Hi @ajwock. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

I am not sure this should be done by default.

Delegation is safe on cgroup v2, but I think we need to control what containers can use it. For example a container might create a lot of sub-cgroups and that could affect the host as well.

What happens if this is used without nsdelegate or a cgroup namespace? Can a container override its own limits?

Codecov Report

Merging #5277 (adfe7ba) into main (1ada8e7) will decrease coverage by 0.11%.
The diff coverage is 67.67%.

❗ Current head adfe7ba differs from pull request most recent head 10f8f17. Consider uploading reports for the commit 10f8f17 to get more accurate results

@@            Coverage Diff             @@
##             main    #5277      +/-   ##
==========================================
- Coverage   43.62%   43.50%   -0.12%     
==========================================
  Files         118      118              
  Lines       11813    11791      -22     
==========================================
- Hits         5153     5130      -23     
- Misses       6168     6169       +1     
  Partials      492      492              

From reading man 7 cgroups, it looks like using nsdelegate would prevent a vulnerability in a couple of particular cases- one, when the container's root is the real root. In that case, root could write to controller interface files in the root directory of the namespace, thus allowing the container not to follow restrictions set on the container by k8s or the CRI. The other case is when other parts of the cgroups hierarchy are exposed to the container, such as if someone hostpath mounted /sys/fs/cgroup. As the real root, a container process could move the process outside of the container's cgroup hierarchy, also allowing it not to follow container restrictions. So I think it would be good to check for nsdelegate.

Would creating a lot of descendant cgroups affect the host in a way that just creating a large number of files wouldn't also affect it?

Regardless of whether it would, it's possible to limit the number and depth of descendant cgroups with cgroup.max.depth and cgroup.max.descendants.

Perhaps this setting could be configured in crio.conf. A configuration option for enabling this feature and another option for setting the max number of descendants.

also @kolyshkin PTAL

I am in favor of having a config field to allow an admin to deny access to this

I am in favor of having a config field to allow an admin to deny access to this

IMO, it should be off by default and treated in a similar way as we do for the userns annotation

A question: since node.CgroupIsV2() is not mockable with gmock, what would be the best way to approach testing this change (if that's an expectation at all)

I mean it is possible to unit test addOCIBindMounts without that though.

A question: since node.CgroupIsV2() is not mockable with gmock, what would be the best way to approach testing this change (if that's an expectation at all)

I mean it is possible to unit test addOCIBindMounts without that though.

yeah our CreateContainer() testing is pretty lacking rn. I would recommend just testing addOCIBindMounts for now

Is there somewhere that I should write documentation for this PR?

in the allowed_annotation field in the config template (pkg/config/template.go) you could add a blurb about it. If you feel so inclined, you could also put together a tutorial describing what you've done and how you did it :) or a blog would work too, which we could link in the AWESOME.md file

/ok-to-test

What's with the
error: branch 'target' not found.
and
error: branch 'pr' not found.
?

that can be ignored, the actual error is

time="2021-09-29T16:41:43Z" level=error msg="Error copying docker://quay.io/crio/redis:alpine to dir:/go/src/github.com/cri-o/cri-o/.artifacts/redis-image: reading blob sha256:c72e0cff027d9cf1386d8c931e1a14e9e7d5bd7eb61ea0b4e24f021395ea5329: Error fetching blob: invalid status code from registry 500 (Internal Server Error)"
Error pulling docker://quay.io/crio/redis:alpine
make: *** [localintegration] Error 1

invalid status code from registry 500
Does this relate to my PR or also just something to ignore?

Okay, I fixed the ineffectual assignment issues and reformatted. Hopefully the linter is happy now.

Pinging this. Any remaining concerns (needs to be retested, perhaps?)

/retest

Phew. Could you do one more lint for me?
-after my next push, I forgot to use tabs

Is this change merge ready?

/retest
/lgtm

thanks @ajwock !

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@ajwock: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Full PR test history. Your PR dashboard.

/retest-required

Please review the full test history for this PR and help us cut down flakes.

Is there a KEP to move this to Pod spec (probably securityOptions)?

Is there a KEP to move this to Pod spec (probably securityOptions)?

Sorry that I missed this. As far as I know, there isn't one, but it would be a good idea to create one. Let me know if you plan to, I would be willing to help.

@limck5856: changing LGTM is restricted to collaborators

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ajwock, haircommander, limck5856, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here