[release/1.7] Throw an error if the kubelet requests mounts with uid/gid mappings

[rata]

This is a backport of #8376 to the 1.7 release branch (the only release with userns support, so the only one affected).

Please note I cherry-pick -x commit "cri: Throw an error if idmap mounts is requested", but manually did the vendor again (instead of cherry.picking) because there are other differences in the go modules.

[k8s-ci-robot]

Hi @rata. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rata]

The k8s PR has been merged, so I've updated this to do the proper vendoring and mark it ready for review.

I've opened it against branch 1.7, as that is where we need this (see #8209 for more info). I'll open a draft PR that relies on runc 1.2 for the main branch, to properly handle idmap mounts.

cc @fuweid as you were active in the issue and userns support PRs.

[dims]

/ok-to-test

[rata]

Friendly ping?

[estesp]

LGTM

[rata]

ping?

@estesp thanks! Can you maybe get another maintainer to review this too? :)

[fuweid]

sorry for missing the mention. Did we have pr to main branch? @rata

[rata]

@fuweid no, for main I've just opened a PR handling idmap mounts for volumes (in draft as it depends on runc merging another PR, containerd PR is: #8287).

Shall I make another PR like this to main and then undo it when we merge #8287 ?

[fuweid]

@rata We usually don't apply patch to release branch directly. Hope you don't mind.

I think you can just file a similar pr X to main branch so that we can know that this pr 8211 is cherry-picked from X. So the steps are

1. merge X to main
2. cherry-pick X to [release/1.7] Throw an error if the kubelet requests mounts with uid/gid mappings #8211 and merge it to release/1.7
3. rebase main to Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) #8287

Sounds good to you?

BTW, this patch looks good to me.

[rata]

Perfect, will do that then. Thanks!

[rata]

@fuweid created the PR to main: #8376 PTAL :)

[rata]

Switching to draft until the one in main is merged, then I'll cherry-pick -x if the merge method changes the hash and switch it to ready for review

[rata]

@fuweid thanks! I updated this PR now with the cherry-pick, PTAL

[fuweid]

LGTM

[rata]

Two LGTM are enough? Or do we want to re-review as technically although the code hasn't changed, now the commit was cherr-picked?

[fuweid]

ping @AkihiroSuda @dmcgowan

[fuweid]

Hi @rata after change, it still needs two LGTMs.

ping @dims @mikebrow ~

[AkihiroSuda]

Non-beta might be preferable, but can be bumped up later