Set HostUsers=false for unprivileged build pods + UserNamespaces

If the UserNamespacesStatelessPodsSupport feature is enabled, set HostUsers=false for unprivileged build pods, in addition to the non-standardized annotation that older versions of CRI-O could be configured to accept instead. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
openshift · Oct 20, 2022 · 5dd0aaa · 5dd0aaa
1 parent 762b58a
commit 5dd0aaa
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/build/controller/strategy/util.go b/pkg/build/controller/strategy/util.go
@@ -11,8 +11,10 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kvalidation "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/component-base/featuregate"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/features"
 
 	buildv1 "github.com/openshift/api/build/v1"
 	"github.com/openshift/library-go/pkg/build/naming"
@@ -573,6 +575,11 @@ func setupBuilderDeviceFUSE(pod *corev1.Pod) {
 func setupBuilderAutonsUser(build *buildv1.Build, vars []corev1.EnvVar, pod *corev1.Pod) {
 	metav1.SetMetaDataAnnotation(&pod.ObjectMeta, "io.openshift.builder", "")
 	metav1.SetMetaDataAnnotation(&pod.ObjectMeta, "io.kubernetes.cri-o.userns-mode", "auto:size=65536")
+	featureGate := featuregate.NewFeatureGate()
+	if featureGate.Enabled(features.UserNamespacesStatelessPodsSupport) {
+		f := false
+		pod.Spec.HostUsers = &f
+	}
 }
 
 // setupBuildCAs mounts certificate authorities for the build from a predetermined ConfigMap.