docs and tests: update for user namespace modes #5476
Conversation
21eb366 to
0769d8c
Compare
Codecov Report
@@ Coverage Diff @@
## main #5476 +/- ##
=======================================
Coverage 43.27% 43.28%
=======================================
Files 120 120
Lines 11995 11995
=======================================
+ Hits 5191 5192 +1
+ Misses 6309 6308 -1
Partials 495 495 |
a5cd9d6 to
45ff227
Compare
| ### CRI-O configuration | ||
| To enable pods to be able to use the userns-mode annotation, the pod must be allowed to interpret the experimental annotation `io.kubernetes.cri-o.userns-mode`. | ||
| #### 1.23.0 and beyond | ||
| In CRI-O versions greater than 1.23.0, this can be done by creating a custom workload. This can be done by creating a file with the following contents in /etc/crio/crio.conf.d/01-userns-workload.conf |
There was a problem hiding this comment.
| In CRI-O versions greater than 1.23.0, this can be done by creating a custom workload. This can be done by creating a file with the following contents in /etc/crio/crio.conf.d/01-userns-workload.conf | |
| In CRI-O versions greater than 1.23.0, create a file with the following contents in /etc/crio/crio.conf.d/01-userns-workload.conf |
"This can be done" got a little redundant.
| ## Setup | ||
|
|
||
| ### /etc/sub{g,u}id | ||
| To start, the host will have to have `/etc/subuid` and `/etc/subgid` files set correctly. By default, the [library CRI-O uses for container storage](https://github.com/containers/storage) assumes there will be entries in each of these files for the `containers` user. If one would like to have a different user's entries in `/etc/sub?id` files, then the field `remap-user` and `remap-group` can be configured in `/etc/containers/storage.conf` in the `[storage.options]` table. |
There was a problem hiding this comment.
I try to avoid pronouns on a man page. Suggest dropping "If one would like" at the start of the third sentence for instance. Etc throughout, YMMV.
| allowed_annotations = ["io.kubernetes.cri-o.userns-mode"] | ||
| ``` | ||
|
|
||
| This will allow any pod with the `io.kubernetes.cri-o.userns-mode` annotation to configure a user namespace. CRI-O opts for this approach to give admins the ability to toggle the behavior on their nodes, just in case an admin doesn't want their users to be able to create user namespace. An admin can also set a different `activation_annotation` if they'd like a different annotation to allow pods to configure user namespaces. |
There was a problem hiding this comment.
prefer "administrator" to "admin"
|
LGTM in general, just a couple Sweeney-tics to consider. |
|
/retest-required |
1 similar comment
|
/retest-required |
45ff227 to
6f2b529
Compare
link |
|
/retest-required |
7b607ea to
d98f78f
Compare
|
/retest |
d98f78f to
45fa8e7
Compare
|
@cri-o/cri-o-maintainers PTAL |
|
/retest-required |
saschagrunert
left a comment
There was a problem hiding this comment.
Just one nit, otherwise LGTM
| @@ -0,0 +1,65 @@ | |||
| # User namespaces and CRI-O | |||
There was a problem hiding this comment.
Let's link this tutorial from somewhere.
|
/retest-required |
|
@haircommander does the RHEL 7 node have the |
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
45fa8e7 to
6e3dfa2
Compare
I will try that! |
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
6e3dfa2 to
da8f9a0
Compare
|
/override ci/openshift-jenkins/integration_crun |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_crun DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test integration_crun |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, haircommander, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@haircommander: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/override e2e-agnostic |
|
@haircommander: /override requires a failed status context or a job name to operate on.
Only the following contexts were expected:
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override ci/prow/e2e-agnostic |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/e2e-agnostic DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind documentation
/kind ci
What this PR does / why we need it:
previously, the documentation and testing around user namespaces was pretty poor. Let's update both in one feld swoop, so we know we're testing the stuff we claim works in our docs
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?