
kubelet: add userns manager
It is used to allocate and keep track of the unique user ranges
assigned to each pod that runs in a user namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
giuseppe and rata committed Aug 3, 2022
1 parent cf8164b commit 6346228
Showing 4 changed files with 760 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/kubelet/kubelet.go
Expand Up @@ -837,6 +837,10 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
StateDirectory: rootDirectory,
})
klet.shutdownManager = shutdownManager
klet.usernsManager, err = MakeUserNsManager(klet)
if err != nil {
return nil, err
}
klet.admitHandlers.AddPodAdmitHandler(shutdownAdmitHandler)

// Finally, put the most recent version of the config on the Kubelet, so
Expand Down Expand Up @@ -1175,6 +1179,9 @@ type Kubelet struct {

// Handles node shutdown events for the Node.
shutdownManager nodeshutdown.Manager

// Manage user namespaces
usernsManager *usernsManager
}

// ListPodStats is delegated to StatsProvider, which implements stats.Provider interface
Expand Down Expand Up @@ -1889,6 +1896,8 @@ func (kl *Kubelet) syncTerminatedPod(ctx context.Context, pod *v1.Pod, podStatus
klog.V(4).InfoS("Pod termination removed cgroups", "pod", klog.KObj(pod), "podUID", pod.UID)
}

kl.usernsManager.Release(pod.UID)

// mark the final pod status
kl.statusManager.TerminatePod(pod)
klog.V(4).InfoS("Pod is terminated and will need no more status updates", "pod", klog.KObj(pod), "podUID", pod.UID)
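Review bot: In the hunk at -1889, `kl.usernsManager.Release(pod.UID)` is called with its result discarded and without a comment explaining why this is the right point in the pod's lifetime to give the range back; if Release can fail (for example while persisting the updated allocation), nothing here logs it, and a range freed while files created under the old mapping are still on disk would let the next pod assigned that range read them. I would either log the outcome the way the cgroup cleanup just above does or document the ordering constraint: `// Release the pod's user namespace range. This must run only after every container of the pod has exited, because a reused range would make leftover files owned by the old pod accessible to the next one.` In the hunk at -837 the `MakeUserNsManager` error is returned bare; `return nil, fmt.Errorf("creating user namespace manager: %w", err)` keeps the failure attributable in the kubelet startup path. syncTerminatedPod and NewMainKubelet both start and end outside their hunks, and Release's signature is not visible here, so whether it returns an error is inferred rather than seen.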
6 changes: 6 additions & 0 deletions pkg/kubelet/kubelet_pods.go
Expand Up @@ -1154,6 +1154,12 @@ func (kl *Kubelet) HandlePodCleanups() error {
return err
}

// Remove orphaned pod user namespace allocations (if any).
klog.V(3).InfoS("Clean up orphaned pod user namespace allocations")
if err = kl.usernsManager.CleanupOrphanedPodUsernsAllocations(allPods, runningRuntimePods); err != nil {
klog.ErrorS(err, "Failed cleaning up orphaned pod user namespaces allocations")
}

// Remove orphaned volumes from pods that are known not to have any
// containers. Note that we pass all pods (including terminated pods) to
// the function, so that we don't remove volumes associated with terminated
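Review bot: The new cleanup call assigns into the enclosing `err` (`err = kl.usernsManager.CleanupOrphanedPodUsernsAllocations(...)`) instead of an if-scoped variable, so after the logged, best-effort failure `err` remains non-nil for the rest of HandlePodCleanups, and any later path that returns `err` bare would report this failure as its own. Prefer `if err := kl.usernsManager.CleanupOrphanedPodUsernsAllocations(allPods, runningRuntimePods); err != nil {` so the handled error cannot leak into subsequent returns. The log line would also read better as `"Failed cleaning up orphaned pod user namespace allocations"`. HandlePodCleanups starts and ends outside this hunk, so whether `err` is reused later is inferred, not visible.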
