully merging this pull request may close these issues.