Enable per pod PID namespace setting #1392
Conversation
|
I think the CRI-O side of this needs to be a bit more nuanced than “ignore EnableSharedPIDNamespace if the kublet asks us to”. Can we deprecate #1280 is also in flight in this space, although it needs a rebase. I'm fine with this PR going in first and don't expect significant conflicts; just something to be aware of. |
|
I think that we can get rid of the flag as kube has a similar flag to enable/disable the feature. |
|
Removed the |
|
@umohnani8 Yes, we should remove the existing tests that use that flag and add another integration test that sets pid namespace sharing to pod in the sandbox config. Take a look at my PR to update k8s that we merged. It has some similar changes to network namespace handling in the integration tests. |
vendor.conf
Outdated
| @@ -1,11 +1,11 @@ | |||
| k8s.io/kubernetes 7488d1c9210e60aef9ad49f07cb5d8a24152db88 https://github.com/kubernetes/kubernetes | |||
| k8s.io/kubernetes fe0e80e8dafcdfde9778380f40346bfa75bad0f7 https://github.com/kubernetes/kubernetes | |||
There was a problem hiding this comment.
Let us switch to the latest version in release-1.0 branch and also change to the same in the e2e tests https://github.com/kubernetes-incubator/cri-o/blob/master/contrib/test/integration/main.yml#L121
There was a problem hiding this comment.
There was a problem hiding this comment.
Updated vendor and yaml to use the release 1.10 branch.
Added integration test.
|
Added test and update the main.yaml file. |
|
/test all |
| vars: | ||
| force_clone: True | ||
| k8s_git_version: "master" | ||
| k8s_git_version: "release-1.10" |
There was a problem hiding this comment.
Don't we intend to track k8s' master in our master branch?
There was a problem hiding this comment.
@wking We will track release-1.10 in master till we make a branch for it next week. At that point we can switch back to master.
| if ctx.GlobalIsSet("pids-limit") { | ||
| config.PidsLimit = ctx.GlobalInt64("pids-limit") | ||
| } | ||
| if ctx.GlobalIsSet("enable-shared-pid-namespace") { |
There was a problem hiding this comment.
Updated the man page. Thanks for catching that!
There was a problem hiding this comment.
Fixed. Removed it from helpers.bash as well. I think I got all of them now :)
|
Since we have tests passing, should we merge now and get the man page fixes in a different PR? |
These changes allow for the container's pid namespace to be set to the same as the pod infra container's namespace if the pid namespace mode is set to POD Signed-off-by: umohnani8 <[email protected]>
|
@runcom should we run tests on this? |
|
/test all |
If the pid namespace mode is set to POD, then the container's namespace should be set to the namespace of the pod infra container. Signed-off-by: umohnani8 <[email protected]>
|
restarted travis |
|
/test all |
If the pid namespace mode is set to POD, then the container's namespace
should be set to the namespace of the pod infra container.
To test this, make sure to add
FEATURE_GATES="${FEATURE_GATES},PodShareProcessNamespace=true"tohack/local-cluster-up.sh- this enable the feature.Signed-off-by: umohnani8 [email protected]