Switch CRI PID namespace to an enum

verb · verb · commit db76a1bc05d5 · 2017-09-26T15:37:00.000+02:00
diff --git a/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto b/pkg/kubelet/apis/cri/v1alpha1/runtime/api.proto
@@ -174,12 +174,18 @@ message Mount {
     MountPropagation propagation = 5;
 }
 
+enum PIDNamespace {
+    ISOLATED = 0;
+    HOST     = 1;
+    SHARED   = 2;
+}
+
 // NamespaceOption provides options for Linux namespaces.
 message NamespaceOption {
     // If set, use the host's network namespace.
     bool host_network = 1;
     // If set, use the host's PID namespace.
-    bool host_pid = 2;
+    PIDNamespace pid = 2;
     // If set, use the host's IPC namespace.
     bool host_ipc = 3;
 }
diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go
@@ -397,7 +397,7 @@ func (ds *dockerService) PodSandboxStatus(podSandboxID string) (*runtimeapi.PodS
 			Namespaces: &runtimeapi.Namespace{
 				Options: &runtimeapi.NamespaceOption{
 					HostNetwork: hostNetwork,
-					HostPid:     sharesHostPid(r),
+					Pid:         pidNamespace(r),
 					HostIpc:     sharesHostIpc(r),
 				},
 			},
@@ -590,13 +590,12 @@ func sharesHostNetwork(container *dockertypes.ContainerJSON) bool {
 	return false
 }
 
-// sharesHostPid returns true if the given container is sharing the host's pid
-// namespace.
-func sharesHostPid(container *dockertypes.ContainerJSON) bool {
-	if container != nil && container.HostConfig != nil {
-		return string(container.HostConfig.PidMode) == namespaceModeHost
+// pidNamespace returns the PID Namespace mode of the given container
+func pidNamespace(container *dockertypes.ContainerJSON) runtimeapi.PIDNamespace {
+	if container != nil && container.HostConfig != nil && string(container.HostConfig.PidMode) == namespaceModeHost {
+		return runtimeapi.PIDNamespace_HOST
 	}
-	return false
+	return runtimeapi.PIDNamespace_ISOLATED
 }
 
 // sharesHostIpc returns true if the given container is sharing the host's ipc
diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
@@ -144,7 +144,7 @@ func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSand
 // modifyCommonNamespaceOptions apply common namespace options for sandbox and container
 func modifyCommonNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, hostConfig *dockercontainer.HostConfig) {
 	if nsOpts != nil {
-		if nsOpts.HostPid {
+		if nsOpts.GetPid() == runtimeapi.PIDNamespace_HOST {
 			hostConfig.PidMode = namespaceModeHost
 		}
 		if nsOpts.HostIpc {
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
@@ -256,7 +256,7 @@ func TestModifySandboxNamespaceOptions(t *testing.T) {
 		{
 			name: "NamespaceOption.HostPid",
 			nsOpt: &runtimeapi.NamespaceOption{
-				HostPid: set,
+				Pid: runtimeapi.PIDNamespace_HOST,
 			},
 			expected: &dockercontainer.HostConfig{
 				PidMode:     namespaceModeHost,
@@ -306,7 +306,7 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
 		{
 			name: "NamespaceOption.HostPid",
 			nsOpt: &runtimeapi.NamespaceOption{
-				HostPid: set,
+				Pid: runtimeapi.PIDNamespace_HOST,
 			},
 			expected: &dockercontainer.HostConfig{
 				NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
@@ -283,3 +283,10 @@ func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations
 
 	return profile
 }
+
+func getPIDNamespaceForPod(pod *v1.Pod) runtimeapi.PIDNamespace {
+	if pod.Spec.HostPID {
+		return runtimeapi.PIDNamespace_HOST
+	}
+	return runtimeapi.PIDNamespace_ISOLATED
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -154,7 +154,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 		lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{
 			HostNetwork: pod.Spec.HostNetwork,
 			HostIpc:     pod.Spec.HostIPC,
-			HostPid:     pod.Spec.HostPID,
+			Pid:         getPIDNamespaceForPod(pod),
 		}
 
 		if sc.FSGroup != nil {
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
@@ -51,7 +51,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	synthesized.NamespaceOptions = &runtimeapi.NamespaceOption{
 		HostNetwork: pod.Spec.HostNetwork,
 		HostIpc:     pod.Spec.HostIPC,
-		HostPid:     pod.Spec.HostPID,
+		Pid:         getPIDNamespaceForPod(pod),
 	}
 	podSc := pod.Spec.SecurityContext
 	if podSc != nil {

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ func modifyContainerNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, podSand`
`144`	`144`	`// modifyCommonNamespaceOptions apply common namespace options for sandbox and container`
`145`	`145`	`func modifyCommonNamespaceOptions(nsOpts runtimeapi.NamespaceOption, hostConfig dockercontainer.HostConfig) {`
`146`	`146`	`if nsOpts != nil {`
`147`		`- if nsOpts.HostPid {`
	`147`	`+ if nsOpts.GetPid() == runtimeapi.PIDNamespace_HOST {`
`148`	`148`	`hostConfig.PidMode = namespaceModeHost`
`149`	`149`	`}`
`150`	`150`	`if nsOpts.HostIpc {`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ func (m kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod v1.Pod) (`
`154`	`154`	`lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{`
`155`	`155`	`HostNetwork: pod.Spec.HostNetwork,`
`156`	`156`	`HostIpc: pod.Spec.HostIPC,`
`157`		`- HostPid: pod.Spec.HostPID,`
	`157`	`+ Pid: getPIDNamespaceForPod(pod),`
`158`	`158`	`}`
`159`	`159`
`160`	`160`	`if sc.FSGroup != nil {`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func (m kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod v1.Po`
`51`	`51`	`synthesized.NamespaceOptions = &runtimeapi.NamespaceOption{`
`52`	`52`	`HostNetwork: pod.Spec.HostNetwork,`
`53`	`53`	`HostIpc: pod.Spec.HostIPC,`
`54`		`- HostPid: pod.Spec.HostPID,`
	`54`	`+ Pid: getPIDNamespaceForPod(pod),`
`55`	`55`	`}`
`56`	`56`	`podSc := pod.Spec.SecurityContext`
`57`	`57`	`if podSc != nil {`