

Set HostUsers=false for unprivileged build pods + UserNamespaces
If the UserNamespacesStatelessPodsSupport feature is enabled, set
HostUsers=false for unprivileged build pods, in addition to the
non-standardized annotation that older versions of CRI-O could be
configured to accept instead.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
nalind committed Oct 20, 2022
1 parent 762b58a commit 5dd0aaa
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions pkg/build/controller/strategy/util.go
Expand Up @@ -11,8 +11,10 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kvalidation "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/component-base/featuregate"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/features"

buildv1 "github.com/openshift/api/build/v1"
"github.com/openshift/library-go/pkg/build/naming"
Expand Down Expand Up @@ -573,6 +575,11 @@ func setupBuilderDeviceFUSE(pod *corev1.Pod) {
func setupBuilderAutonsUser(build *buildv1.Build, vars []corev1.EnvVar, pod *corev1.Pod) {
metav1.SetMetaDataAnnotation(&pod.ObjectMeta, "io.openshift.builder", "")
metav1.SetMetaDataAnnotation(&pod.ObjectMeta, "io.kubernetes.cri-o.userns-mode", "auto:size=65536")
featureGate := featuregate.NewFeatureGate()
if featureGate.Enabled(features.UserNamespacesStatelessPodsSupport) {
f := false
pod.Spec.HostUsers = &f
}
}

// setupBuildCAs mounts certificate authorities for the build from a predetermined ConfigMap.
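Review bot: The gate check at `featureGate := featuregate.NewFeatureGate()` / `if featureGate.Enabled(features.UserNamespacesStatelessPodsSupport)` in setupBuilderAutonsUser consults a freshly constructed, empty gate rather than the one the controller process was configured with, so it cannot reflect whether the feature is actually enabled in the cluster. As I recall, component-base's Enabled panics for a feature that was never registered on that particular gate, and even if it does not, a fresh gate can only yield the feature's compiled-in default, which makes the `pod.Spec.HostUsers = &f` branch either a crash or effectively dead. Since that branch is what would put an unprivileged build pod into a user namespace, the intended hardening would silently fall back to the annotation-only path and depend entirely on how CRI-O is configured. I would replace the two lines with a check against the gate the process loads its settings into — for example `if utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) {` with `utilfeature` from `k8s.io/apiserver/pkg/util/feature`, or a gate plumbed in from the controller's configuration, whichever this project already uses — and add a unit test asserting that `pod.Spec.HostUsers` is set to false when the gate is enabled and left nil when it is not.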

