cri: Expose runtimeHandler support for userns

Since kubernetes 1.30, the kubelet will query the runtime handlers features and only start pods with userns if the runtime handler used for that pod supports it. Let's expose the user namespace support to the kubelet. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
w13915984028 · Feb 22, 2024 · 2cd0815 · 2cd0815
1 parent 358aef4
commit 2cd0815
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/internal/cri/server/service.go b/internal/cri/server/service.go
@@ -381,6 +381,9 @@ func (c *criService) introspectRuntimeHandlers(ctx context.Context) ([]*runtime.
 					log.G(ctx).Debugf("runtime %q supports recursive read-only mounts, but the kernel does not", name)
 				}
 			}
+			userns := supportsCRIUserns(rawFeatures)
+			h.Features.UserNamespaces = userns
+			log.G(ctx).Debugf("runtime %q supports CRI userns: %v", name, userns)
 		}
 		res = append(res, &h)
 		if name == c.config.DefaultRuntimeName {
@@ -438,3 +441,20 @@ func introspectRuntimeFeatures(ctx context.Context, intro introspection.Service,
 	}
 	return features, nil
 }
+
+func supportsCRIUserns(f *features.Features) bool {
+	if f == nil {
+		return false
+	}
+	userns := slices.Contains(f.Linux.Namespaces, "user")
+
+	var idmap bool
+	if m := f.Linux.MountExtensions; m != nil && m.IDMap != nil && m.IDMap.Enabled != nil {
+		if *m.IDMap.Enabled {
+			idmap = true
+		}
+	}
+
+	// user namespace support in CRI requires userns and idmap support.
+	return userns && idmap
+}