Add namespace targeting mode to CRI and kubelet #84731
What type of PR is this?
What this PR does / why we need it: This adds a TARGET NamespaceMode to the CRI and implements namespace targeting for the PID namespace in the kubelet. This is necessary to implement the TargetContainerName field of EphemeralContainer.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
We discussed this in sig-node today. One concern brought up is who is going to reap the ephemeral container processes.
Actually, the ephemeral container process targeting a container is similar to
And here is something we found when we were dealing with an internal exec process leakage:
Given so, I believe:
yujuhong left a comment
If the target pod uses a shared PID namespace, there wouldn't be a reaping problem, right? Maybe we should add this to the feature description to warn users.
Also, since this is for debugging/troubleshooting, users may still want to do this even with the possibility of leakage.
Discussed with @yujuhong offline.
Yeah, during the meeting we only brought up the concern about the process reaping thing, but we didn't know the exact impact. If #84731 (comment) is the only impact, it seems fine to us, because:
Maybe a clear document for this case is good enough?
[APPROVALNOTIFIER] This PR is APPROVED