Default host user namespace via experimental flag#31169
Conversation
8a3a18b to
88ed698
Compare
88ed698 to
5782fab
Compare
38887ff to
11725e4
Compare
| fs.BoolVar(&s.ProtectKernelDefaults, "protect-kernel-defaults", s.ProtectKernelDefaults, "Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults.") | ||
|
|
||
| // experimental flags | ||
| fs.BoolVar(&s.ExperimentalHostUserNamespaceDefaulting, "experimental-host-user-namespace-defaulting", s.ExperimentalHostUserNamespaceDefaulting, "Default the value for UsernsMode for containers that are using other host namespaces, host mounts, or specific non-namespaced capabilities (MKNOD, SYS_MODULE, SYS_TIME). This should only be enabled is user namespace remapping is enabled in the docker daemon. [default=false]") |
There was a problem hiding this comment.
In the comment, explain what you are defaulting the value to. This description did not explain it.
11725e4 to
19a2293
Compare
| // Values must be within the range [0, 31]. Must be different from IPTablesMasqueradeBit | ||
| IPTablesDropBit int32 `json:"iptablesDropBit"` | ||
| // experimentalHostUserNamespaceDefaulting is an experimental flag to enable defaulting of the UsernsMode for | ||
| // a container. |
There was a problem hiding this comment.
Comment about this requiring remapping to be enabled in the daemon (or, ahem, container runtime?)
c675e0d to
8dfdec5
Compare
| limitations under the License. | ||
| */ | ||
|
|
||
| package kubelet |
There was a problem hiding this comment.
note to other reviewers: I asked @pweil- to name this file as such, going to put a ton of other stuff into it in a planned refactor.
|
This LGTM, I'll give others a chance to chime in. |
|
@smarterclayton @thockin is this going to be 1.4? |
8dfdec5 to
6e31039
Compare
0b06258 to
89a307a
Compare
|
rebased |
|
rebased |
|
Jenkins GKE smoke e2e failed for commit e95d29b5137878911491dab2a7e3992d84a0cb7b. Full PR test history. The magic incantation to run this job again is |
|
Jenkins GCE e2e failed for commit bdbdcdfd660e80cdcdc503e725ef2c30e4364bc3. Full PR test history. The magic incantation to run this job again is |
|
@k8s-bot cvm gce e2e test this |
|
rebased tests are green again, care to re-apply LGTM? |
|
@vishh ^ |
|
@vishh bump |
|
@saad-ali FYI this has had LGTM and has been in rebase cycles since (if you need to do any release czar maintenance) |
Ack. Thanks for the heads up. Are there any concerns about this PR in terms of risk to the 1.5 release? I see that the initial plan was to get it merged early in the 1.5 dev cycle to give it time to bake. |
|
Saad, this PR is expected to be turned off by default. So from a risk On Tue, Nov 8, 2016 at 12:27 PM, Saad Ali [email protected] wrote:
|
Agree, the feature is guarded by a feature gate and is turned off by default |
Great, thanks. |
Looks like this has approval. Retagging. |
|
Jenkins unit/integration failed for commit bdbdcdfd660e80cdcdc503e725ef2c30e4364bc3. Full PR test history. The magic incantation to run this job again is |
|
Jenkins GCE Node e2e failed for commit bdbdcdfd660e80cdcdc503e725ef2c30e4364bc3. Full PR test history. The magic incantation to run this job again is |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
@vishh @ncdc @pmorie @smarterclayton @thockin
Initial thought on the implementation #30684 (comment) wasn't quite right. Since we need to dereference a PVC in some cases the defaulting code didn't fit nicely in the docker manager code (would've coupled it with a kube client and would've been messy). I think passing this in via the runtime config turned out cleaner. PTAL
This change is